Businesses are looking in the wrong direction. The real danger is not AI itself, but what happens when criminals use it to remove the one thing that used to slow them down: human effort. Cybercrime is a bigger threat to businesses than AI, this is according to cybersecurity expert and J2 CEO John Mc Loughlin.
For years, sophisticated cyberattacks required time, skill and patience. Attackers had to research their victims, understand the business, test for weaknesses, craft convincing social engineering attempts and work through targets one by one. That constraint is disappearing. AI does not create an entirely new category of cybercrime. It makes the old methods faster, cheaper and available to more people.
He warns that this is the risk many organisations are still missing. “AI gives good businesses productivity but also gives criminals the same advantage. A threat actor who previously had the capacity to actively target ten companies can now automate large parts of the process and target thousands.”
Research, reconnaissance, vulnerability scanning, phishing, credential abuse and social engineering can now be accelerated at a scale that most businesses are not prepared to defend against. The consequences are particularly serious for SMEs, many of which still believe they are too small to be targeted.
“That assumption is now dangerous because automated attackers do not need to know who you are before they find you. They simply look for stolen credentials, exposed systems, poor controls, unmanaged devices, unpatched software and any path of least resistance. If your business is visible, vulnerable and not monitored, it becomes a target whether anyone selected it by name or not,” he explains.
This is why the conversation must move beyond the hype around AI. The issue is not whether an attacker is a person, a bot or an AI enabled tool. The issue is whether the organisation has the right cyber security controls, layered protection, monitoring, visibility and response capability in place.
If those foundations are missing, the outcome is the same: the attacker gets in, moves through the environment, inserts malicious inbox rules and causes damage before the business understands what happened. This just happens faster than it did before.
Gartner’s 2026 cybersecurity research reinforces the urgency of this shift. In its Top cybersecurity trends for 2026, Gartner identifies the chaotic rise of AI, an accelerating threat landscape and the need for new approaches to cyber risk management and resilience as defining pressures for security leaders.
It also warns that AI driven security operations are changing traditional operating models, while GenAI adoption is breaking conventional cyber awareness approaches.
That matters because awareness alone is no longer enough. People remain important, but businesses cannot train their way out of machine speed attacks. Criminals are using automation to find weaknesses faster than human teams can manually detect, investigate and respond.
AI enabled defences may reduce mitigation times, but the total number of attacks is increasing. This means security teams can still spend more time defending, even when individual incidents are closed faster.
Mc Loughlin says there is also a growing vulnerability problem. “AI is accelerating the discovery of weaknesses in applications, services and networks. It is not necessarily creating new zero days, but it is helping people find existing weaknesses faster.
“The concern is that as more advanced capabilities filter into free and open source tools, the barrier to entry for attackers will fall even further. The script kiddie in a bedroom no longer needs years of experience to launch attacks that look sophisticated.”
This is where many boards and executives need to change their thinking. Cyber resilience is no longer about buying another tool and hoping it works. It is about knowing what is happening across the environment, identifying broken credentials, strange rules, suspicious behaviour and malicious activity, and having the ability to respond quickly enough to stop an incident from becoming a business crisis.
“AI attackers attack in the same way, with the same methods, only quicker and with more knowledge,” he adds. “There is nowhere to hide any longer. Every business is a target, even if they are not actively targeted. The AI will use the path of least resistance to steal and encrypt everything it can.”
The businesses that survive this next phase will not be those that spend the most time debating AI. They will be the ones that understand the risk behind it. Visibility, layered controls, monitoring, identity protection and response capability are no longer optional.
“They are the minimum requirement for doing business in a world where attackers no longer get tired, no longer work one target at a time and no longer need to be highly skilled to be highly dangerous,” he concludes.