NCSC Annual Review 2025
The NCSC Annual Review 2025 documents a clear escalation in sophisticated state-aligned and criminal cyber activity, major disruptive incidents affecting critical services and commerce, and a strategic pivot toward resilience at scale—through programmes like Early Warning, Active Cyber Defence, CAF v4.0, PQC migration and Crypt‑Key modernisation. It couples hard metrics (1,727 incident tips → 429 supported incidents, 48% nationally significant; 1.2m takedown removals; 13,178 Early Warning subscribers) with policy and technical roadmaps (PQC timelines, AI security, passkeys) that push governance to board level and emphasise engineering resilience. #NCSC #GCHQ #EarlyWarning #TakedownService #CryptKey #MarksAndSpencer #Synnovis #CoopGroup #PDNS #CAF4

Keypoints

  • Typical structure of an annual national cybersecurity review: front matter (forewords, ministerial messages), an executive summary and “at a glance” metrics, a threat landscape chapter, incident management and case studies, resilience/defence capability chapters, services and tools overview, sector-specific interventions, guidance & standards, research and innovation activity, and a forward-looking recommendations/timeline section.
  • Front matter sets strategic tone: CEO, ministerial and allied agency messages emphasise that cyber risk is a board-level, economic and national-security issue, not just an IT problem.
  • The threat landscape chapter usually details actor types (nation-state, organised cyber crime), high-level trends (destructive intrusions, supply chain targeting, exploitation of legacy systems) and geopolitical drivers for cyber operations.
  • Incident management section explains intake and triage processes, and presents operational metrics to quantify demand on national responders and severity of incidents.
  • Resilience and engineering chapters focus on practical mitigations (Zero Trust, segmentation, immutable backups, resilience engineering, crisis preparedness) and explain how to translate guidance into operational continuity and recovery planning.
  • Services and Active Cyber Defence (ACD) sections document defensive tooling (Early Warning, Takedown, Share and Defend, PDNS, Mail Check, Web Check, SERS) and adoption metrics that demonstrate scale and impact.
  • Standards, assurance and industry engagement sections describe assurance schemes (CAF, CHECK, CyAS, Cyber Resilience Audit, Cyber Essentials) and how they create market signals for secure products and services.
  • Research, innovation and workforce chapters cover AI security, post-quantum cryptography (PQC), Crypt‑Key developments, NCSC for Startups, CyberFirst/education and collaborations (LASR, international partnerships) that prepare future capability.
  • Timeline and policy actions list notable milestones and launches (e.g., Secure Innovation guidance, Cyber Governance Code, CAF v4.0, PQC guidance) to show programmatic delivery across the year.
  • Operational metrics: NCSC Incident Management received 1,727 incident tips, triaged to 429 incidents requiring support; 48% (204) were nationally significant and “highly significant” incidents rose by ~50% year-on-year (4% of incidents classified as highly significant).
  • Early Warning scale and impact: 13,178 organisations signed up; 316,343 alerts sent to customer IPs in the year; ~131,000 reports sent to IPs of ~1,350 organisations suspected of compromise; ~187,000 IP addresses (4,030 organisations) received vulnerability reports.
  • Takedown and Share & Defend outcomes: 1.2 million cyber-enabled commodity campaigns removed; 26,000+ phishing campaigns targeting government disrupted; 79% of confirmed phishing attacks targeting HMG resolved within 24 hours; 50% of takedowns completed within one hour (improvement from ~4 hours previously); Share and Defend blocked millions of attempts to access scam sites.
  • Mail Check and Web Check adoption: Mail Check used by 13,193 organisations, 402,796 domains scanned, ~1,014,887 urgent/advisory alerts; Web Check used by 4,624 organisations, 133,913 domains/URLs scanned, ~569,467 alerts.
  • Suspicious Email Reporting Service (SERS): over 10.9 million reports in the year and over 45 million reports since 2020; ~412,000 malicious URLs removed since 2020—showing significant public engagement and takedown throughput.
  • Sector impacts and case studies: major incidents on retail and automotive (Marks & Spencer, Jaguar Land Rover, Co-op Group) highlighted real-world disruption and commercial loss—M&S costs estimated >£300m; Synnovis ransomware caused ~£32.7m in costs, outsized relative to company profits and contributed to healthcare disruption and at least one reported patient death.
  • Critical National Infrastructure (CNI) emphasis: priority to close the gap between sophisticated threats and defensive maturity via TiSP threat intelligence, threat hunting workshops, sector-specific interventions, and preparatory work for the Cyber Security and Resilience Bill.
  • Resilience engineering and operational guidance: recommendations to adopt infrastructure-as-code, immutable backups, segmentation, Privileged Access Workstations (PAWs), least privilege, observability/monitoring, chaos engineering, duplicated critical stacks, and exercised crisis runbooks.
  • Regulatory and assurance evolution: CAF v4.0 updates include attacker methods & motivations, secure software for essential services, enhanced monitoring/threat hunting, and AI risk coverage—CAF now used across UK regulators and government assurance programmes.
  • Cryptography and PQC migration: NCSC timelines published—initial migration plan by 2028, migrate highest-priority services by 2031, complete migration by 2035; pilot PQC consultancy scheme onboarded initial assured providers; RFC guidance contributed to global PQC terminology.
  • Crypt‑Key and defence investment: Crypt‑Key remains a core national capability; Joint Crypt Key Programme (JCKP) is a multibillion-pound programme (c.£2.6bn) to modernise keying and protect defence platforms, with new secure key management and international interoperability efforts.
  • AI security and autonomous defence: LASR operationalised with research on secure federated learning, attack/defence taxonomies, agentic AI risk work, an AI Security Code of Practice and international standardisation engagement; experiments and roadmaps for autonomous defensive agents and human-AI teaming are underway.
  • Authentication and identity shift: active push for passkeys and passwordless adoption, GOV.UK Wallet pilots, and guidance to accelerate move away from passwords for systemic risk reduction; digital identity guidance focuses on registration, authentication, management and secure channels.
  • Industry assurance and market shaping: growth in assured suppliers—CHECK (54 companies, ~2,684 pentests), Cyber Incident Response (46 providers), Cyber Resilience Audit (17 providers), Cyber Essentials ecosystem (402 Certification Bodies, 934 Assessors); new Cyber Resilience Test Facilities and CyAS scheme launched to raise supply-side capacity.
  • Education, workforce and ecosystem effects: CyberFirst reach expanded (hundreds of thousands engaged; £41.4m social value in 2024–25), NCSC for Startups supported ~70 startups raising >£550m, i100 and Industry 100 secondees amplify private sector expertise inside NCSC, and CYBERUK 2025 demonstrated community scale (3,134 attendees, £2.3m local boost).
  • Recurring themes and strategic takeaways: a) threats are increasingly state-capable and destructive; b) attackers exploit legacy systems and operational interdependence; c) defensive posture must scale through automation, sharing and assurance; d) governance must shift to boards and regulators; e) investment in cryptography, AI security, identity and assurance ecosystems is essential; and f) transparency (SBOM/“radical transparency”) and supply-chain visibility are critical to tipping decisions in favour of defenders.
  • Actionable recommendations typically highlighted: adopt CAF v4.0, register for Early Warning and ACD services, exercise incident response annually, plan and resource PQC migration now, accelerate passkey adoption, implement resilience engineering patterns, and use NCSC‑assured providers for incident response and assurance work.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)
