Brian Sims
Editor
Brian Sims
Editor
DESPITE INCREASED investment in security, UK businesses – particularly so those operating Critical National Infrastructure (CNI) and large-scale sites – are becoming more exposed to disruption. In its latest Annual Intelligence Estimate, Securitas UK highlights that the growing gap is driven by threats evolving quietly across domains and below traditional response thresholds.
The 80-page analysis produced by Securitas’ Risk Intelligence Centre shows that the nature of disruption affecting CNI, workplaces and major operational sites is evolving. Protest activity, sabotage attempts, insider risk, drone threats and hostile reconnaissance are now increasingly overlapping, in turn creating compound threats that often sit below traditional ‘attack thresholds’, but still generate serious operational, legal and reputational consequences.
Intelligence indicates that this pattern has accelerated over the past year and, indeed, remains a defining feature of the current risk environment.
“UK organisations are not short on awareness of security,” said Mike Evans, director of Securitas’ Risk Intelligence Centre. “They’re short on understanding. The threats causing disruption today rarely announce themselves with a dramatic event, like violence or obvious wrongdoing. Instead, they develop quietly through activity that’s easy to dismiss in isolation and only become obvious once escalation is already underway.”
Evans added: “Without developing an understanding of their threat landscape and risk profile, organisations are forced into reactive decisions rather than being able to intervene early, proportionately and with the right context.”
Planning in silos
Many organisations continue to plan for incidents in silos, treating crime, protest, cyber risk or insider threats as separate challenges despite intelligence showing that today’s most disruptive activity is multi-layered, persistent and deliberately ambiguous in nature.
According to Securitas, threat actors ranging from activist networks and organised criminal groups through to hostile state‑aligned actors are increasingly exploiting supply chains and third party access points, executive and individual exposure, publicly available information and open source data and accessible tools (such as commercially available drones).
Analysis highlights the fact that disruption is increasingly more likely to emerge through online mobilisation, pattern‑of‑life observation, reconnaissance, surveillance and testing behaviour: activity that can appear routine unless viewed collectively over time.
As geopolitical instability, activist escalation and hybrid threat activity continue to shape the operating environment, organisations that rely solely on reactive, site‑by‑site security models risk being overtaken by events.
Intelligence-led decision-making
Securitas has warned that those organisations most exposed are not companies without security officers or security technology to look after them, but those lacking integrated and intelligence‑led decision-making.
“Those organisations that invest in early warning, cross‑functional awareness and intelligence‑led decision‑making,” asserted Mike Evans, “are better positioned to identify emerging pressure points, recognise escalation indicators earlier and adjust security posture before disruption impacts people, operations or critical infrastructure in today’s more complex and contested risk landscape.”
*Read the 2026 Annual Intelligence Estimate: Annual-Intelligence-Report-2026.pdf
**Further information is available online at www.securitas.uk.com
