The National Cyber Security Centre's most recent Annual Review carries a blunt headline message — "it's time to act" — and it's aimed squarely at business leaders, not just IT teams. As a director, I think it's worth reading in that spirit.

What the review found

The NCSC reported a record number of serious incidents over the year, with nationally significant attacks at their highest ever level and highly significant ones up around 50% — the third consecutive year of sharp increases. It named ransomware as the most immediate, disruptive threat, pointed to ongoing state-backed activity, and flagged how attackers are now using AI to make phishing and intrusions more effective. High-profile attacks on well-known UK names showed the real-world consequences: halted operations, stolen customer data, and lasting reputational damage.

Crucially, the NCSC's view is that the main barriers to resilience are not technical — they're about culture and leadership. Its CEO put it directly: the question is no longer if your organisation faces a cyber incident, but when, and the leaders who plan for it fare far better than those who don't.

Why this matters for your business

It's easy to treat cyber security as something "the IT people handle." The NCSC is explicit that this has to change — boards and owners need to own cyber risk, set the strategy, and make sure plans for continuity and recovery actually exist before they're needed.

What leaders should do

  1. Put cyber on the leadership agenda — review your risks and plans regularly, not just after an incident.
  2. Get the fundamentals certified. Cyber Essentials covers the basics that stop most attacks; ask your key suppliers to hold it too.
  3. Have a tested recovery plan. Assume a breach will happen and make sure you can keep running and restore quickly.
  4. Use the free help. The NCSC offers no-cost tools like Early Warning and its Takedown Service.

Helping Greater Manchester businesses turn this from a worry into a clear, costed plan is exactly what we do — from Cyber Essentials to continuity planning. Get in touch for a straightforward conversation.

Source: NCSC Annual Review 2025 — National Cyber Security Centre