NCSC publishes Annual Review 2025

The NCSC’s Annual Review 2025 urges business leaders to take decisive action on cyber resilience.

It’s time to act – is the clear message NCSC is making to businesses in the ninth NCSC Annual Review.

The review opens with a letter from the CEO of a major high street retailer impacted by a high-profile cyber-attack earlier this year. The message made to business leaders and decision-makers is direct: take the security of your systems seriously. The letter makes clear the far-reaching consequences of an attack, not just on businesses, but also for its employees and customers.

This year has seen an unprecedented number of nationally significant incidents impacting on UK businesses, including a 50% increase in incidents categorised as highly significant in nature. The NCSC believe these recent events should come as a reminder that cyber-attacks are not confined to computers and data, but can disrupt every part of an organisation.

The review makes a consistent effort to signpost to existing cyber security guidance and training which the NCSC already provides – including Cyber Essentials, Cyber Governance Training and the new Cyber Action Toolkit. While the report highlights the government’s commitment to supporting businesses, it places more emphasis on the responsibility for business leaders to take action and accountability for their organisations own cyber resilience.

The report focuses on three main areas:

• An overview of the cyber threat to the UK, identifying state actors and the tactics they use. The NCSC emphasises the need for better collaboration to improve our understanding of the threat and speed of collective response.
• How the NCSC supports organisations to build cyber resilience through leadership, culture and behavioural science. The report details the tools and guidance developed to help businesses prepare for, detect and respond to potential attacks.
• The NCSC’s role in shaping the development of technologies like post-quantum cryptography (PQC), AI and passkeys. The review also considers the future of digital identity, and the role NCSC plays in the security of authentication.