Cyber security is now a matter of business survival and national resilience, according to the head of the UK's official National Cyber Security Centre, which has published its latest annual review.
Dr Richard Horne, Chief Executive of the NCSC, said: “With over half the incidents handled by the NCSC deemed to be nationally significant, and a 50 per cent rise in highly significant attacks on last year, our collective exposure to serious impacts is growing at an alarming pace. The best way to defend against these attacks is for organisations to make themselves as hard a target as possible. That demands urgency from every business leader: hesitation is a vulnerability, and the future of their business depends on the action they take today. The time to act is now.”
‘Time to act’
Titled ‘It’s time to act’ (a phrase from a foreword by GCHQ director Anne Keast-Butler), the 100-page document stresses that cyber risk is no longer a matter only for IT, but for boardrooms; ‘cyber incidents can disrupt operations, damage reputation, and lead to serious financial and legal consequences’. The review comes in three parts: the threat to the UK; building resilience against that threat; and ‘keeping pace with evolving technology’. In a foreword, Horne says: “Empty shelves and stalled production lines are a stark reminder that cyber attacks no longer just affect computers and data, but real business, real products, and real lives.” That refers to attacks on retailers such as the Co-operative (whose CEO Shirine Khoury-Haq writes of the impact and strain caused by the April attack) and Jaguar Land Rover. These attacks must act as a wake-up call, Horne adds. Another foreword comes from the Home Office security minister Dan Jarvis, who writes that ‘cyber security has never been more pivotal to our national security and our economic health’.
Ministerial letter
Separately, a letter signed by several Government ministers, including Dan Jarvis and Chancellor of the Exchequer Rachel Reeves, besides Dr Richard Horne, has gone to chairs and chief executives of ‘leading UK companies’. Quoting the NCSC’s services and products, it urges them ‘to take the necessary steps to protect your business and our wider economy from cyber attacks’.
About the year
The review is of the year to August 2025; hence it goes back to the ransomware attack on the medical blood testing firm Synnovis, which ‘led to significant clinical healthcare disruption across the London region’. The document urges, ‘don’t wait for the breach’: ‘Cyber incidents often act as powerful cues to increase cyber security but by then, the damage is done. The cost of inaction is rising, and the window for preparation is narrowing’. The NCSC acknowledges that delay may be due to ‘a complex mix of behavioural, cultural, and financial dynamics that shape how organisations perceive and respond to cyber risk’. Hence the review urges ‘a focus on understanding the true cyber risk facing organisations, the impact breaches could have and the actions that could be taken’.
Culture
The NCSC points to research that such efforts ‘will only ever be effective if they are supported by a culture that encourages this improvement’. The review points out that ‘cyber criminals continue to exploit basic weaknesses in systems’, and acknowledges the ‘scale of exposure across our hyper‑connected and technology-dependent society’. Besides cyber technical controls, the NCSC makes the case for ‘resilience engineering’, so that in the face of the unexpected an attacked organisation can recover critical services.
Toolkit
The NCSC has launched a Cyber Action Toolkit (now moved to Public Beta) for small businesses and sole traders, to help them put foundational controls in place. Visit www.ncsc.gov.uk.
About the NCSC
The National Cyber Security Centre, a part of the UK Government eavesdropping agency GCHQ, is the UK’s technical authority for cyber security. Set up in 2016, it provides incident response to the most serious attacks on the UK.