
The NCSC Annual Review 2025: A Wake-Up Call for UK Businesses 🛡️

Oct 14


The National Cyber Security Centre (NCSC) sits at the heart of the UK’s digital defence. Part of GCHQ, its mission is simple: to make the UK the safest place to live and work online. The NCSC provides free tools, guidance and threat intelligence that help organisations of every size.


One of its flagship initiatives is Cyber Essentials, a government-backed certification that helps UK businesses prove they have the essential technical controls in place to protect against the most common cyber attacks. It’s the UK’s recognised baseline for cyber security - simple, effective, and often a contractual requirement when supplying to larger organisations or the public sector.


Each year, the NCSC publishes its Annual Review, providing an updated overview and sharing how businesses can improve their defences. The 2025 edition delivers a stark message: the scale and sophistication of cyber threats are rising, and organisations that delay action are putting their operations, finances and reputations at risk.


Headline blog post image depicting the title "The NCSC Annual Review 2025: A Wake-Up Call for UK Businesses". Underneath the title is an image of a notepad listing some thought provoking questions such as "Who are the NCSC?", "What's happened in the last 12 months?", "What is Cyber Essentials?", "CE Standard or CE Plus - what's the difference?", and "How to get started".

⚠️ What does the last 12 months look like?

Over the last 12 months, the NCSC handled 1,727 incident tips, with 429 cases requiring formal support. Nearly half of these were classed as nationally significant - marking a 50% increase in serious incidents compared with the previous year.


These aren’t isolated technical events; they’re real-world business disruptions. Attacks on Marks & Spencer, Jaguar Land Rover and The Co-op Group caused supply chain issues, operational downtime and public concern. The review makes it clear: whether you’re a national retailer or in the SMB space, cyber incidents can have the same destructive impact: lost data, lost revenue, and lost trust.


Meanwhile, ransomware remains the biggest threat to UK organisations, targeting any company that can’t afford prolonged downtime. Attackers are also now using artificial intelligence to supercharge their efforts, creating more convincing phishing campaigns, identifying vulnerabilities faster, and automating post-breach exploitation.


State-sponsored attacks from China, Russia, Iran and North Korea also continue to rise, often targeting suppliers and smaller organisations as a route into larger networks. It’s another reminder that in today’s interconnected economy, every business sits within a digital supply chain - and attackers know it.

🔒 Cyber Essentials: The Starting Point for Every Business

In a year where the NCSC saw a record number of severe incidents, the Cyber Essentials scheme has never been more relevant. It provides a clear framework built around five simple but powerful controls:


  • Secure configuration

  • Access control

  • Malware protection

  • Patch management

  • Firewalls and internet gateways


Implementing these measures protects against the vast majority of common attacks - phishing, malware, ransomware, and unauthorised access.


Organisations certified under Cyber Essentials are 92% less likely to make a cyber insurance claim following an incident, according to NCSC data.


Over 39,000 UK businesses gained certification in the past year, a 17% increase, and 75% of those were renewals. Clear evidence that once businesses achieve certification, they see the value in keeping it.

🧩 Cyber Essentials vs. Cyber Essentials Plus

The standard Cyber Essentials certification is self-assessed. It demonstrates that a business understands its cyber risks and has implemented the required safeguards.


Cyber Essentials Plus takes things further, with an independent technical audit that verifies those defences in practice. It includes vulnerability scans, endpoint checks and real-world testing.


For SMBs, Cyber Essentials Plus offers more than just compliance. It provides reassurance to customers and partners that your systems have been independently validated. It’s increasingly a differentiator in tenders, insurance renewals, and partnership discussions.


Think of Cyber Essentials Plus as the MOT for your business’s digital infrastructure. A recurring check that confirms you’re roadworthy and secure.

💼 Leadership, Culture, and Preparedness

The NCSC’s review calls out one of the biggest reasons businesses still fail to act: optimism bias. Too many believe they’re “too small” or “not a target.” The reality is the opposite; smaller organisations often represent the easiest way for attackers to reach larger networks or quickly extort payment.


Cyber resilience isn’t just about technology. It’s about leadership, planning, and culture. Boards and business owners must treat cyber risk with the same seriousness as financial or regulatory risk. The Cyber Governance Code of Practice now provides a framework to help leadership teams understand, manage, and oversee cyber risk effectively.


Creating a strong security culture, where staff are trained, incidents are rehearsed, and responsibilities are clear, makes recovery faster and reduces impact when things go wrong.

🌐 Final Thoughts

The 2025 NCSC Annual Review isn’t just a warning, it’s a blueprint for action. It proves that cyber threats are growing in both frequency and sophistication, but it also shows that simple, structured steps make a measurable difference.


For UK SMBs, adopting frameworks like Cyber Essentials is the most cost-effective way to protect your data, your customers, and your reputation. It turns cyber security from a technical concern into a business advantage, demonstrating professionalism, trust, and resilience to everyone you work with.


At Mondo Cloud, we believe that cyber resilience is achievable for every business, not just the biggest ones. Because in 2025, protecting your business means protecting your future and the time to act is now.

🎯

Does this spark your curiosity?

If you’re interested in learning more about Cyber Essentials, the benefits it can bring to your business, and how to go about achieving it, don’t hesitate to get in touch!


Our experts are here to guide you through these processes. Let’s work together to ensure your business is ahead of the curve!

