Tuesday 14th October was a big day for the UK’s National Cyber Security Centre (NCSC). The organisation, part of GCHQ, published its full annual cyber security report, “It’s Time to Act”, and, interestingly, sent an open letter to UK leaders signed by three Cabinet Ministers, the Chancellor of the Exchequer, the CEO of the National Cyber Security Centre, and the Director General of the National Crime Agency.
The number of serious and complex cyber incidents reported to the NCSC has increased dramatically so far in 2025, affecting businesses, public services and people’s lives. It was only a few weeks ago that successful cyber-attacks significantly disrupted business operations at Jaguar Land Rover (JLR), which was closely followed by highly publicised attacks on three British retail icons: Marks & Spencer, Harrods, and the Co-op.
This wave of attacks ranges from nation-state actors and sophisticated cybercriminal gangs through to lesser-skilled criminals who buy malware from Ransomware-as-a-Service operators.
Furthermore, the impact of geopolitics is being played out in Security Operations Centres (SOCs) up and down the country. At Quorum Cyber, we are the front line, and we are working with allies across the globe to defend the UK, democracy, and our very way of life.
This is the ninth report from the NCSC; however, unlike previous editions, this one feels far more significant. It is as though Richard Horne, CEO of the NCSC, had slapped the table, stood up in front of the country and said, “Enough is enough. It’s time to act.”
The letter to UK leaders and three steps for boards
As part of the NCSC’s public messaging, ministers and cyber security bodies issued an open letter to CEOs and board chairs, especially among the FTSE 350 and major UK institutions. It is designed to make leaders sit up, listen and take action. The letter includes three prescribed steps that boards should take:
| Step | Description |
|---|---|
| 1. Use the Cyber Governance Code of Practice | Boards and directors are encouraged to adopt the government / industry standard Cyber Governance Code of Practice, which outlines critical actions for board oversight of cyber risk. |
| 2. Sign up to the NCSC’s Early Warning Service | The letter urges organisations to subscribe to the NCSC’s early warning / incident notification service, which provides alerts, threat signals, and timely intelligence. |
| 3. Ensure supply chain compliance with Cyber Essentials | Boards are instructed to require their organisation and every relevant supply chain entity to adhere to the Cyber Essentials standard, ensuring baseline cyber hygiene across partners. |
The board should own cyber risk
It is really important to understand that these steps are framed as baseline governance obligations, not optional extras, and are meant to elevate cyber resilience into the realm of board accountability. Cyber security professionals have always known that cyber risk has to be owned by the board. It is ultimately the board’s responsibility to provide the tools and resources for protecting the business.
The buck stops with the board, and it is very welcome that the advice from the NCSC is for companies to discuss cyber security risk as a regular agenda item. The Cyber Governance Code of Practice provides advice to get people started; however, making this an optional code allows organisations to ignore their responsibilities, and it may not have the teeth that the UK desperately needs. It is no longer an option not to invest in cyber security (it is time to act), so why is this not baked into legislation?
This means it is now critical for the Chief Information Security Officer (CISO) to report regularly to the board – and to talk in the board’s language, a subtle and important skill to learn.
The key shift is from trying to prevent every cyber attack to assuming breach and being ready to recover – a focus on engineering resilience (see our CISO’s blog on resilience engineering). It is now a reality that CISOs and CIOs are no longer judged on whether the organisation is being attacked, but on how quickly it can recover – and let’s hope it is in hours, not weeks.
Take the right actions, ask the right questions
New measures on resilience and backup recovery will help here, as will boards asking the following questions:
- When was the last time you practised a recovery of critical gold systems from scratch?
- When did you last test failover across the network, and did you test that you can fail over to the secondary recovery site?
- Do you have a recovery site?
- Are your backups immutable?
- Have you tested backups?
- Do you know the location of break glass keys and accounts?
- Can you get to your recovery plans if all systems are out?
Access to the NCSC’s early warning service helps boards and their teams stay ahead of emerging threats. But they must also operationalise the alerts – not leave them to be ignored by technical teams.
Early warning services and Cyber Essentials – a word of caution
The NCSC’s service is not the only one in operation, and whilst it is useful for small and medium enterprises (SMEs), there is a concern over its capability for timely intervention, and it is not clear that the NCSC has the resources to handle the increase in demand now placed firmly on its shoulders. There are plenty of threat intelligence early warning systems, and relying on one broad service aimed at SMEs may not be advisable. For a CISO, multiple information sources are critical, so yes, add the NCSC services, but it is advisable to sign up to others as well and cover the whole spectrum of your organisation’s sector and threat intelligence.
The emphasis on Cyber Essentials for organisations and supply chains reflects the concern that adversaries will likely infiltrate via third parties, and asking those third parties to meet a basic cyber security standard is welcome.
Cyber Essentials covers the basics; it is something of an on-off switch for vulnerabilities and is assessed once per year. So, although having the minimum in place is good, only checking this once per year is very outdated. We now live in a world where vulnerabilities need to be managed continuously through an extended detection and response (XDR) service – resting on your laurels until the moment of renewal is not an option.
Many of the larger, more complex organisations cannot possibly resolve all vulnerabilities across all computers, and surely a risk-based approach with a defence-in-depth capability, such as NIST and ISO 27001, is more appropriate. It is disappointing that the NCSC’s letter to businesses is aimed at the FTSE 350 when Cyber Essentials is not designed for the majority of them.
For supply chains – and whilst it is true the defensive perimeter must now include vendors – there are some critical vendors who will not be able to comply with Cyber Essentials, so a risk-based approach to the supply chain is going to be required for most organisations.
Whilst getting the basics right – for example, endpoint detection and response (EDR) and vulnerability management, managed detection and response (MDR), security incident tooling, multi-factor authentication (MFA) and backups – matters, most FTSE 350 companies are likely to already have these in place, and approaching cyber security from a threat and risk perspective is far more important to keeping the UK safe.
Conclusion
It is very welcome that the NCSC has stood up and is now making the board responsible for cyber security across organisations in the UK. I agree that a basic security standard is really important; however, I remain unconvinced, especially for the larger FTSE 350 companies, that Cyber Essentials is going to be the magic silver bullet that gets organisations out of jail. Here are three steps to think about when improving cyber resilience.
- Get the basics right.
- Continuously scan for vulnerabilities – a good EDR tool (for example Microsoft Defender) with suitable coverage across the network and endpoints is essential. Then resolve the findings regularly. This is the surest way to reduce the risk.
- Keep up with regular patching cycles.
- Invest in an MDR and get Security Operations teams to work together to strengthen security health. An XDR solution would help as well, as it combines valuable intelligence from both EDR and MDR solutions.
- Implement multi-factor authentication – across networks and applications.
- Implement passkeys.
- Reduce local admin, system admin and domain admin accounts to a minimum, ideally removing them entirely. Invest in PIM and/or PAM solutions and consider just-in-time access instead.
- Run regular backups and make sure they are immutable.
- Practise resilience – you are only ever going to be judged by how quickly you recover. This includes recovering from scratch as well as running regular resilience checks across the network layers.
For further information, please contact [email protected], who leads Quorum Cyber’s customer facing cyber teams in the UK.