ISF chief Steve Durbin says attackers are using business systems to gather intelligence that could later be used for espionage, disruption and reputational damage

Companies across Europe should prepare for the possibility that hackers are already inside their systems, tracking operations and stealing data for future attacks, one of the cyber security industry’s leading figures has warned.

Steve Durbin, chief executive of the Information Security Forum (ISF), said businesses were facing a sleeper-cell-type cyber threat, with attackers entering networks, gathering intelligence and waiting for the right moment to use it.

The risk is especially serious for critical infrastructure, defence, arms manufacturing and other sensitive sectors, where stolen information could be used in future campaigns involving espionage, disruption or reputational damage.

Speaking on Business Matters, Durbin said attackers did not always need to damage systems immediately to cause long-term harm.

“You may want to go into somebody’s network and just watch what’s going on, exfiltrate some of that information so that in the future you may be able to use it,” he said.

Durbin said information taken from companies could be used in several ways, including attacks on infrastructure, the theft of trade secrets, selective leaks, manipulated disclosures or campaigns designed to damage public trust.

The warning comes as businesses face a sharp rise in cyber activity and a threat landscape shaped by geopolitical tension, artificial intelligence and supply-chain weakness.

Organisations faced an average of 1,925 cyber attacks a week in the first quarter of 2025, up 47 per cent on the same period a year earlier.

BT has said it detects more than 2,000 signals of potential cyber attacks every second across its networks, equivalent to more than 200 million a day.

It has also warned that web-connected devices are scanned more than 1,000 times a day by known malicious sources.

Durbin has also criticised the absence of cyber security from the UK government’s Spring Statement, saying public bodies could be left exposed at a time of heightened geopolitical risk.

He said companies now needed to think less about stopping every attack and more about staying operational when systems are breached.

That means identifying the data, services and systems needed to keep trading, delivering services and protecting customers during an incident.

“I think we have to move very, very quickly away from this concept that we can prevent attacks happening,” Durbin told Juliette Foster.

“We have to move to a position that says, irrespective, my company is going to be resilient.”

Durbin said artificial intelligence was increasing the pressure on businesses, with many organisations adopting new tools before setting clear rules for staff.

Sensitive company information entered into public AI tools such as ChatGPT could create security risks if businesses have not set proper controls around how such systems are used.

He also warned that attackers were looking beyond large organisations and targeting smaller suppliers with weaker defences as a route into bigger companies.

The supply-chain risk means businesses need to look at partners, contractors and vendors as part of their own security exposure.

Durbin said companies were in a stronger position than before to deal with some emerging threats, although the next phase of AI-enabled attacks remained difficult to predict.

“I would say we are better placed to offset some of the threats that are coming down the road, but we don’t actually know what some of those AI threats are going to look like,” he said.

He said the uncertainty around future attacks strengthened the case for cyber audits to become a legal requirement for larger organisations.

International agreement on cyber law and AI governance remained difficult, he added, because technology was moving faster than regulation.

The cyber industry is also facing a shortage of skilled people, adding further pressure as attacks become more complex and more frequent.

Watch Steve Durbin, chief executive of the Information Security Forum, in conversation with Juliette Foster on Business Matters, on The European’s YouTube channel.

VIEW MORE: Firms ‘wasting AI’ by using it to speed up bad habits. SDG Group’s Steve Crosson Smith says companies need to move beyond quick productivity wins and use AI to connect siloed data, expose bottlenecks and give leaders a clearer view of where to act.

Do you have news to share or expertise to contribute? The European welcomes insights from business leaders and sector specialists. Get in touch with our editorial team to find out more.