Back to Knowledge Vault

NCSC Annual Review 2025: A Call for Leadership

Stop talking about prevention. Start building resilience. The National Cyber Security Centre (NCSC) Annual Review 2025 doesn’t read like a report — it reads…

Stop talking about prevention. Start building resilience.

The National Cyber Security Centre (NCSC) Annual Review 2025 doesn’t read like a report — it reads like a warning. It captures a year in which cyber attacks stopped being technical events and became operational crises.

“For too long, cyber security has been regarded as an issue for technical staff. This must change.” — Richard Horne , CEO, NCSC

That single line sets the tone for the year ahead. Cyber resilience is no longer the job of IT — it’s the responsibility of leadership.

A changed landscape

The NCSC handled almost 1,800 cyber incidents over the past 12 months, with 204 classed as nationally significant, a 130% increase year over year. Nearly half of all incidents were significant enough to impact national services, supply chains, or the wider economy.

This is the third consecutive year of growth in severe incidents. The trendline is clear. Attacks are more targeted, more political, and more disruptive than ever before.

The Review notes that the “new normal” is a threat landscape in which cyber incidents can directly affect daily life, from delayed hospital appointments to empty supermarket shelves.

It’s no longer about data loss. It’s about economic stability and public trust.

https://www.ncsc.gov.uk/collection/ncsc-annual-review-2025

The failure of pure prevention

The scale of this challenge shows that prevention alone has reached its limits. Patching, monitoring, and firewalling will always reduce risk, but not remove it.

As the NCSC notes, the defining measure of success is no longer how well you defend, but how effectively you recover.

Prevention is about technology. Resilience is about leadership.

Boards must now accept that some attacks will get through. The real test is whether the organisation can still function when they do.

Three truths every board should take from the Review

The scale of disruption is now systemic

204 major attacks in one year is not a technical statistic, it’s an operational reality. Businesses must assume disruption, plan for continuity, and rehearse recovery.

Resilience means being able to absorb impact and maintain critical operations not just survive the headlines.

The battleground has shifted

The Review highlights how attackers are moving up the chain. Cloud identity, authentication, and trusted integrations are now the preferred routes in. The perimeter has disappeared, and trust has become the new target.

Boards must understand where their critical assets really live and who has the power to reach them.

Resilience is the new definition of leadership

The UK government has written directly to CEOs and Chairs, making cyber resilience a board-level duty. Neglecting it is no longer an operational weakness; it’s a governance failure.

Boards must take ownership, allocate accountability, and demand evidence that continuity plans work.

“The buck stops with us as senior leaders. Please continue to consider the best route to protecting your business, but also the best means to defend against an attack, including supporting customers and colleagues, at every possible stage.” — Shirine Khoury-Haq , CEO, Co-op

The Co-op’s open letter to business leaders is one of the most honest reflections of what a cyber event feels like inside the boardroom. It echoes the NCSC’s message that resilience isn’t theory, it’s a responsibility.

What boards must now prioritise?

• Continuity: Can your organisation operate for 24 hours without IT?
• Recovery: Do you have a clean, trusted recovery source?
• Governance: Who owns resilience in your board structure?
• Evidence: When did you last test and time your recovery plan?

These are no longer “CISO questions.” They’re leadership questions.

Forward-thinking leaders are already taking tangible steps to separate their most sensitive information from connected systems and create offline recovery vaults for clean restart capability. In an environment where every network can be reached, the ability to isolate and control data has become a defining act of resilience.

From national guidance to board action

The NCSC Annual Review 2025 isn’t just an assessment of risk, it’s a blueprint for change. It pushes resilience up the chain of command and embeds it as part of responsible governance.

Resilience is now the measure of leadership in a connected world.

Boards that plan for failure, rehearse continuity, and manage recovery will define the next era of responsible business. Those that don’t will learn the hard way that cyber is no longer a technical risk, it’s an existential one.

At Firevault Limited , We share the NCSC’s belief that resilience must be built, tested, and evidenced. Our work with business leaders focuses on continuity and control ensuring that when the worst happens, critical data and decisions are protected inside Vault, the offline safety deposit box for the information that keeps organisations moving.

Because when everything is connected, the ability to disconnect safely becomes leadership in practice.

Our reflection

The NCSC has done its part. It has given business leaders clarity, urgency, and direction. The next step belongs to the boardroom.

Defence reduces risk. Resilience ensures survival. Leadership delivers both.

👉 Read the NCSC Annual Review 2025: www.ncsc.gov.uk #CyberResilience #Leadership #NCSC #Governance #BoardResponsibility #Coop #Firevault #Vault

Share this article