NCSC Annual Review 2025: What businesses need to know – and how to stay ahead.

Written by Martin Ferguson | 12 November 2025

A year of escalating threats and evolving defences.

The National Cyber Security Centre (NCSC)’s Annual Review 2025 paints a clear picture of a world where cyber risks are deepening and diversifying. From ransomware and supply-chain attacks to vulnerabilities in everyday cloud systems, the UK’s digital resilience is being tested on all fronts.

But it’s not all bad news. The report also highlights significant progress – particularly in public-private collaboration, better frameworks for resilience, and practical steps that every organisation can take to build a stronger security posture.

At Cloud9 Security, we’ve distilled the key takeaways from this year’s NCSC review, and explored how businesses can apply them in practice, including how Cloud9’s M365 Optimise service can help you implement essential improvements and save you time and money.

1. The cyber threat is intensifying – and no sector is immune

The NCSC’s incident-management team faced a record number of nationally significant incidents this year, with ransomware continuing to dominate. Attacks against UK retail, finance, engineering and manufacturing were especially severe, but the report stresses that “no sector is exempt”.

High-profile examples, including the DragonForce ransomware attack that disrupted Co-op Group and the £300 million fallout at Marks & Spencer, demonstrate how both data and customer trust are at stake.

Cloud9 Insight:
Even mid-sized organisations are now part of the same threat landscape as large enterprises. Proactive visibility into cloud environments, especially Microsoft 365 licensing, configuration and identity settings, is critical to prevent misconfigurations and spot vulnerable accounts before they’re exploited.

Our M365 Optimise service automates this visibility, surfacing high-risk users, unused licences and weak security controls across your Microsoft tenant. The service includes monthly reviews in which our cloud security specialists make recommendations and provide guidance on implementing enhancements.

2. Legacy systems remain a weak link

One of the NCSC’s sharpest warnings concerns the persistence of outdated infrastructure. Legacy platforms increase the cost and impact of every breach, while complicating recovery. The Review calls for “engineering resilience against critical loss” — going beyond prevention to ensure businesses can operate and recover quickly after disruption.

Cloud9 Insight:
Identifying legacy dependencies and strengthening baseline controls are fundamental to building this resilience.
M365 Optimise works as an ongoing ‘Microsoft Secure Score improvement programme’ to directly support this goal.

3. Supply-chain security and assurance are becoming non-negotiable

The NCSC spotlights supply-chain exposure as a major area of systemic risk, highlighting initiatives such as CHECK penetration testing, the Cyber Assessment Framework 4.0, and new Cyber Resilience Test Facilities for connected products. It also expands its Cyber Essentials certification programme, now delivered through 400+ certification bodies across the UK, to raise baseline hygiene standards among SMEs.

Cloud9 Insight:
Many organisations rely on managed service providers (MSPs) who, in turn, depend on a complex ecosystem of cloud vendors and resellers.
M365 Optimise complements NCSC guidance by validating Microsoft 365 configurations, access policies and MFA enforcement across clients. When the service is adopted throughout a supply chain, government-backed security standards such as Cyber Essentials Plus and Center for Internet Security (CIS) benchmarks can be met.

4. AI, post-quantum cryptography and emerging tech demand new vigilance

The NCSC emphasises that resilience is only as strong as the technology it’s built on. It is actively shaping global standards for AI security and post-quantum cryptography, warning that organisations must begin preparing now for future cryptographic migration deadlines – with milestones set for 2028, 2031 and 2035.

The Centre also launched an ETSI standard for AI security, aiming to set a benchmark for protecting AI-enabled systems.

Cloud9 Insight:
Businesses adopting AI or automating processes within Microsoft 365 need robust identity and access governance.
Through M365 Optimise, Cloud9 can ensure data-handling practices and permissions align with current and forthcoming security frameworks — mitigating risks before AI and automation scale.

5. Culture and leadership are at the heart of resilience

A strong theme throughout the Review is that cyber security is a board-level issue. Despite more incidents and guidance than ever, too many organisations still “act only after a breach has occurred”.

To drive change, the NCSC introduced a Cyber Governance Code of Practice and training for board members, designed to help leaders “govern cyber risks with confidence.”

Cloud9 Insight:
Leadership teams need highly technical data to be converted into clear, actionable insights that inform business decisions.
Cloud9’s consulting approach mirrors this shift from reactive to proactive governance. M365 Optimise includes an initial presentation of findings to senior leadership and regular monthly reviews — exactly the kind of informed oversight the NCSC advocates.

6. Practical actions NCSC urges every organisation to take

The NCSC’s core recommendations can be summarised as:

  • Get the basics right: Use tools like Cyber Essentials to establish strong foundations.
  • Assess and test: Regularly review configurations, perform simulated attack exercises and adopt CAF 4.0 where applicable.
  • Plan for recovery: Build resilience engineering principles into continuity planning.
  • Prepare for tomorrow’s threats: Include AI and PQC readiness in your long-term strategy.
  • Empower leadership: Ensure boards understand and prioritise cyber risk.

Conclusion: Turning resilience into advantage

The NCSC Annual Review 2025 makes one message unmistakably clear: cyber risk is now a core business risk. But organisations that invest in visibility, governance and collaboration can turn that challenge into a competitive advantage. At Cloud9 Security, we believe cyber resilience shouldn’t just be about defence. It should enable confidence, innovation and growth.

If you’d like to understand how your organisation measures up against the NCSC’s guidance, book a free M365 Optimise assessment today. We’ll show you where your greatest security and efficiency gains lie — and how to achieve them with minimal disruption.