NCSC 2025 Review: UK Cyber Threats, Supply Chains, and the rise of AI

It’s Time to Act: What the 2025 NCSC Annual Review Means for UK Business Leaders

Every year, the National Cyber Security Centre (NCSC) publishes its annual review — part state-of-the-nation report, part wake-up call. The 2025 edition carries a blunt message: cyber security is no longer an IT problem. It’s a boardroom responsibility.

The New Normal of Disruption

Over the past year, the UK has witnessed a wave of cyber incidents that brought household names to a standstill. When supermarket tills went down and factory lines halted, it wasn’t a software glitch — it was a cyber crisis. Marks & Spencer, Co-op, and Jaguar Land Rover were among those disrupted by attacks that rippled through their supply chains, highlighting how fragile our interconnected economy has become.

The NCSC describes this as “the new normal” — a world where cyber attacks don’t just hit individual companies, but cascade through the suppliers and service providers that keep them running. Nearly half of all incidents handled by the NCSC in 2025 were of national significance, and the number of “highly significant” attacks rose for the third year in a row.

The message is clear: if your business relies on suppliers, you are part of the target zone.

The Supply Chain Blind Spot

Despite this reality, just 14% of UK businesses reviewed the cyber risk of their immediate suppliers in the last year. That statistic — quietly buried in the NCSC’s review — should stop any leader in their tracks. It means that the vast majority of organisations are still trusting their supply chains blindly, assuming their partners are as careful as they are.

In practice, that assumption rarely holds. One vulnerable contractor, one outdated laptop, or one shared login can open the door to an attacker — not just for that business, but for everyone connected to it.

This is exactly the gap that Cyber Swift’s Supply Chain Portal was built to close. Designed by Cool Waters Cyber, it gives organisations a practical way to see and manage the cyber health of their suppliers. It connects directly to certification data — such as Cyber Essentials, IASME Cyber Assurance, or ISO 27001 — and turns it into an interactive dashboard that shows who is secure, who’s expiring, and who’s falling behind. It’s a way for leaders to turn good intentions about supply-chain security into real, trackable action.

As the NCSC points out, the government is now calling on large organisations to lead by example — improving the adoption of Cyber Essentials throughout their supply chains. Cyber Swift makes that call actionable: it lets organisations monitor and report on supplier certification, and help suppliers get certified, without adding layers of bureaucracy.

The Age of Leadership Accountability

In her contribution to this year’s review, Co-op Group CEO Shirine Khoury-Haq spoke candidly about the chaos her company faced during a recent cyber attack. Despite strong technical defences, recovery required leadership resolve, not just IT expertise. “Preparation buys you time,” she said, “but leadership determines how you use it.”

NCSC CEO Richard Horne echoes that sentiment: “Any leader who fails to prepare for a cyber incident is jeopardising their business’s future.”

That preparation now extends well beyond your own firewall. It includes the readiness of your suppliers, contractors, and partners — anyone whose systems touch yours. The NCSC’s Cyber Governance Code of Practice is designed to help boards weave that thinking into everyday decision-making. Cyber resilience isn’t about buying more tools — it’s about building the culture and accountability to use them effectively.

The Economics of Prevention

Many companies still wait until after a breach to take cyber security seriously. The NCSC calls this “waiting for the breach” — a behaviour as common as it is costly. Recovery can take months, drain budgets, and cause lasting reputational harm. In contrast, proactive measures such as Cyber Essentials certification, staff awareness training, and supply-chain assurance are affordable and proven to reduce risk.

The numbers are striking: organisations with Cyber Essentials are 92% less likely to make an insurance claim after a cyber incident. Yet too few have extended this protection across their supplier base.

This is where platforms like Cyber Swift add real-world value. Instead of chasing spreadsheets and supplier declarations, businesses can use an automated system to track who’s compliant, prompt renewals, and share results directly with stakeholders. It transforms compliance from a tick-box exercise into a living, breathing part of your governance process.
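The supplier-tracking logic described above (who is secure, who is expiring, who is falling behind, and who needs a renewal prompt) is simple enough to sketch in a few dozen lines. The following is an added illustration written for this article, not code from Cyber Swift or Cool Waters Cyber. The supplier names, expiry dates and the fixed "today" date are constructed, and the 60-day reminder window is an assumption, since the review quotes no figure; the scheme names are the ones the article mentions.

```python
from datetime import date, timedelta

# Constructed sample records for a handful of immediate suppliers.
# Scheme names follow the article; supplier names and dates are made up.
SUPPLIERS = [
    {"name": "Supplier A", "scheme": "Cyber Essentials",      "expires": "2026-09-30"},
    {"name": "Supplier B", "scheme": "Cyber Essentials",      "expires": "2025-12-15"},
    {"name": "Supplier C", "scheme": "ISO 27001",             "expires": "2025-10-01"},
    {"name": "Supplier D", "scheme": "IASME Cyber Assurance", "expires": "2026-01-20"},
    {"name": "Supplier E", "scheme": None,                    "expires": None},
]

WARN_DAYS = 60                      # assumed renewal-reminder window
DEMO_TODAY = date(2025, 11, 1)      # fixed reference date so output is reproducible


def classify(record, today, warn_days=WARN_DAYS):
    """Return 'secure', 'expiring', 'expired' or 'uncertified' for one supplier."""
    if not record.get("scheme") or not record.get("expires"):
        return "uncertified"
    expires = date.fromisoformat(record["expires"])
    if expires < today:
        return "expired"
    if expires <= today + timedelta(days=warn_days):
        return "expiring"
    return "secure"


def dashboard(records, today, warn_days=WARN_DAYS):
    """Group supplier names by status, most urgent group first."""
    groups = {"expired": [], "uncertified": [], "expiring": [], "secure": []}
    for record in records:
        groups[classify(record, today, warn_days)].append(record["name"])
    return groups


def renewal_prompts(records, today, warn_days=WARN_DAYS):
    """Suppliers to chase: expiring, expired, or never certified."""
    return [r["name"] for r in records if classify(r, today, warn_days) != "secure"]


def coverage(records, today, warn_days=WARN_DAYS):
    """Fraction of suppliers holding a certification that has not yet expired."""
    if not records:
        return 0.0
    current = sum(
        1 for r in records if classify(r, today, warn_days) in ("secure", "expiring")
    )
    return current / len(records)


if __name__ == "__main__":
    for status, names in dashboard(SUPPLIERS, DEMO_TODAY).items():
        print(f"{status:12s} {', '.join(names) or '-'}")
    print("chase:", renewal_prompts(SUPPLIERS, DEMO_TODAY))
    print(f"coverage: {coverage(SUPPLIERS, DEMO_TODAY):.0%}")
```

Run as-is it prints the grouped view for the constructed data, the three suppliers to chase, and 60% coverage. In a real deployment the `SUPPLIERS` list would be populated from certification data rather than typed in, and the reminder window would be a governance decision for the board rather than a constant.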

Building Resilience at Scale

The word that appears most often in this year’s review is resilience. The NCSC’s focus has shifted from pure prevention to the ability to operate through disruption and recover quickly. That means good backups, segmented networks, and clear recovery plans — but also trusted partners who can step in when things go wrong.

For smaller organisations, the NCSC offers free tools like its Early Warning service and Cyber Action Plan. For larger and regulated businesses, the challenge is visibility: knowing which suppliers are exposing them to risk. Cyber Swift’s Supply Chain Portal bridges that gap, giving procurement and compliance teams real-time insight into the cyber posture of their entire network.

Resilience, after all, is not a one-off project — it’s an ongoing relationship between people, technology, and trust.

The Technology Horizon

The NCSC also looks to the decade ahead, highlighting three trends reshaping the cyber landscape:

  • Artificial Intelligence: Criminals are already using AI to craft realistic phishing attacks and analyse stolen data faster than ever. Yet AI also offers defenders a way to spot anomalies and automate responses at scale.

  • Passkeys: The move away from passwords is accelerating. Passkeys — secure, device-based logins — will soon become a baseline expectation, slashing credential theft.

  • Quantum Security: Preparing for the post-quantum era isn’t science fiction. The NCSC urges all organisations to start identifying systems that rely on encryption so they can migrate to quantum-safe alternatives well before 2035.

A Call to Action

The title of this year’s NCSC review says it all: “It’s Time to Act.” That means acting within your organisation — ensuring your people are trained, your systems are protected, and your data is backed up — but also acting across your supply chain.

Because as this year’s review makes painfully clear, you’re only as strong as the weakest link in your network.

At Cool Waters Cyber, we’re helping UK businesses take that next step — from awareness to action. Through Cyber Swift, we make it easy to see your entire supply chain’s cyber readiness, manage compliance, and help your partners get certified. It’s how leaders can move from hoping their suppliers are secure, to knowing they are.

Cyber resilience has become one of the defining business issues of our time. The question for every board is no longer if a cyber incident will happen — but how ready you’ll be when it does.

About Cool Waters Cyber

Cool Waters Cyber is an NCSC Assured Service Provider and IASME Certification Body helping organisations of all sizes achieve real-world cyber resilience. Through our managed services, certification support, and our Cyber Swift supply-chain portal, we help businesses take control of their cyber security and compliance with confidence.
