
NCSC chief: ‘cyber security is a team sport’

by Mark Rowe

Britain is in a contest for cyberspace, the new CEO of the UK’s official NCSC (National Cyber Security Centre), Dr Richard Horne, said in a speech to launch the Centre’s eighth annual review.

He concluded that we should do more than talk about being resilient. He said: “We must all take the crucial steps that bolster our defences, that improve and grow our capability to contest. And that includes the ability to continue and recover on the occasions that attacks do get through, and this is often overlooked. The NCSC has always believed that cyber security is a team sport – that is true now more than ever.”

The speech is available in full online; for the 71-page review document, visit https://www.ncsc.gov.uk/collection/ncsc-annual-review-2024. The document has forewords by Anne Keast-Butler, director of GCHQ, the Government monitoring agency that the NCSC is part of; and the responsible Government minister, Pat McFadden, Chancellor of the Duchy of Lancaster. In his own foreword, Dr Richard Horne stressed that the Centre’s work ‘can only happen with the support from our friends across government, industry, academia, and international partners’.

The document opens with the remark that the UK depends on digital technology to live and work. Cyber security is defined as ensuring individuals and businesses can operate effectively in our connected world, and ‘central to national resilience’.

Despite media impressions, most cyber breaches are not a result of ‘complex and sophisticated attacks’, the review points out. “The vast majority of cyber attacks are still based upon well-known techniques exploiting commonly understood weaknesses. This means that organisations employing basic cyber security standards, such as Cyber Essentials, can successfully defend themselves from the most common online threats.”

The document covers September 2023 to August 2024 and goes over the threats, resilience, ‘developing the UK’s cyber ecosystem’, and the prospect of tech such as artificial intelligence (AI).

Comments

Steve Bradford, Senior Vice President EMEA at the identity security product firm SailPoint, said: “Cyber criminals are now regularly using AI to ramp up the frequency and severity of attacks. Many of these, however, still come down to some sort of compromised identity, with user access points often targeted.

“As the UK faces a ‘widening gap’ in its ability to combat these threats, which increasingly target supply chains, organisations must ensure they are implementing security across the entire ecosystem. Technology such as identity security ensures employees, including those from third-party organisations who have access to systems, are only granted the necessary permissions to fulfil their specific roles and responsibilities, no more, no less. This helps to close any gaps in cyber security posture and enables organisations to quickly spot and stop any compromised access in its tracks.

“Training is also essential. Ensuring everyone, at every link in the supply chain, is equipped with the knowledge of how to recognise and react in the face of an attack, goes a long way in preventing bad actors from surreptitiously gaining access.”

Cyber is no longer just a technical concern but a critical boardroom priority, said John Hughes, SVP and Head of Network Security Business Group at Enea. “With AI enabled intrusion making cyber threats increasingly sophisticated, the integration of cybersecurity into overarching organisational strategies is essential for maintaining resilience and trust.

“This shift reflects the growing understanding that operational continuity, customer trust, and regulatory compliance hinge on robust cybersecurity measures. Particularly in sectors like telecoms, where protecting critical infrastructure and subscriber data is paramount, leaders must adopt proactive strategies that go beyond immediate threat mitigation to address long-term security challenges.

“The report also underscores the need for cross-functional collaboration, as cybersecurity impacts not only IT teams but also finance, legal, and operations. Boards now have a responsibility to ensure security investments are aligned with business goals, enabling organisations to stay ahead of emerging threats while safeguarding their reputations and critical assets.”

And Matt Cooke, Cybersecurity Strategist at the cyber firm Proofpoint, said that the 2024 annual review emphasises the necessity of resilience in the face of escalating threats from state-aligned adversaries. “These adversaries have shown an intricate connection between their cyber espionage operations and geopolitical dynamics throughout 2024. In 2025, we expect Advanced Persistent Threat (APT) activities will continue to reflect global and regional conflicts. The cyber espionage campaigns that precede these conflicts won’t be confined to the larger nations traditionally recognised as sophisticated cyber actors. Instead, they will spread to a wider range of actors involved in regional conflicts, who will seek to exploit the asymmetric advantage that cyber warfare offers.

“The report brings attention to the growing prevalence of phishing attacks, which remain a top concern for UK Chief Information Security Officers (CISOs). Alarmingly, Proofpoint’s Voice of the CISO 2024 report indicates that 73 per cent of UK CISOs feel vulnerable to a material cyber-attack within the next year. The NCSC Annual Review offers clear guidance, tools, and frameworks that organisations can utilise to enhance their security posture. The frequency of targeted phishing attacks underlines the need for robust email security defences. Implementing measures like DMARC (Domain-based Message Authentication, Reporting and Conformance) is crucial in safeguarding email domains from spoofing and phishing, and prioritising these steps will bolster overall cyber resilience and help mitigate the expanding risk landscape.”

Awareness

Cooke spoke of a pressing need for heightened security awareness. “It’s essential for organisations to recognise the cyber threats they face and take proactive measures to boost their cyber resilience. This includes adopting basic cybersecurity practices, as recommended by the NCSC’s Cyber Essentials scheme.”

Supply chain

He added: “The increasing threat of supply chain attacks is evident, as exemplified by the ransomware attack on Synnovis, which significantly disrupted NHS services. Organisations must acknowledge the risks associated with their supply chains and implement strategies to mitigate them. This involves evaluating suppliers’ security postures and ensuring they have adequate security controls in place.

“Organisations that invest in securing their partner networks will see tangible benefits. St James’s Place’s decision to certify its partner network to Cyber Essentials Plus saw them reduce incidents by 80%. This highlights the impact that threats coming from supply chain and business partner networks are having on all organisations. Gaining visibility and implementing controls on your partners can have a dramatic impact on operation efficiency and risk reduction.”

Strategy

Proofpoint’s Voice of the CISO 2024 report showed that UK CISOs are most concerned about ransomware attacks (51pc), cloud account compromise (42pc), and business email compromise (35pc), he added. “This indicates a heightened awareness of the increasing sophistication and prevalence of these types of cyber threats. A significant majority (65%) of CISOs view human error as their organisation’s biggest cyber vulnerability, highlighting the critical role of employee education and training in cybersecurity strategies.

“There is a growing recognition in the potential of AI technology, as 87pc of UK CISOs are looking to deploy AI-powered capabilities to help mitigate human error and combat advanced cyber threats. This points towards a critical demand of integrating advanced technologies into cybersecurity measures to enhance protection against increasingly complex threats.”
