THE LENS
Digital developments in focus

Same Warnings. Same Threats. Bigger Consequences… Increase in highly and nationally significant cyber-attacks in 2025, NCSC announces.

It feels like we cannot go more than a couple of weeks without news of a cyber attack hitting the headlines. With household names such as Marks and Spencer, the Co-op Group and Jaguar Land Rover (JLR) all falling victim to incidents this year, you could perhaps be forgiven for being fatigued by all the buzz around cyber. However, even a quick glance at the headline figures in the National Cyber Security Centre’s (NCSC) annual review for 2025 shows that cyber security must remain a priority. With the cost to Marks and Spencer of its ransomware attack estimated to exceed £300m, the importance of keeping cyber at the top of the agenda is as apparent as ever. Now is not the time for complacency.

According to the NCSC review, the number of cyber-attacks in the UK has continued to rise for the third consecutive year. The review, published on 14 October, states that nearly half (48%) of all incidents in the last 12 months were nationally significant (having caused sustained disruption on UK essential services or affecting UK national security). This equates to an average of four such attacks a week. There was also a 50% increase in highly significant attacks compared with 2024 (attacks with serious impact on central government, UK essential services, a large portion of the UK population or the UK economy).

As part of his call to action, Richard Horne, CEO of the NCSC, notes that “these numbers clearly illustrate the challenge we face is growing at an order of magnitude” and urges “all business leaders […] to take responsibility for their organisation’s cyber resilience.” However, whilst threat levels continue to intensify, the activity that is repeatedly called out is not radically new. Ransomware, for instance, remains one of the most severe and prominent threats and has been responsible for numerous high-profile attacks this year.

For many years now we have known that it is not a question of if your organisation will face a cyber-attack but of when an attack will occur. More importantly, it is a question of how prepared you are to deal with it. Organisations need systems that can keep operating during, and recover after, cyber disruption. Established cyber security measures, such as risk management and business continuity and disaster recovery planning, will remain important in this regard. However, the NCSC suggests organisations should look towards engineering fundamental resilience, to improve their ability to recover, adapt and mitigate the impact of unexpected cyber incidents. In doing so, businesses could seek to leverage several cyber security architectural and operational approaches, including:

  • Infrastructure as code: to rapidly and reliably replicate and reconstitute systems and infrastructure.

  • Segmentation: using logical and physical architectural patterns to achieve isolated operations.

  • Applying the principle of least privilege across all services: to isolate applications and minimise the ‘blast radius’ of potential threats.

  • Chaos engineering: deliberately introducing failure to validate detection and recovery.

  • Critical business functions running on duplicate but distinct instances: to ensure continuity of critical services.

Another key area of concern is supply chain risk. Supplier-based breaches have become increasingly common in recent years, and their impact is felt both up and down supply chains. The attack on JLR in August brought its UK vehicle production to a halt and threatened the jobs of some 200,000 people who support its vast supply chain. This led JLR to rely on a £1.5bn loan guarantee from the UK government in order to support its suppliers. Nearly two months on, the fallout continues. JLR is only now resuming production at some of its sites, car sales are down, and smaller suppliers remain at risk due to ongoing cash flow shortages.

Despite this, the NCSC Annual Review identified that only 14% of UK businesses reviewed the cyber risk posed by their immediate suppliers in the last 12 months. Organisations need to do more to mitigate their supply chain cyber risk, not least by conducting thorough due diligence on their suppliers. The NCSC recommends using a new tool developed by IASME that allows organisations to conduct bespoke searches across a large number of suppliers to find out whether they are certified to Cyber Essentials or Cyber Essentials Plus, the government-backed certification scheme recommended as the minimum standard of cyber security for all organisations. Our blog on the cyber-attack suffered by JLR also sets out further recommendations for managing supply chain cyber risk.

As well as implementing controls and protection, it is becoming increasingly important to have buy-in at all levels, from those on the ground to those in the boardroom. Leadership engagement is critical and should not wait until after a cyber breach. Given the wide-ranging reputational, operational and financial repercussions of a cyber incident, senior leaders need to be engaged and alive to cyber risk. For those having to encourage such engagement, the NCSC’s guide to Engaging with Boards to improve the management of cyber security risk provides helpful insights.

Alongside the annual review, the NCSC also announced the launch of a new Cyber Action Toolkit. This free tool offers sole traders and small businesses personalised recommendations, focusing on low-effort, high-impact measures, to help them as they start out on their journey of implementing cyber resilience.

For those of us who continue to champion the importance of robust cyber security, the continued complacency is concerning. The messaging is not new. The threat, whilst growing, is not new. The only thing that truly needs to be new is our attitude.

"For too long, cyber security has been regarded as an issue predominantly for technical staff. This must change. All business leaders need to take responsibility for their organisation’s cyber resilience." - Richard Horne, CEO, NCSC
