The Time to Act: Insights from the NCSC Annual Review 2025

As we approach the end of 2025, the National Cyber Security Centre’s (NCSC) Annual Review has delivered a clear reminder cyber threats are escalating and it is never too early to act.

A Surge in Cyber Incidents

Between September 2024 and August 2025, the NCSC responded to 429 cyber incidents, with 204 (48%) classified as “nationally significant”. This marks a nearly 50% increase in highly significant incidents compared to the previous year, underscoring the growing scale and sophistication of cyber threats.

Notable attacks targeted major UK brands, including Marks & Spencer, Co-op and Jaguar Land Rover.

Cyber Security: A Boardroom Priority

The NCSC has emphasised cyber security is no longer just an IT issue, it is a key business priority. Cyber incidents can disrupt operations, damage reputations and lead to serious financial and legal consequences. For today’s leaders, cyber resilience is about having the strategic foresight to prepare for, respond to and recover from cyber attacks.

At Delta Cyber Security, we see firsthand how organisations benefit from implementing robust cyber governance. Our experience shows proactive risk management not only strengthens defences, but also gives senior management confidence to make informed decisions in the face of evolving threats.

The Role of Emerging Technologies

The NCSC’s review also highlights the increasing role of emerging technologies in both cyber attacks and defences. While advancements like AI offer new opportunities, they also present new challenges. Organisations must stay ahead of these developments to protect their digital assets effectively.

Building Resilience Through Practical Cyber Security Measures

Experience shows organisations benefit most when they take a structured approach to cyber security. Implementing frameworks like Cyber Essentials, certified organisations experienced a 92% reduction in cyber insurance claims, helps create clear, achievable standards reduce risk and improve overall resilience.

Key practical steps include:

• Strengthening Cyber Governance: Align your organisation to fundamental standards & benchmarks such as Cyber Essentials, CIS and ISO27001

• Preparing for Incidents: Developing and testing response plans ensures organisations can respond quickly and minimise disruption when an incident occurs.

• Staying Ahead of Emerging Threats: Monitoring new threats and absorbing the learnings into your processes, supports your organisations to anticipate risk rather than reacting after the fact.

By taking these proactive measures, organisations not only protect themselves from attacks but also create a culture of security that supports business continuity and trust with customers and partners, an example of which is:

In response to the significant cyber attack on the Legal Aid Agency (LAA) in April 2025, which compromised sensitive personal data of over 2 million individuals, the LAA has taken the proactive step of mandating all law firms holding Criminal Legal Aid contracts in England and Wales must obtain Cyber Essentials certification by October 2025. This requirement aims to bolster cyber security, ensuring the implementation of essential security measures to protect client data and maintain trust in the justice system.

In conclusion, the NCSC’s Annual Review serves as a wake up call for organisations of all sizes. Cyber resilience is no longer optional, it is a part of maintaining business continuity. By taking proactive steps, such as implementing recognised standards, strengthening governance and preparing for incidents, organisations can significantly reduce risk and better respond to evolving threats.