It’s unusual to see an open letter from a business leader at the start of a government cybersecurity report. Especially someone whose company has just suffered a humiliating breach. But these are unusual times. And the message is critically important. That’s why GCHQ’s National Cyber Security Centre (NCSC) made room for Co-op Group CEO, Shirine Khoury-Haq, at the start of its Annual Review 2025.
Her message, echoed and amplified throughout the document, was simple: preparation is everything. But how do company leaders ensure they build sufficient cyber resilience into their organisation today, in order to ensure business as usual in the event of a breach tomorrow?
Nationally Significant Incidents Surge
The numbers from the past year tell their own story. The NCSC claims that almost half (48%) of the incidents its Incident Management team responded to over the past year were “nationally significant”. That amounts to 204 separate incidents, or four per week. Some 4% (18) are categorised as “highly significant” – a 50% annual increase. These are one step down from the maximum severity, which denotes incidents that can have severe economic/social consequences or loss of life. But they still signify cyber-attacks and breaches which could have a serious impact on central government, essential services, and a large proportion of the UK population or economy.
Interestingly, 29 incidents managed by the NCSC over the period stemmed from just three vulnerabilities: CVE‑2025‑53770 (Microsoft SharePoint Server), CVE‑2025‑0282 (Ivanti Connect Secure, Policy Secure & ZTA Gateways) and CVE‑2024‑47575 (Fortinet FortiManager). That immediately highlights some low-hanging fruit for organisations choosing to deploy risk-based patch management programmes.
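The “low-hanging fruit” of a risk-based patch programme is simply ranking what you already know: which open vulnerabilities are being exploited in the wild, which of the affected assets face the internet, and how much the business depends on them. The following is an added illustration, not code from the NCSC report or any referenced vendor. It uses the three CVE identifiers the review names, but the asset inventory, the criticality scale, the fake `CVE-0000-…` identifiers and the weightings are all constructed assumptions for the example.

```python
"""Risk-based patch prioritisation (added example, not from the NCSC report).

Ranks a constructed asset inventory by patching urgency. A CVE the review
identifies as the source of managed incidents is weighted far above a merely
published one; internet exposure and business criticality then push an asset
further up the queue.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# The three vulnerabilities the NCSC Annual Review 2025 says lay behind 29 managed
# incidents. Affected version ranges are deliberately not modelled here: the scanner
# is assumed to report which CVEs remain open on each asset.
KNOWN_EXPLOITED: Dict[str, str] = {
    "CVE-2025-53770": "Microsoft SharePoint Server",
    "CVE-2025-0282": "Ivanti Connect Secure",
    "CVE-2024-47575": "Fortinet FortiManager",
}

EXPLOITED_WEIGHT = 10   # assumed: CVE known to be exploited in the wild
PUBLISHED_WEIGHT = 2    # assumed: published CVE with no exploitation evidence


@dataclass
class Asset:
    name: str
    product: str
    internet_facing: bool
    criticality: int                      # assumed scale 1 (low) .. 5 (crown jewels)
    open_cves: List[str] = field(default_factory=list)   # unpatched CVEs from the scanner


def patch_priority(asset: Asset) -> int:
    """Return a numeric priority; higher means patch sooner. 0 means nothing to patch."""
    if not asset.open_cves:
        return 0
    score = sum(
        EXPLOITED_WEIGHT if cve in KNOWN_EXPLOITED else PUBLISHED_WEIGHT
        for cve in asset.open_cves
    )
    # Reachable from the internet doubles the exposure; criticality is an additive tie-breaker.
    score *= 2 if asset.internet_facing else 1
    return score + asset.criticality


def prioritise(assets: List[Asset]) -> List[str]:
    """Return asset names ordered from most to least urgent, omitting fully patched ones."""
    scored = [(patch_priority(a), a) for a in assets if a.open_cves]
    scored.sort(key=lambda pair: (-pair[0], pair[1].name))
    return [a.name for _, a in scored]


# Constructed inventory for the example; the CVE-0000-* identifiers are placeholders.
SAMPLE_INVENTORY = [
    Asset("vpn-gw-01", "Ivanti Connect Secure", True, 4, ["CVE-2025-0282"]),
    Asset("intranet-sp", "Microsoft SharePoint Server", False, 3, ["CVE-2025-53770"]),
    Asset("fw-mgr", "Fortinet FortiManager", False, 5, ["CVE-2024-47575", "CVE-0000-0001"]),
    Asset("wiki", "Example Wiki", True, 1, ["CVE-0000-0002"]),
    Asset("hr-db", "Example DB", False, 5, []),
]

if __name__ == "__main__":
    for name in prioritise(SAMPLE_INVENTORY):
        asset = next(a for a in SAMPLE_INVENTORY if a.name == name)
        kev = [c for c in asset.open_cves if c in KNOWN_EXPLOITED]
        print(f"{patch_priority(asset):>3}  {name:<12} exploited-in-wild={kev or 'none'}")
```

The ranking puts the internet-facing VPN gateway first even though the FortiManager box has the higher criticality and more open CVEs, which is the point of the exercise: exposure to an actively exploited flaw outranks raw CVE counts.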
This kind of low-hanging fruit is everywhere, if only business leaders were motivated enough, or aware enough of the need, to find it, says NCSC CEO Richard Horne. In his foreword, he describes the challenges faced by British organisations as growing at “an order of magnitude”. Horne concludes: “Cybersecurity is now critical to business longevity and success. It is time to act.”
A Letter to the FTSE 350
This emphasis on action is backed by recent catastrophic cyber-related outages impacting Jaguar Land Rover (JLR), M&S and Co-op Group, to name just three. Some estimates put the total losses experienced by these companies and their suppliers at close to £1bn. It’s part of the reason why the report directly exhorts business leaders to stop treating cyber as a matter for the IT department, and start realising its critical importance to business growth and the UK economy.
It’s why it features the Co-op Group’s Khoury-Haq. And why Horne exclaims: “All business leaders need to take responsibility for their organisation’s cyber resilience.” It’s also why the report promotes various NCSC initiatives like:
- The Cyber Governance Code of Practice: designed to help boards and directors better manage digital risks
- The Cyber Governance Training programme, which aligns with the code’s five core principles: risk management, strategy, people, incident planning, response and recovery, and assurance and oversight
- NCSC guidance on “Engaging with Boards to improve the management of cybersecurity risk”, which helps CISOs to communicate more effectively with their board
- The Cyber Security Culture Principles, which outline what good security culture looks like and how to change behaviours
- The Cyber Action Toolkit, to boost cyber awareness among small business leaders
It’s also why, in what appears to have been a coordinated move, the government has written to the CEOs of the FTSE 350 imploring them to recognise the scale of the threat.
“For too long, cybersecurity has been a concern of the middle management and only gets escalated to the seniors in a crisis. It’s not a case of if you will be the victim of a cyber attack, it’s about being prepared for when it does happen,” said security minister Dan Jarvis at the review’s launch. Tellingly, he sought to emphasise the competitive advantage that best practice cyber can deliver for businesses.
Building Resilience
The good news is that while the threat is intensifying, the NCSC claims most activity it sees is not radically new, whether state-sponsored or the work of groups like Scattered Spider. That should make achieving cyber resilience slightly easier. But what does the report itself offer? Aside from listing NCSC initiatives like Active Cyber Defence and Cyber Essentials, the 100-page document highlights the notion of “resilience engineering”.
Although it has its heritage in safety engineering, the concept could be transplanted effectively to the cyber sphere, the NCSC claims, via initiatives like:
- Infrastructure as code: Allowing organisations to reliably replicate systems for rapid recovery and deploy trusted immutable infrastructure.
- Immutable backups: Enabling effective recovery when there’s total environment loss (including identity, cloud configurations, hypervisors etc).
- Segmentation: For isolation and containment to minimise impact during an event, or “persistently to create trust boundaries”.
- Least privilege: Across all services, in order to limit damage and support Zero Trust approaches.
- Observability and monitoring: To detect anomalies and improve post-incident learning.
- Chaos engineering: The deliberate introduction of failure to validate/test detection and recovery processes.
- Resilient operations: Includes ensuring availability of crisis response runbooks digitally or physically on isolated platforms or hardcopies.
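Two of the items above, immutable backups that survive “total environment loss” and runbooks that remain reachable when the primary estate is down, are easy to assert in a policy document and easy to get wrong in practice. The check below is an added example, not code from the NCSC report: it evaluates a constructed backup inventory against the tiers the list names (identity, cloud configuration, hypervisors, data), requiring for each a retention-locked copy held outside the primary environment and a recently exercised restore, and then lists any runbook with no offline copy. The 90-day restore-test window, the tier names, the inventory and the runbook locations are all assumptions for the example.

```python
"""Recovery-readiness check for backups and runbooks (added example).

Assumptions, not policy from the NCSC report: the four tiers below must each have
an immutable copy, a copy outside the primary environment, and a restore test
within MAX_DAYS_SINCE_RESTORE_TEST days; every runbook needs a copy on an
isolated platform or in hardcopy.
"""
from datetime import date
from typing import Dict, List, Optional

REQUIRED_TIERS = ("identity", "cloud_config", "hypervisor", "data")
MAX_DAYS_SINCE_RESTORE_TEST = 90                      # assumed policy value
OFFLINE_LOCATIONS = {"isolated_platform", "hardcopy"}  # reachable with the estate down


def assess_backups(backups: List[dict], today: date) -> Dict[str, List[str]]:
    """Return tier -> list of findings; an empty list means that tier is recoverable."""
    findings: Dict[str, List[str]] = {tier: [] for tier in REQUIRED_TIERS}
    by_tier: Dict[str, List[dict]] = {}
    for b in backups:
        by_tier.setdefault(b["tier"], []).append(b)

    for tier in REQUIRED_TIERS:
        copies = by_tier.get(tier, [])
        if not copies:
            findings[tier].append("no backup copy at all")
            continue
        # Immutability defeats an attacker (or a mistake) deleting or encrypting the copy.
        if not any(c["immutable"] for c in copies):
            findings[tier].append("no immutable (retention-locked) copy")
        # A copy inside the environment being lost is not a copy you can recover from.
        if not any(c["isolated"] for c in copies):
            findings[tier].append("no copy outside the primary environment")
        # A backup is only proven by a restore; check the most recent one.
        tests: List[date] = [c["last_restore_test"] for c in copies if c["last_restore_test"]]
        if not tests or (today - max(tests)).days > MAX_DAYS_SINCE_RESTORE_TEST:
            findings[tier].append(
                f"no restore exercised in last {MAX_DAYS_SINCE_RESTORE_TEST} days"
            )
    return findings


def runbooks_missing_offline_copy(runbooks: List[dict]) -> List[str]:
    """Return names of runbooks with no copy reachable when the primary estate is down."""
    return [
        rb["name"] for rb in runbooks
        if not OFFLINE_LOCATIONS.intersection(rb["copies"])
    ]


# Constructed sample data for the example.
TODAY = date(2025, 10, 14)
SAMPLE_BACKUPS = [
    {"tier": "identity", "immutable": True, "isolated": True, "last_restore_test": date(2025, 9, 1)},
    {"tier": "cloud_config", "immutable": False, "isolated": True, "last_restore_test": date(2025, 8, 20)},
    {"tier": "hypervisor", "immutable": True, "isolated": False, "last_restore_test": None},
    {"tier": "data", "immutable": True, "isolated": True, "last_restore_test": date(2025, 3, 1)},
]
SAMPLE_RUNBOOKS = [
    {"name": "ransomware-response", "copies": ["collaboration_portal", "hardcopy"]},
    {"name": "ad-forest-recovery", "copies": ["collaboration_portal"]},
]

if __name__ == "__main__":
    for tier, issues in assess_backups(SAMPLE_BACKUPS, TODAY).items():
        print(f"{tier:<13} {'READY' if not issues else '; '.join(issues)}")
    for name in runbooks_missing_offline_copy(SAMPLE_RUNBOOKS):
        print(f"runbook '{name}' has no offline copy")
```

Run as-is, the only tier that passes is identity; the hypervisor tier fails twice, because its only copy lives inside the environment it is meant to recover and has never been restored, and the AD forest recovery runbook exists only on a portal that would be unavailable in exactly the scenario it describes.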
Look to Standards
Peter Connolly, CEO at Toro Solutions, argues that best practice standards like ISO 27001 can help organisations to improve their cyber resilience.
“It provides a structured framework for managing risk that goes beyond IT to include people, physical security, and business continuity,” he tells ISMS.online. “By taking this integrated approach, organisations can minimise the impact of incidents, maintain critical operations, and demonstrate to customers, investors, and partners that security is a serious priority.”
Connolly adds that organisations should use ISO 27001 compliance to help embed security into everyday business culture.
“This means making security principles part of routine operations rather than treating them as a separate task,” he concludes. “Start by addressing the most critical risks first, and ensure that cyber, physical, and people-related security are considered together. This approach builds genuine resilience while also providing internationally recognised credibility.”
The word “resilience” is mentioned 139 times in the NCSC report. It’s time UK PLC took notice.