British govt agents demand action after UK mega-cyberattacks surge 50%
- Reference: 1760439066
- News link: https://www.theregister.co.uk/2025/10/14/ncsc_uk_cyberattack_surge/
GCHQ's cyber arm, the National Cyber Security Centre (NCSC), said in its [1]annual review published today that its incident management team handled 429 cyberattacks on organizations in the past 12 months, one fewer than the same reporting period in last year's review.
However, the number of nationally significant attacks stood at 204, a 48 percent increase year on year, and the number of highly significant attacks stood at 18, a 50 percent increase on last year – the third marked increase in as many years.
The NCSC has six categories of attacks, ranked in DEFCON style:
Category 1 – National cyber emergency: Attacks that cause sustained disruption to critical services or impact national security. These demand a cross-government response, with senior ministers and law enforcement working together. NCSC advises on incident response.
Category 2 – Highly significant incident: Attacks have a serious impact on central government, essential services, and a large population of the UK. NCSC leads the response.
Category 3 – Nationally significant incident: Used to be called just a "significant incident," these attacks strike a large organization and carry a risk of impacting essential services. NCSC leads the response.
Category 4 – Substantial incident: Attacks that have a serious impact on a medium-sized organization, or those that pose a considerable risk to a large one. NCSC or law enforcement leads the response.
Category 5 – Moderate incident: An attack on a small organization that could impact a larger one. Law enforcement leads the response.
Category 6 – Localized incident: An attack on an individual, or one that could shape into an attack on an SMB. Local police lead the response.
NCSC chief exec Richard Horne said: "Cybersecurity is now a matter of business survival and national resilience. With over half the incidents handled by the NCSC deemed to be nationally significant, and a 50 percent rise in highly significant attacks [3]compared to last year, our collective exposure to serious impacts is growing at an alarming pace.
"The best way to defend against these attacks is for organizations to make themselves as hard a target as possible. That demands urgency from every business leader: hesitation is a vulnerability, and the future of their business depends on the action they take today. The time to act is now."
The prevailing message from the NCSC's report is that UK organizations lack the urgency around implementing measures that could improve their resilience to cyberattacks.
People close to the matter believe many business and technical leaders in the UK are knowledgeable enough and understand what needs to be done, but it just isn't being enacted quickly enough.
In a speech scheduled for later today, Horne will allude to an open letter penned by Co-op's CEO, Shirine Khoury-Haq, which reminded others in similar shoes that nothing can prepare a company's top brass for the dreaded call informing them of an attack.
He will say that it's even worse receiving that call when the organization does not have a plan in place to manage the widespread disruption and business continuity.
Hammering home the theme of urgency, Horne will add: "So, the time to act is now. Every leader, whether you're one person at your kitchen table or the boss of thousands of people, you must have a plan to defend against criminal cyberattacks and you must have a plan for continuity. You must know how to keep going should a cyberattack get through.
"If your IT infrastructure was crippled tomorrow and all your screens went blank, could you run your payroll systems, or keep your machinery working, or stock your shelves?
"If the answer is 'no,' or more likely 'don't know,' act now. Because when an attack does break through, it is the strength of these pre-engineered solutions that determines an organization's ability to endure, respond, rebuild, and survive."
[8]UK may already be at war with Russia, ex-MI5 head suggests
[9]UK and US security agencies order urgent fixes as Cisco firewall bugs exploited in wild
[10]Workers fear for their jobs as JLR's latest shutdown extended
[11]UK to ban ransomware payments by public sector organizations
The report opens by referencing the cyberattacks on UK household names. The NCSC doesn't name them, but the issues at [12]M&S, [13]Co-op, and [14]Jaguar Land Rover are so well-known that it makes little sense to tiptoe around them.
Empty shelves and silent production lines defined the UK's year in cybersecurity in 2025, and the cybersecurity agency said these recent attacks, among others, "must serve as a wake-up call" for orgs of all sizes.
