Cyber attacks against UK businesses have really increased, doubling within a year, according to new figures from the National Cyber Security Centre’s Annual Review 2025. The agency, part of GCHQ, said it handled 204 nationally significant attacks between August 2024 and August 2025. A year earlier, that number stood at 89.
The NCSC said the country now faces 4 major cyber incidents every week. 18 of these were so serious that they needed a coordinated government response.
Dr Richard Horne, Chief Executive of the NCSC, said businesses can no longer treat cyber security as a side issue. “Cyber security is now a matter of business survival and national resilience,” he said. “Hesitation is a vulnerability.”
What Damage Are Companies Facing?
The past year has been really bad for British companies. Marks & Spencer reported £300 million in losses from cyber incidents, while the Co-op Group lost £206 million. Jaguar Land Rover also confirmed breaches but did not reveal the cost.
The NCSC said the financial damage tells only part of the story. Attacks have interrupted deliveries, leaked customer data and just shaken consumer confidence. Manufacturing, logistics and energy networks have all been affected, because cyber threats now touch literally every other part of the economy.
The government has written to the chief executives of all FTSE 350 companies, urging them to make cyber resilience a boardroom issue. The NCSC said that defending a business no longer falls solely on IT teams… It should be a shared responsibility across every department.
How Should Businesses Respond?
To help companies defend themselves in the cyber world, the NCSC has expanded its Cyber Essentials scheme, which gives smaller organisations free cyber insurance if their turnover is under £20 million. It also launched the Cyber Action Toolkit. which is a step-by-step guide to help small businesses strengthen their systems.
The NCSC found that businesses that recovered quickly from attacks had 3 things in common and that is… well-trained staff, clear response plans and up-to-date security systems. It said these measures can often prevent small breaches from becoming national incidents.
The review added that protecting against future attacks will take more than new software. It will require constant awareness, investment and a change in how leaders think about risk.
Ross Sinclair, CEO and founder at EIP said: “The sharp rise in cyber claims highlights how exposed UK businesses have become as cyber threats grow in both speed and complexity. Many businesses still insure their buildings, equipment and stock, yet leave the digital systems that keep their operations running underprotected. Cyber risk is now business risk. When systems fail, operations stop. Treating cyber cover as optional is no longer sustainable.
“The surge in attacks also highlights how fast-moving and indiscriminate cyber threats have become. With login credentials traded openly on the dark web, any organisation, regardless of size or sector, can be targeted. This is now a board-level resilience issue. Companies need to reassess their exposure and ensure their insurance strategy reflects the reality of how they operate today.”
With all of this, its important for companies to start viewing cyber defence and security as a part of economic security, its no longer meant to be just a n optional upgrade.
