NCSC: Senior Execs Unprepared for Cyber-Attacks

Summary
– The UK government warns senior executives must improve cyber-attack preparation and cannot rely solely on government protection.
– Security Minister Dan Jarvis stated cybersecurity has been delegated to middle management too long and only escalates to senior leaders during crises.
– NCSC director Richard Horne emphasized that CEOs and board members must lead crisis management during attacks and have continuity plans.
– The NCSC’s 2025 Annual Review reported record-high numbers of nationally significant cyber incidents, with 204 events in the past year.
– Co-op Group CEO Shirine Khoury-Haq stressed that senior leaders are ultimately responsible for protecting their business and supporting stakeholders during attacks.

Business leaders across the UK are being urged to take immediate and decisive action to strengthen their organizations against the growing threat of cyber-attacks. Senior executives must do better to prepare for almost inevitable future cyber-attacks and recognize that relying solely on government support is no longer a viable strategy. This call comes directly from the UK government, emphasizing that cybersecurity can no longer be treated as a middle-management issue that only reaches the boardroom during an emergency.
Speaking at the National Cyber Security Centre’s London headquarters, Security Minister Dan Jarvis highlighted the critical need for a collaborative approach. He pointed out that while the government is actively building strong cybersecurity partnerships, as demonstrated by initiatives with companies like Jaguar Land Rover, the responsibility for protection cannot fall to the public sector alone. Businesses must step up and take ownership of their digital defenses.
Richard Horne, a director at the NCSC, reinforced this message by stressing the ultimate accountability of top leadership during a security crisis. When a ransomware attack or other major incident occurs, it is the CEO, the executive committee, and board members who must lead the crisis management response. He emphasized that the time for preparation is now, not after an attack has already happened. Every leader, regardless of the size of their organization, needs a robust plan to defend against criminal cyber activity and a clear continuity strategy to keep operations running if IT systems are compromised.
These urgent warnings are backed by sobering data from the NCSC’s latest Annual Review, which reported a record number of nationally significant cyber incidents. Between September 2024 and August 2025, the agency handled 204 such events, with 18 classified as highly significant, underscoring the escalating frequency and severity of these threats.
To drive the point home for fellow executives, the review featured a personal letter from Shirine Khoury-Haq, CEO of the Co-op Group, whose company experienced a major cyber-attack. She wrote that the ultimate responsibility rests with senior leaders, urging them to not only find the best ways to protect their business but also to develop comprehensive defense and support plans for customers and colleagues at every stage.
(Source: Info Security)