CEOs, you've got mail
Senior ministers are writing to the leaders of all FTSE 100 and FTSE 250 companies this week, as well as "a number of other leading UK firms," imploring them to heed the NCSC's advice.
As well as echoing the main takeaways of the NCSC's review, they issue three requests in support of the agency's urgency goals, with the top one addressing business culture.
Ministers want cyber risk to be a board-level priority. This builds on a similar call made by the NCSC, which urges organizations not to treat cybersecurity as a matter purely for technical teams.
The letter will also ask business leaders to sign up to the NCSC's Early Warning service, which is free for all. All that's required is for a business to provide its public IPs and domains, and the NCSC will send alerts if it detects possible malicious activity targeting an org's network.
Ministers also asked the UK's top companies to demand that their suppliers meet the requirements set out by the NCSC's Cyber Essentials standard.
The agency claims those that meet the Cyber Essentials mark are 92 percent less likely to make a claim on their cyber-insurance policy, and when every link in the supply chain is secure, it lessens the likelihood of an upstream or downstream attack on others, too.
"We are encouraged to see that more than 90 percent of company boards now recognize cybersecurity as a critical priority," said [15]the letter signed by secretaries of state, Horne, and NCA chief Graeme Biggar.
"We now need to convert this priority into concrete actions to fully address vulnerabilities and enhance resilience, and invite you to work with us to protect our economy and society." ®
[1] https://www.ncsc.gov.uk/collection/ncsc-annual-review-2025
[3] https://www.theregister.com/2024/12/03/ncsc_annual_review/
[8] https://www.theregister.com/2025/09/29/uk_russia_cyber_war/
[9] https://www.theregister.com/2025/09/26/cisco_firewall_flaws/
[10] https://www.theregister.com/2025/09/23/jaguar_landrover_shutdown_extended/
[11] https://www.theregister.com/2025/07/22/uk_to_ban_ransomware_payments/
[12] https://www.theregister.com/2025/08/11/ms_restores_click_collect_following/
[13] https://www.theregister.com/2025/09/25/empty_shelves_empty_coffers_coop/
[14] https://www.theregister.com/2025/10/06/jlr_phased_production/
[15] https://www.gov.uk/government/publications/ministerial-letter-on-cyber-security-to-leading-uk-companies/ministerial-letter-on-cyber-security
Do as I say, not as I do!
Government needs to get its own house in order first.
"nothing can prepare a company's top brass for the dreaded call informing them of an attack"
Well, having it on the company's risk register with a realistic cost impact and audited probability based on their currently assessed preparedness would help prepare them - if only by giving them a cost/benefit case for actually doing something. If they were also required to reflect the factored risk on their balance sheet and set reserves aside then it would be top of shareholders' minds every time the company or the analysts reported on their financials and when their share price dropped cos they'd done nothing to mitigate a very real risk the board might realize that not doing something about their company's security could affect their bonuses.
Until there's a "very real risk" of board members losing their freedom (jail/gaol), they will do nothing.
If it becomes too expensive not to comply, they will listen, because it hurts shareholders.
And if there's a real risk to the board, they will outsource the risk to a third party.
Maybe Rishi could help companies avoid the dangers of TCS and encourage them to use Infosys instead?
Oh dear, my sarcasm jar seems to have emptied unexpectedly.
Anything of substance?
So what you've reported can be summed up as, "Oy you, do something!"
Did the report include any real advice, or have you declined to repeat that part?
Re: Anything of substance?
Well, you could follow the link and read it. Being kind, I've had a skim, and two thirds of it anyone round here could have written with no preparation or research, and the other third most of us could have written just from Reg content and the occasional informed comment in this forum. The report has some good but necessarily generic recommendations in Chapter 2, but in searching the pdf for a few keywords I didn't find any reference to outsourcing, nor spot any content relating to the very common breach theme of the breach being at an outsourcer or off-prem services supplier. With the finger pointing at Totally Crap Services for three recent notable breaches, I'd have thought that vulnerabilities not just across the software stack, but across the services stack ought to be a topic in its own right.
