In his first major speech since joining the organisation in April, Richard Horne, new National Cyber Security Centre CEO, noted how our dependence on technology is being used against all organisations to cause “disruption and destruction”. He also called on organisations to put NCSC guidance and advice into practice across the board, and that the risks facing the UK are widely underestimated. 

As if to prove his point, a ransomware gang has claimed to have stolen 1TB of data from Deloitte UK, something the firm denies. “We are aware of the claims by the threat actor,” the firm said in a statement. “Our investigation indicates that the allegations relate to a single client’s system, which sits outside of the Deloitte network. No Deloitte systems have been impacted.”

As always, this is not restricted to the UK. At the beginning of December, officials from the FBI and Cybersecurity and Infrastructure Security Agency urged the public to move communications onto encrypted apps. 

It followed what looks to be one of the largest compromises in the country’s history, focused on telecommunication companies such as AT&T and Verizon with officials blaming the Chinese state. 

The attack seems to have given hackers access to phone call metadata, particularly around Washington DC, plus access to specific live phone calls and systems that are used by law enforcement to track communications. 

We have seen a prevalence of supply-chain attacks and major disruptions from the reliance on supply chains. This includes the infamous CrowdStrike impacting millions of Microsoft machines due to a poor patch; the cloud provider Snowflake breach leading to 30m records of Santander customers being stolen; and the cyber attack that caused disruption to NHS blood transfusions. Alongside targeting suppliers rather than firms, attackers are becoming more sophisticated at: 

• using AI to help craft phishing emails and generate deepfakes for scamming or spreading disinformation – what once would have been technically challenging is now much more accessible. It is likely that much of the training for detection of suspicious emails may become somewhat obsolete;
• learning to keep their activity within existing tools and processes within the system, therefore concealing suspicious activity to hide from more traditional monitoring tools; and 
• putting people into positions where they have to make hasty decisions that compromise security or provide key information. 

The World Economic Forum has estimated that cybercrime cost the global economy $8tn this year and the NCSC estimated that global ransomware payments alone will have topped $1bn. To stay ahead, organisations should consider implementing the controls from Cyber Essentials – those that do are 92% less likely to make a claim on their cyber insurance than those that don’t.

NCSC resources for your organisation

This year saw a number of resources published or updated by the NCSC that you and your organisation should be aware of and are encouraged to use: 

• Cyber Action Plan: a questionnaire aimed at small businesses that can be completed online in under five minutes and results in tailored advice for businesses on how to improve their cyber security.
• Cyber Advisory Scheme: for small and medium-sized organisations across the UK aiming to improve their basic cyber security and avoid the disruption caused by some of the most common cyber attacks.
• Updated version of Cyber Essentials: a government-backed self-assessment and certification scheme aimed at individuals in organisations that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks. There are updated requirements for IT infrastructure for firms that are certified against the Cyber Essentials standard, which will take effect on 28 April 2025. 
• Cyber Security Playbook: provides support and guidance for local authorities on how to keep ‘smart cities’ safe from threats.
• 10 steps to cyber security guide: aimed at businesses developing an AI tool, this provides 10 steps that should be applied in the early and developmental stages of AI tools, systems and services to avoid situations in the future where security may need to be retrofitted.
• Email security check and Check your cyber security services: these allow small businesses to perform a range of simple online checks using the same publicly available information that is commonly used by cyber criminals.
• Building a security operations centre: a resource to help organisations set up a security monitoring capability in line with their level of threat and available resources.
• Cyber Security Toolkit for Boards: a toolkit that is designed to help board members, including the CFO, govern cyber risk more effectively.