“It’s time to act” – that’s the message issued to organisations from the National Cyber Security Centre (NCSC), part of GCHQ, the UK’s technical authority for cyber security, in its Annual Review 2025.
“Nobody wants to believe their business could grind to a halt following a cyber-attack. But any leader who fails to prepare for that scenario is jeopardising their business’s future,” says NCSC CEO Richard Horne.
British businesses are being urged to take “concrete action” to protect themselves from cyber-attacks, as the number of nationally significant incidents rises to an average of four every week.
The report issues a stark reminder: “The recent cyber-attacks must act as a wake-up call. The new normal is that cyber criminals will target organisations of all sizes, operating in any sector. From local coffee shops to providers of critical national infrastructure, every organisation must understand their exposure, build their defences, and have a plan for how they would continue to operate without their IT (and rebuild that IT at pace) were an attack to get through.”
Included in the report is a candid and honest open letter from Shirine Khoury-Haq, CEO of the Co-op Group, reflecting on their recent high-profile cyber-attack.
In it, she writes: “I am writing this letter as a CEO whose business has just experienced a cyber-attack, in the hope that by sharing some of our experiences and learnings, you can all feel better equipped in dealing with what is a mounting issue for us all.
While you can plan meticulously, invest in the right tools and run countless exercises, nothing truly prepares you for the moment a real cyber event unfolds. The intensity, urgency and unpredictability of a live attack is unlike anything you can rehearse. That said, those drills are invaluable; they build muscle memory, sharpen instincts, and expose vulnerabilities in your systems.
The buck stops with us as senior leaders. Please continue to consider the best route to protecting your business, but also the best means to defend against an attack, including supporting customers and colleagues, at every possible stage.”
Anne Keast-Butler, Director of GCHQ, reiterated the message, stating: “This year, the realities of cyber-attacks have hit the headlines and affected the bottom lines of many companies. Incidents like the high-profile attacks on Marks & Spencer, the Co-op Group and Jaguar Land Rover serve as a stark reminder that the cyber threat is not just an abstract concept but a real one with real-world costs.
The importance of vigilance, resilience and the collective responsibility to defend against an increasingly complex threat is clear. Cyber security is a matter of business survival that demands action. Don’t be an easy target; prioritise cyber risk management, embed it into your governance, and lead from the top.”
The key takeaway for senior leaders and their employees is this: Don’t wait for the breach – act earlier.
“Cyber security needs to be a boardroom issue. It affects financial performance, operational continuity, and corporate reputation. Yet, despite the rising frequency and severity of cyber incidents, many organisations still do not act until after a breach has occurred. The consequences – legal, financial, and reputational – can be devastating, as seen in several high-profile attacks this year.”
The report also examines the common cultural barriers that lead organisations to delay preparing for cyber incidents.
“This delay is not simply a matter of oversight. It reflects a complex mix of behavioural, cultural, and financial dynamics that shape how organisations perceive and respond to cyber risk,” notes the NCSC.
“A common barrier to proactive cyber risk management is the belief that their organisation is unlikely to be targeted. Smaller organisations, or leaders in sectors such as healthcare, manufacturing, or education might ask, ‘Why would cyber criminals attack us?’ This reflects a behavioural theory called optimism bias – the assumption that negative events are unlikely to happen to them. It’s reinforced by a lack of visible threats and limited understanding of how cyber attackers operate. Cyber criminals target vulnerabilities, not sectors, so every organisation with digital assets is a potential target.
Like any other business risk, cyber security will be competing for limited resources – both in terms of money and, crucially, space within the board’s agenda. Without a visible threat, investment in prevention is frequently deferred. As a result, cyber security remains underfunded – until a breach occurs. Only then do attitudes shift, public scrutiny intensifies, and urgency becomes unavoidable.”
The report cites IBM’s X-Force 2025 Threat Intelligence Index, which notes that the UK is the most targeted European country for cyber-attacks. In the UK, businesses have lost billions of pounds to cyber-attacks over five years.
“Many of these losses could have been prevented through basic cyber hygiene and cultural change,” notes the NCSC.
Boards must recognise that investing in cyber resilience today protects long-term value and reduces the likelihood of costly disruption.
According to the NCSC, organisations need to better understand their risks and the potential impact of an incident, and it calls on leaders to consider their approach to ‘cyber security culture’, which can be the springboard for a whole range of good cyber security behaviours and practice.
Research from the NCSC shows that any efforts to improve the cyber security of an organisation will only ever be effective if they are supported by a culture that encourages this improvement. An organisation’s culture influences how cyber security is approached – for example, how decisions are made, how incidents are managed, and people’s attitudes towards it.
“Cyber incidents often act as powerful cues to increase cyber security, but by then, the damage is done. The cost of inaction is rising, and the window for preparation is narrowing. Organisations must move from reactive to proactive approaches to cyber security. This means challenging assumptions, quantifying risk, investing in prevention, and embedding a culture of cyber resilience at every level. The question is no longer if your organisation will face a cyber incident, but when. The time to act is now.”