A call for cyber resilience from the NCSC Annual Review 2025

The NCSC’s Annual Review 2025 – “It’s time to act” lays out a sharp reminder that cyber risk has graduated from the back-office to the board room. At the South West Cyber Resilience Centre, we see this as a timely wake-up call, especially for organisations across the region whose operations depend on cyber resilience.

1.      The threat is rising, and it’s everywhere

A key message of the Review is that threat actors driven by state-sponsored intent, hacktivism, ransomware and AI-assisted tactics are intensifying in frequency, scope and impact. The NCSC reports that nearly half of all incidents handled were of national significance, and that “highly significant” incidents increased by 50 % over the previous year. For regional businesses and infrastructure that we support in the South West, this means you are very much in scope. No organisation is immune.

2.      Cyber resilience at scale must become part of everyday business

Chapter 2 of the Review emphasises resilience: not just preventing attacks, but planning for response and recovery, and embedding cyber into the operational fabric of organisations. The NCSC says many organisations still wait for a breach before acting, but by then it may be too late. The message for our region: take proactive steps now. Use frameworks such as Cyber Essentials and ensure recovery planning is in place.

3.      Technology is evolving fast. Keep ahead of it.

The Review turns to emerging issues: the future of digital identity, migrating to post-quantum cryptography, the role of AI in both threat and defence. AI is no longer simply a theoretical threat-vector: the NCSC warns that adversaries are using large language models to automate spear-phishing, exploit discovery, and data exfiltration. For the South West region, which nurtures many SMEs, start-ups and public-sector partners, this means awareness, investment and strategic planning are essential. Defence isn’t optional.

4.      It’s not “someone else’s problem”

One of the strongest themes is collective responsibility: government, industry, academia, small businesses, and citizens all play a role. From our vantage at SWCRC, this rings true: cyber resilience is not just for large organisations. Local authorities, SMEs, infrastructure operators, charities: all must participate. We encourage organisations in the South West to engage with our programmes and existing guidance from the NCSC. We also note the NCSC’s invitation: “All business leaders need to take responsibility for their organisation’s cyber resilience.” That must translate into action.

5.      What this means for organisations in the South West

• Review your cyber security now: ensure senior leadership understands cyber risk as operational and strategic, not just IT.

• Conduct or refresh resilience planning: “What if our systems go down for 24-48 hours?” “What if ransomware hits us tomorrow?”

• Prioritise patching vulnerabilities and updating systems: the Review highlights how vulnerabilities are still being exploited in older systems.

• Embrace collaboration: incident sharing, threat-intelligence exchange, peer networks. We at SWCRC can help connect organisations.

• Look ahead: technologies such as post-quantum crypto, digital identity frameworks and AI-resilience will matter soon. Assess your roadmap now.

Final thoughts

 The 2025 Annual Review from the NCSC is not just a report: it is a call to action. For the South West region, the implications are clear and the landscape is shifting, threats are increasing and doing nothing is not an option. The South West Cyber Resilience Centre stands ready to support you: whether you are a small business, a public-sector partner or a charity, we can help you turn this call into real-world progress.

Because to borrow the NCSC’s refrain: It’s time to act.