UK infrastructure is more exposed to disruption despite rising security spend, warns Securitas

Despite increased investment in security, UK businesses – particularly those operating critical infrastructure and large sites – are becoming more exposed to disruption. Securitas UK highlights that the growing gap is driven by threats that evolve quietly across domains and below traditional response thresholds.

Analysis from Securitas’ Risk Intelligence shows that the nature of disruption affecting critical national infrastructure, workplaces and major operational sites is evolving. Protest activity, sabotage attempts, insider risk, drone threats and hostile reconnaissance are increasingly overlapping, creating compound threats that often sit below traditional “attack thresholds” but still generate serious operational, legal and reputational consequences.

Intelligence indicates that this pattern accelerated over the past year and remains a defining feature of the current risk environment.

“UK organisations are not short on awareness of security; they’re short on understanding,” said Mike Evans, Director of Securitas’ Risk Intelligence Centre. “The threats causing disruption today rarely announce themselves with a dramatic event, like violence or obvious wrongdoing. They develop quietly, through activity that’s easy to dismiss in isolation, and only become obvious once escalation is already underway. Without developing an understanding of their threat landscape and risk profile, organisations are forced into reactive decisions rather than being able to intervene early, proportionately and with the right context.”

Many organisations continue to plan for incidents in silos, treating crime, protest, cyber risk or insider threats as separate challenges, despite intelligence showing that today’s most disruptive activity is multi-layered, persistent and deliberately ambiguous.

According to Securitas, threat actors ranging from activist networks and organised criminal groups to hostile state‑aligned actors are increasingly exploiting:

• supply chains and third‑party access points
• executive and individual exposure
• publicly available information and open‑source data
• accessible tools such as commercially available drones

Analysis shows disruption is increasingly more likely to emerge through online mobilisation, pattern‑of‑life observation, reconnaissance, surveillance and testing behaviour – activity that can appear routine unless viewed collectively over time.

As geopolitical instability, activist escalation and hybrid threat activity continue to shape the

operating environment, organisations that rely solely on reactive, site‑by‑site security models risk being overtaken by events.

Mike warns that the organisations most exposed are not those without guards or security technology, but those lacking integrated, intelligence‑led decision making.

“Those that invest in early warning, cross‑functional awareness and intelligence‑led decision‑making are better positioned to identify emerging pressure points, recognise escalation indicators earlier, and adjust security posture before disruption impacts people, operations or critical infrastructure in today’s more complex and contested risk landscape.”

Read the 2026 Annual Intelligence Estimate: annual-intelligence-report-2026.pdf