Senior Execs Falling Short on Cyber-Attack Preparedness, NCSC Warns

by CybrGPT

Senior executives must do better to prepare for almost inevitable future cyber-attacks and cannot rely on government alone for protection, the UK government has warned.

UK Security Minister, Dan Jarvis, today warned that cybersecurity has remained a concern for middle management “for too long” and “only gets escalated to the seniors in a crisis.”

“The UK government is creating a strong partnership on cybersecurity, as we have shown through our work on Jaguar Land Rover, but I am clear that businesses cannot be protected by government alone,” he said, speaking at the National Cyber Security Centre’s (NCSC) headquarters in London on October 14.

Richard Horne, the NCSC’s director, stressed: “Ask any organization that’s experiencing a crisis such as a ransomware attack: ultimately, the CEO and the executive committee and other board members will have to run the crisis management.”

“The time to act is now. Every leader, whether you’re one person at your kitchen table or the boss of thousands of people, you must have a plan to defend against criminal cyber-attacks and you must have a plan for continuity. You must know how to keep going without your IT systems should a cyber-attack get through,” Horne continued.

These warnings came as the NCSC’s 2025 Annual Review, published on October 14, showed record-high numbers of “nationally significant” cyber incidents, with 204 events of such impact between September 2024 and August 2025, of which 18 were “highly significant”.

To prompt senior executives to better prepare for cyber threats, the preamble of the NCSC’s Annual Review included a letter from one CEO whose company suffered a high-profile cyber-attack earlier this year.

In this letter, Shirine Khoury-Haq, CEO of the Co-op Group, said: “The buck stops with us as senior leaders. Please continue to consider the best route to protecting your business, but also the best means to defend against an attack, including supporting customers and colleagues, at every possible stage.”

The Co-op revealed in September that it has lost approximately £206m ($277m) in revenue as a direct result of the cyber-attack it experienced earlier in 2025. Credit: Richard M Lee / Shutterstock.com

UK Government Urges FTSE 350 CEOs to Strengthen Cyber Defenses

The UK Security Minister also announced that a letter has been sent to all CEOs of FTSE 350 companies, imploring them to better recognize cyber threats.

The message strongly recommends that organizations keep physical copies of their cyber incident response plans at the ready, warning that digital-only preparations may fail in a crisis.

This letter was signed by Jarvis alongside other government ministers including the Chancellor of the Exchequer, Rachel Reeves; Business Secretary, Peter Kyle; Technology Secretary, Liz Kendall; as well as the heads of the NCSC and the National Crime Agency (NCA).

Speaking to Infosecurity, Jonathan Ellison, the NCSC’s director of national resilience, added that the letter also refers to the need for CEOs to think about their supply chain. He pointed to Cyber Essentials as one of the ways in which CEOs can ensure that the companies in their supply chain have sufficient cybersecurity in place.

Introduced in 2014, Cyber Essentials is a voluntary UK government-backed certification scheme that aims to provide organizations with basic controls they should implement to mitigate the risk from common internet-based threats.

Cyber Essentials Uptake Still Too Slow

Despite Ellison imploring firms to consider Cyber Essentials, uptake of the scheme has been relatively slow. This has previously been highlighted by the NCSC as a marker of UK business leaders’ reluctance to invest in foundational cybersecurity protections.

In May 2025 at CYBERUK in Manchester, Ellison warned that while 35,000 UK organizations hold the Cyber Essentials certification, this was still far too few. He noted that there are 5.5 million businesses in the UK, so the number of those which have completed Cyber Essentials “is nowhere near where we need to be.”

Today, the NCSC’s 2025 Annual Review noted that this number has reached 39,790 businesses.

Source: Annual Review 2025, UK's National Cyber Security Centre (NCSC)

Speaking to Infosecurity, Ellison highlighted that 2025 “will mark our biggest year in terms of new Cyber Essential certifications attributed to businesses.” However, he reiterated that it is still “not enough.”

He suggested two primary reasons for the slow uptake: “First, for some companies, cybersecurity feels overwhelming. We need to help them take manageable steps enabling them to start this journey. Then, there is the issue of supporting organizations, so we’ve been growing the number of certification bodies and cyber advisors across the country.”

NCSC Launches Cyber Action Toolkit

Two new NCSC services could help accelerate the uptake of Cyber Essentials, Ellison highlighted.

First, in April 2025, the agency launched a Cyber Governance Code of Practice and Cyber Governance Training program designed to help senior executives and board members to better understand cyber risks for their organization and their supply chain.

Then, the NCSC launched the Cyber Action Toolkit on October 14, alongside the publication of its 2025 Annual Review.

This new free, personalized cybersecurity toolset, which aims to turn cyber protection into simple, achievable steps, is primarily designed for sole traders, micro businesses and small organizations.

However, Ellison believes the tool can also be “a pathway to Cyber Essentials”, helping businesses to make more easily achievable steps towards “the minimum cybersecurity standard that we think companies should make.”

© 2025 cybrgpt.com – All rights reserved.