6 key takeaways from the NCSC Annual Report 2025

The leaves are turning, there’s a chill in the air, and autumn is here in the UK. For the cybersecurity world, this means one thing: the National Cybersecurity Centre’s annual review is about to drop. As in previous years, we’ve gone away, reviewed the report and stripped out the key points to save you the time. So, without further ado, here are our key takeaways from the NCSC Annual Report 2025.

1. The number of attacks on the UK has increased (again)

It’s rare to read a cybersecurity sector report with good news to share, but still, the NCSC’s findings make for alarming reading. The past 12 months have seen a significant rise in cyberattacks, with a 50% increase in highly and nationally significant attacks compared to the previous year.

Digging a little further into those numbers, the NCSC reported 204 “nationally significant” cyber incidents between September 2024 and August 2025. That’s significant because it’s the highest ever number, and it’s a huge increase (130%) from the previous year’s 89 incidents. In all, the NCSC received 1727 incident tips in the period, with 429 of those classified as cyber incidents which required the agency’s support.

2. The biggest cyber threats to the UK

The report also tackles what the NCSC regards as the greatest threats to the UK’s cybersecurity, ranging from state-backed actors to artificial intelligence and large language models.

State actors

Given the geopolitical turmoil currently raging across the globe, it’s no surprise to see cybercrime linked to a number of state-backed actors mentioned in the report. Of more interest, however, are the specific threats the NCSC has linked to each state.

  • China: The Flax Typhoon group, linked to several attacks on the UK
  • Russia: The Authentic Antics malware, which steals victims’ login details and tokens to enable long-term access to email accounts
  • Iran: Attempted attacks on US and UK critical national infrastructure (CNI) as part of the Iranian-Israeli conflict
  • North Korea: Fake IT worker scams, designed to funnel money from UK companies to the DPRK state

Ransomware

Ransomware remains one of the most acute threats to UK organisations. The NCSC highlights the retail attacks on Marks & Spencer and the Co-op as high-profile examples. However, the report stresses that while it might seem that retail has become a key target, in reality, most cybercriminals are sector agnostic, picking victims based on:

  • Who is most likely to pay a ransom
  • Who is most vulnerable to operational downtime
  • Who holds sensitive data that would cause significant harm to UK citizens if leaked

AI

You can read more about the specific threats and opportunities presented by AI in our blog on the subject. But, needless to say, the NCSC is very concerned about the use of AI, both by cybercriminals (particularly state-backed groups) to supercharge their attacks and by companies for everyday tasks. The latter presents a huge risk due to problems like slopsquatting and businesses unwittingly creating vulnerabilities through their use of LLMs and other tools.

Cyber proliferation

This is perhaps the most interesting of the threats discussed by the NCSC. Cybercrime has been going through a transition in recent years, from something largely practised in the margins by the highly tech-literate and cyber spies to a full-blown black market industry.

The rise of malware-as-a-service and DIY cybercrime has democratised hacking. No longer do cybercriminals need advanced coding skills or any real knowledge of how malware works to launch attacks. Instead, anyone can simply head to a dark-web marketplace and buy off-the-shelf malware and ransomware. This is a trend the NCSC expects to accelerate further over the next five years, particularly as regimes like the DPRK continue to back innovation among criminal groups.

Threats to critical national infrastructure

The cyber threat to the UK's critical national infrastructure (CNI) remains high. The NCSC cites the attacks by the DragonForce ransomware group (Co-op, Harrods, M&S) as the most likely kind of attack CNI currently faces. However, the report also notes that hacktivist activity has shifted to low-skilled attacks against operational technology.

3. It’s time to act

The report represents a real hardening in the rhetoric used by both the NCSC and the government more widely. The NCSC stresses the urgency for every organisation – big or small – to act now by making themselves harder to successfully attack.

Notably, this places the responsibility firmly with businesses themselves. As Richard Horne, the NCSC’s chief executive, put it, “cybersecurity is now a matter of business survival and national resilience”.

