In a year marked by an unprecedented surge in digital threats, the United Kingdom’s National Cyber Security Centre (NCSC) has sounded the alarm, urging businesses across the country to rethink their approach to cyber resilience. The call comes as the UK grapples with a sharp rise in highly significant cyberattacks—incidents that have not only disrupted major corporations but have also exposed the vulnerabilities of a society increasingly dependent on digital infrastructure.
According to the NCSC’s Annual Review, published on October 15, 2025, the UK has experienced a staggering 50% increase in "highly significant" cyberattacks over the past year. The security agency, which serves as the UK’s technical authority for cybersecurity, reported handling 429 cyber incidents from August 2024 to September 2025. Nearly half of these incidents were classified as nationally significant—more than double the number from the previous year. Eighteen of these attacks were deemed "highly significant," meaning they had a serious impact on the economy, the mass population, essential services, or government operations. As the NCSC put it, the UK is now facing a new nationally significant cyber incident roughly every other day—a record high for the past decade.
The impact of these attacks has been felt across the economy. Major firms such as Jaguar Land Rover, Marks & Spencer, and The Co-op Group have all suffered production halts and supply chain disruptions following breaches of their systems. In September 2025, cyberattacks even triggered delays at various European airports, underscoring just how far-reaching the consequences can be when digital systems are compromised. The situation is so dire that, as the NCSC’s chief executive Richard Horne declared at the agency’s Annual Review launch event in London on October 14, “Cybersecurity is now a matter of business survival and national resilience.”
So what’s driving this surge in cyber threats? The NCSC attributes the spike to two main factors: the UK’s growing dependence on digital systems and a marked increase in ransomware activity, with attackers targeting organizations for financial gain. State-sponsored actors from China, Iran, North Korea, and Russia remain the primary sources of these threats. The agency’s report also highlights Russia’s role in inspiring informal "hacktivist" groups, which have carried out disruptive attacks not only in the UK but also in the US and other European and NATO countries.
The risks are not just theoretical. The operational and human toll of these attacks is sobering. A ransomware attack on a London blood testing provider last year caused severe clinical disruption and contributed to at least one patient death, according to the NCSC. These incidents are a stark reminder that cybercrime is not just about stolen data or financial loss—it can have life-and-death consequences.
In response, the UK government has issued a strong warning to company leaders, urging them to prepare for the inevitability of cyber incidents by maintaining offline, paper-based contingency plans. The NCSC’s advice might sound old-fashioned in today’s digital age, but experts argue it’s a pragmatic approach. As Graeme Stewart, head of public sector at Check Point, put it, “You wouldn’t walk onto a building site without a helmet, yet companies still go online without basic protection. Cybersecurity must be treated like health and safety: not optional, but essential.”
Specifically, the NCSC recommends that organizations adopt "resilience engineering" strategies—systems designed to anticipate, absorb, recover from, and adapt to cyberattacks. This means storing response plans offline and outlining alternative communication methods, such as phone trees and manual record-keeping, in case email systems fail. The agency’s guidance follows a series of high-profile attacks this year, which have exposed the risks of total digital dependency and the critical need for robust backup systems.
The government’s message is clear: cyber-resilience must be treated as a board-level responsibility. Senior ministers, including Chancellor Rachel Reeves and Security Minister Dan Jarvis, have emphasized this point to business leaders. Jarvis stated, “Cybercrime is a serious threat to the security of our economy, businesses, and people’s livelihoods. While we work round the clock to counter threats and provide support to businesses of all sizes – we cannot do it alone.” The government is also encouraging companies—particularly small and medium-sized enterprises (SMEs)—to take advantage of the NCSC’s free support tools, including cyber insurance linked to its Cyber Essentials programme.
The NCSC’s Annual Review doesn’t just look at the present; it also warns of challenges on the horizon. The agency predicts that artificial intelligence will “almost certainly pose cyber-resilience challenges to 2027 and beyond.” AI-enhanced cyberattacks are expected to become more sophisticated, making it even harder for organizations to defend against them. In a recent incident, a bug in GitHub Copilot Chat allowed attackers to steal private code via prompt injection, offering a glimpse of the new frontiers in cybercrime.
For many organizations, the message is hitting home. The days when cybersecurity could be relegated to IT departments are over. As digital threats multiply and become more complex, resilience is no longer just a technical issue—it’s a matter of business continuity, public safety, and national security. The government’s "call to arms" is as much about changing mindsets as it is about implementing new protocols.
Of course, some business leaders have expressed concerns about the costs and logistical hurdles of maintaining paper-based backups and manual systems. Yet, as the NCSC and government officials point out, the alternative—being caught unprepared in the face of a major cyberattack—could prove far more costly. The recent spate of high-profile incidents has shown that even the most advanced digital systems can be brought to their knees, sometimes with devastating consequences.
As the UK moves forward, the challenge will be to strike a balance between embracing the efficiencies of digital transformation and safeguarding against the ever-evolving threats that come with it. The NCSC’s advice may seem retro to some, but as the past year has shown, sometimes old-school solutions are the best defense against new-school threats.
With cyberattacks now a daily reality for UK organizations, the message from the nation’s top cybersecurity experts is simple: prepare for the worst, hope for the best, and never underestimate the value of a paper backup plan.