Re: Anything of substance?
The Beeb reports more on the letter to CEOs (worth taking a look as it takes a complementary view to the TFA's: https://www.bbc.co.uk/news/articles/ced61xv967lo).
The headline there is that they say to have a plan on paper (quite likely a fair number of CEOs might not realise having it on their PA's PC won't help when that's down with the rest) and it should cover falling back to manual operation as well as recover. It's also the sort of sound advice any of us could have given but, of course, as it would have come from us it wouldn't count for much. The same advice coming from govt. stands a better chance of being heeded. Let's hope it is heeded because, done properly, it's far from trivial and it would involve taking a serious look at their current defences and maybe even deciding to do something about them as a result.
Short version
We're toast :(
Re: Short version
Yes but look on the bright side, we're toasty but with a tasty smear of marmite on top.
Profit...
There's a new investment strategy called #buythebreach.
When a company stock price dips due to a cyber event, buy in at the low price and await the recovery.
Example: Tata Motors is down by 41%.
Example: Crowdstrike dropped 50% last July after their software broke many companies' IT. It's now up more than 100% from that low.
(No I don't participate.)
They are doing it wrong.
Your IT security does not depend upon patching software or paying IT consultants more.
The solution is cheaper and architectural. The threat comes from allowing your primary networks/data stores to have access to the public internet. Your primary systems should never connect to the public internet. Internet facing systems should contain data transiently, and just hold light and fluffy stuff - no problem if it is hacked and easily replaced after a ransomware attack.
So that means having the bulk of your stuff on prem and secure. No SaaS, no Cloud, no AI and two screens per desk, one for your secure intranet, one for internet connected. Air gapped by a member of staff.
The stuff that the tech industry want to sell you, makes you inherently insecure.
You should hold the minimum data, preferably offline, on physical media (feasibly paper). Because data is a risk not an asset, and 'big data' was a scam.
No accessible honey pot of data, no reason to hack you.
And you should use much simpler, non-networked systems where you can, hybrid with paper, forms and phones, if you are a smaller entity like a school. If something works on paper, it is rank idiocy to digitise it and then connect it to the internet.
The suggestions above make you securer by design. Because anything connected to the net is vulnerable.
The only thing the NCSC do that actually makes a difference is take so long to fix ransomware attacks that the potential cost to any business hit by them should make them reconsider their infosec.
Re: They are doing it wrong.
In the early days of Cyberattacks I learned to do it all after my company started to get daily worldwide attacks, once I learned how to do it I attacked my company internet options and after seeing how everything was being done I worked to stop it happening by doing our local hacking myself. Once I hacked my own company I was able to prevent it ever since.
So doing hacking outside your own world is wrong, but it's very educational and helps make you escape the hacking world.
Re: They are doing it wrong.
I still remember ransomware encrypting a drive with a note to bring cash at this and that location to receive unlock password in the post. No internet involved.
UK would still be in the EU, it should have implemented a local version of NIS2.
And companies go towards protection.
"The NCSC doesn't name them"
The Beeb's story also includes the Harrods breach as nationally significant. I suppose it tells us something about what's significant to the Beeb.
BBC's tech failure.
Tech has been fundamental to modern life for decades, but BBC TV has had piss-all coverage of technology since the 1980s. Cookery, antiques, furnishing your home, gardening, fishing, sports. They are happy to devote hours to everything else, but have studiously avoided explaining tech to their viewers, despite their public service remit. Their failure here has been an absolute disgrace for decades. All they do is run moral panic scare stories on the news. Much of the lack of knowledge of basic tech in the UK stems from this. Ditto ITV, but they don't have the public service remit of the BBC.
Oh FFS El Reg, don't start putting those wretched ****ing adverts that crawl up from the base of the screen on here as well.
Nerve
Haha the nerve they got. Government gutted British IT sector and now has pikachu face that things are looking pear shaped.