How should firms do this? Well, one of the key recommendations from the report is for businesses to ensure suppliers meet Cyber Essentials standards to reduce supply chain vulnerabilities. Alongside this, it also draws attention to the importance of cyber insurance (and the fact that it’s often included with Cyber Essentials). The report also urges businesses to use the NCSC’s free early warning service to keep on top of emerging cyber threats.

4. Cybersecurity must become a boardroom priority

Much like DSIT’s Cyber Breaches Survey earlier this year, the NCSC makes it clear that cyber risk management is now a boardroom priority and responsibility. In the past, many businesses treated cybersecurity as a task for technical teams with little in the way of board oversight or direction.

The report makes it clear that this has to change. Boards now need to take a proactive approach to cybersecurity, both in terms of setting strategy and oversight of technical teams. It’s also worth noting that it’s highly likely this will be formalised in the upcoming Cybersecurity and Resilience Bill currently going through its last legislative stages.

5. High-profile attacks are a wake-up call for all businesses

When we look back on 2025 in years to come, it’ll almost certainly be remembered as the year societal attitudes to cybersecurity shifted. The attacks on Co-op, Harrods, M&S, Jaguar-Land Rover and now rail operator LNER have awoken the public to the potentially crippling impact of large-scale cyberattacks.

The same is true for businesses. While the business community has made huge strides in cyber preparedness and how it treats security in recent years, the last few months have really brought home the importance of cybersecurity. As a result, the NCSC expects all organisations, no matter the sector or size, to treat cybersecurity as a priority going forward.

6. The UK government is taking action

Finally, the NCSC and the UK government as a whole have been spurred into action by the events of this year. Most notably, following the publication of the NCSC’s report, a ministerial letter has been sent to the CEOs (or leaders) of FTSE 350 companies. The letter outlines several things the UK government expects business leaders to do, including:

  • Make cyber risk a Board-level priority using the Cyber Governance Code of Practice
  • Require Cyber Essentials across your supply chain
  • Sign up for the NCSC’s Early Warning service

Where does that leave ordinary businesses?

Of course, not everyone has the resources of an FTSE 350 company. In fact, 90% of businesses in the UK don’t. However, that doesn’t mean that the NCSC’s findings don’t apply. Cybersecurity is everyone’s responsibility, so here are a few things any business can do.

  • Focus on the importance of ‘Cyber basics’ like phishing awareness, security training, and technical controls such as multi-factor authentication
  • Complete Cyber Essentials certification at a minimum, especially if you’re part of a larger supply chain
  • Sign up for free-to-use tools like the NCSC’s Early Warning and Takedown Services
  • Consider purchasing specialist cyber insurance (often included with Cyber Essentials), which can help you recover far quicker following a breach
  • Use the Cyber Governance Code of Practice to implement board-level responsibility for cybersecurity

For managed service providers, the onus is on you (and partners like CyberSmart) to help businesses understand and adopt a good cybersecurity baseline. It’s often overlooked how many of the high-profile cyber incidents we’ve seen in 2025 stem from breaches at smaller suppliers, and we all have a part to play in making the UK a safer place to live and do business.

CyberSmart Patch helps you reduce vulnerabilities by keeping third-party software up to date — without the hassle. Try it today.

Frequently asked questions

  • Cyber risk to the UK continues to increase (a 50% increase on 2024)
  • In the wake of high-profile attacks, cybersecurity must become a boardroom priority
  • The UK faces a wide range of threats, such as ransomware, state-backed actors, attacks on critical national infrastructure, cyber proliferation, and AI
  • Businesses must require Cyber Essentials across their supply chain
  • The UK government is taking action, including sending a ministerial letter to FTSE 350 companies
  • The NCSC and UK government have shifted their rhetoric to demand action from businesses to build national cyber resilience. The government now expects UK businesses to make cybersecurity a board-level priority and take action to improve cybersecurity across their supply chain.