Empty shelves at M&S were not the real warning sign. The 50 per cent rise in highly significant attacks was.
The National Cyber Security Centre's (NCSC) Incident Management team processed 1,727 tips during the 2024 to 2025 period and supported 429 incidents. Of those, 204 (48 per cent) were categorised as nationally significant, up from 89 the previous year. That categorisation is the one the NCSC and UK law enforcement use to prioritise response by impact; nationally significant incidents span the significant, highly significant and national cyber emergency categories. Eighteen incidents (4 per cent) were categorised as highly significant, a 50 per cent rise on the previous year and the third consecutive annual increase in that category. None of this is encouraging. The most damaging incidents are becoming more frequent, and incident management has to be built for that.
This isn't just a retail story; it reflects a threat that cuts across sectors. The Review describes ransomware as pervasive and notes that criminals pick targets by vulnerability and the likelihood of a ransom being paid, not by profile. Staying out of the headlines is not the same as being safe.
The NCSC's assessment is blunt: ransomware poses an immediate and serious threat to our critical national infrastructure. These attacks leave customers stranded and expose sensitive information that harms individuals and communities alike. The Review also notes a troubling shift, with less experienced actors now targeting operational technology systems. That widens the pool of attackers, and it means neglected basics now carry consequences well beyond the IT estate.
Vulnerability exploitation is the accelerant behind the rise in severe incidents. Three vulnerabilities, in Microsoft SharePoint Server, in Ivanti Connect Secure and related products, and in Fortinet FortiManager, were linked to 29 incidents the NCSC handled. That single trio shows why patch cadence and its governance are no longer operational housekeeping. They are a board exposure issue.
What this means for a CIO and the board. Service continuity and public trust now hinge on faster detection, disciplined vulnerability management, and tested recovery. The categorisation model exists to drive coordinated cross-government response when the harm scale demands it. Waiting for that threshold to be met is not a strategy.
Law enforcement pressure disrupted LockBit in 2024. The Review is clear that the threat persists regardless. The cybercrime market is resilient. Ransomware groups diversify, rebrand, and adjust their operating models when pressure rises. Payment incentives keep the criminal ecosystem healthy. Conosco’s stance is unambiguous. Never pay. Plan for recovery that does not depend on criminal promises.
AI is not a distant concern. Threat actors use AI to scale what already works: more convincing phishing, faster reconnaissance and bulk processing of stolen data. The near-term concern the NCSC flags is AI-assisted vulnerability research and exploit development (VRED), which shortens the time between a flaw in code or configuration being found and being weaponised.
The implication for identity and access is immediate. The NCSC wants passkeys to become the default authentication recommendation because of the resilience they add at national scale: a passkey is bound to the site that registered it, so a convincing phishing page, however well AI writes it, receives nothing it can replay. Move off legacy factors wherever possible, starting with high-risk populations such as administrators and finance teams. Treat every remaining password exception as a deliberate risk decision with an accountable owner, a review date and compensating controls. The controls that hold against AI-enhanced attacks are the same ones that worked before; what has changed is the standard to which they must be implemented.
When leadership asks for tangible steps, map them to services with clear outcomes. For identity and detection, align with a 24/7 Security Operations Centre with response playbooks, and bring in fractional leadership to drive policy and accountability where internal capacity is thin. For recovery assurance, fund immutable backups and complete environment recovery rehearsals, not just file restores.
Visibility comes from monitoring that is actually watched and from early warning that reaches the right team before an intrusion matures. The NCSC's Early Warning service delivered more than 316,000 alerts to UK organisations this year, flagging suspected compromises and notifying them of vulnerabilities. Registering is free and gives teams more time to act, provided the alerts have an owner and a route into the incident process; otherwise they are noise.
Adequate coverage means managing the attack surface with discipline. The Review ties three CVEs to 29 incidents, which is the case for moving from calendar-based patching to a risk-based approach that accounts for real-world exploitation: what is being exploited now, and which of your assets are reachable. That shift pushes organisations toward continuous attack surface management rather than periodic assessments. Continuous discovery and validation are essential; penetration testing still validates that controls work, but as one component of an ongoing threat and vulnerability management programme, not a substitute for it.
Make the programme concrete.
Where to start with Conosco.
The NCSC's broader threat picture reinforces the need for this standard of practice. State actors continue to develop intrusion capabilities, commodity cyber-intrusion markets are proliferating, and the overall threat to the UK is described as growing from an already high level. Ransomware remains acute and pervasive across UK organisations despite headline disruptions. That is the context boards must plan for, not wish away.
Controls only stick when governance is explicit. The Review points boards toward practical levers, from culture to formal frameworks, and frames cyber security culture as a leadership responsibility: set the tone and expectations, address the behavioural barriers, and move from reactive to proactive. Treat it as an organisational performance issue, with the NCSC's Cyber Security Culture Principles as the anchor for change.
Adopt frameworks that make risk measurable. CAF 4.0 is designed for essential service providers and offers outcomes-based assessment that boards can understand. Even outside regulated sectors, its structure helps clarify roles, responsibilities, and systematic risk management. Align internal reviews to it, not to a homegrown checklist that hides gaps.
Make five commitments at the board level, then fund them.
Leaders should also make clear calls on identity modernisation. The NCSC wants passkeys to become the default recommendation. Treat that as policy. Create a migration plan with a budget, service owner, and date. Prioritise administrators, finance, and any workflow that triggers payments, changes security posture, or modifies supplier details. Report progress monthly until the default is achieved.
Finally, stitch the capability together so responsibility is shared and time to act is short. Blend in-house teams with a named vCIO or vCISO to keep posture change on a single accountable plan. Combine SOC coverage with threat and vulnerability management, and instrument the estate to detect before criminals monetise access. Train executives on decision pathways before an incident lands. Then prove recovery with evidence that regulators and insurers will accept.