
Everyone has a plan until they get punched in the face: reflections on the NCSC 2025 annual review

The NCSC Annual Review 2025 delivers a reality check. Highly significant cyber incidents have increased by 50 percent year over year. It's time to act.

Mike Tyson’s famous words have never been more relevant to cyber security.

The NCSC Annual Review 2025 delivers a reality check. Highly significant cyber incidents have increased by 50 percent year over year, with nationally significant incidents now representing 48 percent of all cases. That marks the third consecutive annual rise in severe incidents.

The message from government could not be clearer. Five senior ministers, including the Chancellor, and the CEO of the NCSC have recently written directly to FTSE 350 companies with an urgent warning: “Hostile cyber activity in the UK is growing more intense, frequent and sophisticated.”

This is not hyperbole. It is the highest levels of government telling business leaders that the threat has fundamentally changed.

The new baseline: resilience

The tone has shifted from encouraging better resilience to a call to arms for structural, regulatory and governance change. This is not academic positioning. It is recognition that the UK’s hyper-connectivity creates shared vulnerability, where everyone has a role to play.

The Co-op CEO’s brutal honesty captures this reality: “While you can plan meticulously, invest in the right tools and run countless exercises, nothing truly prepares you for the moment a real cyber event unfolds.”

The cost of getting this wrong is staggering. Marks & Spencer’s ransomware attack is estimated to have cost over £300 million. The Synnovis incident cost £32.7 million and was linked to at least one patient fatality, according to the NCSC. These are not IT problems. They are existential business crises with real human consequences.

Automation and AI: only if proven

Technology, automation and AI should shorten response times, but organisations need to test that these controls actually work. The NCSC’s message is clear: do not just buy it, prove it works. The real question is not whether you have advanced tools, but whether you can demonstrate that they reduce the time to detect and contain real attacks.

This is where chaos engineering becomes essential. The NCSC advocates deliberately introducing failure to validate detection and recovery capabilities. It is not enough to assume your automated defences work. You need to break things deliberately to prove they can be fixed.
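The "prove it works" principle above, as an added example that is not part of the original post and not CovertSwarm's or the NCSC's own tooling: a small detection-validation harness that replays constructed attack telemetry through detection rules, records whether each scenario fired an alert, measures time-to-detect against a containment target, and flags both coverage gaps (an attack no rule catches) and false positives (benign activity that should stay silent). The event format, the two rules, the scenarios and the five-minute target are all assumptions chosen for illustration.

```python
"""Detection-validation harness (added example; rules, events and targets are assumed).

Injects synthetic attack telemetry, runs detection logic over it and reports
detected / time-to-detect / within-target per scenario, so that "our tooling
would catch this" becomes a measured result rather than an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str            # assumed kinds: "auth_fail", "auth_ok", "proc_start"
    user: str
    src: str             # source host or IP
    detail: str = ""     # for proc_start: "parent.exe->child.exe"


@dataclass(frozen=True)
class Scenario:
    name: str
    events: List[Event]
    first_malicious: datetime   # when the injected attack starts (TTD baseline)
    expect_alert: bool = True   # False for benign control scenarios


Rule = Callable[[List[Event]], Optional[datetime]]  # returns alert time or None


def rule_brute_force_then_success(events: List[Event]) -> Optional[datetime]:
    """Alert when >= 5 failures for one user/source precede a success within 10 minutes."""
    fails: Dict[Tuple[str, str], List[datetime]] = {}
    for e in sorted(events, key=lambda x: x.ts):
        key = (e.user, e.src)
        if e.kind == "auth_fail":
            fails.setdefault(key, []).append(e.ts)
        elif e.kind == "auth_ok":
            recent = [t for t in fails.get(key, []) if e.ts - t <= timedelta(minutes=10)]
            if len(recent) >= 5:
                return e.ts
    return None


def rule_office_spawns_shell(events: List[Event]) -> Optional[datetime]:
    """Alert when an Office process spawns a command interpreter (macro-style execution)."""
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "proc_start":
            parent, _, child = e.detail.partition("->")
            if parent in {"winword.exe", "excel.exe"} and child in {"cmd.exe", "powershell.exe"}:
                return e.ts
    return None


RULES: Dict[str, Rule] = {
    "brute_force_then_success": rule_brute_force_then_success,
    "office_spawns_shell": rule_office_spawns_shell,
}

T0 = datetime(2025, 10, 14, 9, 0, 0)  # constructed timestamp


def build_scenarios() -> List[Scenario]:
    """Constructed telemetry: three injected attacks plus one benign control."""
    brute = [Event(T0 + timedelta(seconds=90 * i), "auth_fail", "j.smith", "10.0.0.9") for i in range(5)]
    brute.append(Event(T0 + timedelta(minutes=8), "auth_ok", "j.smith", "10.0.0.9"))
    macro = [Event(T0 + timedelta(minutes=1), "proc_start", "a.jones", "WS-042",
                   "winword.exe->powershell.exe")]
    # Lateral movement via a remote service: no rule above covers it, so this is a gap.
    psexec = [Event(T0, "proc_start", "svc_admin", "WS-042", "services.exe->psexesvc.exe")]
    # Benign control: two typos then a successful login must not alert.
    typo = [Event(T0 + timedelta(seconds=30 * i), "auth_fail", "b.lee", "10.0.0.21") for i in range(2)]
    typo.append(Event(T0 + timedelta(minutes=2), "auth_ok", "b.lee", "10.0.0.21"))
    return [
        Scenario("brute_force", brute, T0),
        Scenario("macro_spawns_shell", macro, T0 + timedelta(minutes=1)),
        Scenario("psexec_lateral", psexec, T0),
        Scenario("benign_typo", typo, T0, expect_alert=False),
    ]


def validate(scenarios: List[Scenario], rules: Dict[str, Rule] = RULES,
             target: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Run every rule over every scenario; report detection, TTD and pass/fail."""
    report: Dict[str, dict] = {}
    for s in scenarios:
        hits = [(name, fired) for name, r in rules.items() if (fired := r(s.events)) is not None]
        if not hits:
            report[s.name] = {"detected": False, "rule": None, "ttd_s": None,
                              "within_target": False, "pass": not s.expect_alert}
            continue
        name, fired = min(hits, key=lambda h: h[1])      # earliest alert wins
        ttd = fired - s.first_malicious
        within = ttd <= target
        report[s.name] = {"detected": True, "rule": name, "ttd_s": ttd.total_seconds(),
                          "within_target": within, "pass": s.expect_alert and within}
    return report


if __name__ == "__main__":
    for name, r in validate(build_scenarios()).items():
        print(f"{name:20} detected={r['detected']!s:5} rule={r['rule']} "
              f"ttd={r['ttd_s']} within_target={r['within_target']} pass={r['pass']}")
```

Run as-is, the harness shows the three outcomes a practitioner cares about: the brute-force scenario is detected but only 480 seconds after the first failure, outside the assumed five-minute containment target; the macro scenario is caught immediately; the remote-service lateral movement is never detected, which is a coverage gap to fix before anyone reports "we have detection". Swapping the in-memory rules for calls into a real SIEM or EDR query turns the same structure into a scheduled control test rather than a one-off exercise.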

At CovertSwarm, we take the same principle further. We attack constantly to validate resilience in the same way real adversaries would.

The sophistication paradox

Despite all the talk of AI-powered threats and nation-state actors, the most devastating attacks still exploit basic weaknesses. The NCSC’s insight is clear: even sophisticated attackers exploit basic vulnerabilities.

Organisations with Cyber Essentials certification are 92 percent less likely to make insurance claims, yet adoption remains frustratingly low due to optimism bias: the dangerous assumption that cyber attacks will not happen to them.

This reveals the industry’s misplaced obsession with advanced threats while ignoring fundamental cyber hygiene. Identity remains the critical weak point in most organisations, with social engineering and weak controls providing easy entry points for attackers of all sophistication levels.

Board ownership and accountability

Cyber security has moved from IT to the C-suite, and the government is making this non-negotiable. The ministerial letter demands three specific actions: make cyber risk a board-level priority, sign up to Early Warning services, and require Cyber Essentials across supply chains.

This shift echoes the post-2008 drive for corporate accountability. The era of cyber negligence is closing fast.

The NCSC’s new Cyber Governance Training ensures boards can no longer claim ignorance. Expect tougher oversight and personal consequences for negligence. The days of treating cyber security as someone else’s problem are over.

Traditional security testing is failing

Annual penetration tests and compliance theatre are corporate negligence in a constant-threat world. The NCSC data exposes a fundamental mismatch: while organisations test episodically, attackers operate continuously.

The NCSC’s proposed Cyber Adversary Simulation framework reinforces this shift. Continuous attack simulation and resilience auditing are the direction of travel because constant threat demands constant attack.

Stop waiting for the breach

The NCSC’s message is unambiguous: “It’s time to act.”

Do not wait for the breach. Move from reactive to proactive. Prove resilience through continuous preparation, automated response, and deliberate failure testing that demonstrates you can withstand real attacks.

At CovertSwarm, we call this the Constant Cyber Attack model. Resilience is not a quarterly exercise. It is a daily discipline. The question is not whether you will get punched in the face. It is whether you will still be standing when it happens. Organisations must accept the uncomfortable truth that sporadic testing over limited time will not close the cyber risk gap.

In a world where attackers ignore rules, schedules, and scope limitations, only continuous adversary simulation can provide the assurance that your defences work when it matters most. The time for annual security theatre has passed.

Resilience comes from constant preparation, and constant preparation requires constant attack.