When Six Ministers Co-Sign a Letter to Your CEO, It's Time to Listen

Right. Let's talk about something that should have every business leader in the UK paying attention. When the Chancellor of the Exchequer, three Cabinet Ministers, the CEO of the National Cyber Security Centre, and the Director General of the National Crime Agency personally co-sign a letter dated 13 October 2025 to business leaders, you don't file it away with the rest of your corporate correspondence. You read it. Then you act on it.

Because here's the thing: this isn't another government warning that you can safely ignore while you get on with the "real" work of running your business. The NCSC handled 204 nationally significant cyber incidents over the past year, with 18 classified as "highly significant." That's a 50% increase in highly significant incidents for the third consecutive year. When nearly half of all incidents handled by the NCSC are nationally significant, we're not talking about isolated problems anymore. We're talking about a fundamental threat to how British businesses operate.

And before you think this is just big enterprise problems that don't affect you, let me stop you right there. Empty shelves at Marks & Spencer. Healthcare disruption that contributed to at least one patient death. The Co-op CEO writing about the "significant impact" of a cyber attack on colleagues and members. These aren't abstract threats in a government report. These are real businesses, real disruptions, and real costs that are changing how we think about cyber security in the UK.

The Numbers That Should Keep You Up at Night

The NCSC received 1,727 incident tips over the past year. They triaged those into 429 incidents requiring support from their Incident Management team. Of those 429 incidents, 204 were nationally significant. That's 48% of all incidents. Think about that. Nearly half of everything the NCSC deals with is serious enough to threaten essential services, the economy, or a large portion of the UK population.

And those 18 highly significant incidents? Those are attacks "having a serious impact on central government, UK essential services, a large proportion of the UK population, or the UK economy." We're not talking about someone's website going down for an afternoon. We're talking about attacks that affect how millions of people live their daily lives.

Dr Richard Horne, the CEO of NCSC, put it bluntly: "Over the last year, cyber attacks on household brands have brought the NCSC's work to the forefront of public consciousness. Empty shelves and stalled production lines are a stark reminder that cyber attacks no longer just affect computers and data, but real business, real products, and real lives."

He's right. When Marks & Spencer gets hit with ransomware and the estimated cost to the company and its insurers exceeds £300 million, that's not an IT problem. That's an existential business threat. When a ransomware incident at pathology services provider Synnovis leads to significant clinical disruption across London, costs £32.7 million (far outstripping their £4.3 million profit for 2023), and contributes to at least one patient death, we're talking about cyber attacks that cost lives, not just money.

The Supply Chain Problem Nobody Wants to Talk About

Here's where it gets personal for every business reading this, regardless of size. The ministerial letter points out that just 14% of UK businesses assess the cyber risks posed by their immediate suppliers. Fourteen percent. That means 86% of UK businesses are running blind on one of their most significant cyber vulnerabilities.

Supply chain cyber attacks are creating domino effects across the economy. When one company in a supply chain gets compromised, it doesn't just affect that company. It affects every business that depends on them, every customer they serve, and every partner they work with. It's like a digital contagion that spreads through business relationships.

And let's be honest about what this means in practice. Your supplier gets ransomwared. Suddenly you can't fulfill orders. Your customers start looking elsewhere. Your reputation takes a hit. Your revenue drops. All because someone else didn't take cyber security seriously enough. And outage is only half the problem: a supplier with standing access to your environment (a VPN account, a remote support tool, an API key, a mailbox your staff trust) is also a route in, so a compromise on their side can become an intrusion on yours. That's the brutal reality of supply chain risk.

Three Things the Government Actually Wants You to Do

Now, I spent years at the NCSC, and I know how government communications usually work. They're long on warnings and short on practical actions. But this letter is different. The government has laid out three specific, actionable requests that will genuinely improve your cyber resilience:

1. Make Cyber Risk a Board-Level Priority

The government has developed a Cyber Governance Code of Practice with industry leaders. It sets out critical actions boards and directors should take to govern cyber risk effectively. And they've provided free training that all board members are encouraged to complete.

Here's what this means in practice: cyber security can't just be your IT manager's problem anymore. Executive and non-executive directors need to prioritize this and ensure it's considered in strategic decision-making. Not all cyber attacks can be prevented (anyone who tells you otherwise is selling you something), so a critical part of good governance is rehearsing how you would respond to a major incident.

You need to plan and exercise how you would continue operations and rebuild following a destructive cyber incident. Not "if" it happens. "When" it happens. Because the statistics are clear: the question isn't whether you'll face a cyber incident, but when, and whether you'll be prepared for it.

2. Sign Up to the NCSC's Early Warning Service

This one's straightforward and free. The NCSC's Early Warning service checks the IP addresses and domains you register against the NCSC's threat feeds and tells you when they show up: signs of an active compromise (for example, a machine on your network talking to a known malware command-and-control server), your assets being associated with abuse such as scanning or spam, and internet-facing services that are vulnerable or unnecessarily exposed. That gives you time to detect and stop an incident before it escalates.

Over 13,000 organizations are already signed up. In the past year, the service sent 316,343 alerts to IP addresses belonging to customers. Not every alert is a live attack; many are exposures or early indicators, which is exactly the point. That's 316,343 chances to close a hole or cut off an intrusion before it became a crisis.

Think about what that means for your business. An early warning that a machine is already beaconing out, or that a service you forgot about is exposed to the internet, could be the difference between a minor security incident and a catastrophic breach. It costs you nothing but the time to register. The one caveat: it only covers the assets you tell it about, so keep your inventory of public IP ranges and domains complete and current, and route the alerts to someone who will actually read them.

3. Require Cyber Essentials in Your Supply Chain

Remember that supply chain problem we talked about? Here's how you start fixing it. Cyber Essentials is a government-backed scheme that certifies organizations have key cyber protections in place to prevent common cyber attacks. It covers five technical controls: firewalls, secure configuration, security update management, user access control, and malware protection. The basic level is a verified self-assessment; Cyber Essentials Plus adds independent testing of the same controls. It's the minimum cyber security standard businesses should seek to obtain.

And here's a statistic that should make every finance director pay attention: organizations with Cyber Essentials are 92% less likely to make a claim on their cyber insurance. Ninety-two percent. That's not a marginal improvement. That's a fundamental reduction in risk. One caveat when you rely on a supplier's certificate: it shows the controls were in place for the assessed scope at the time of assessment, and certificates expire after twelve months, so check what was in scope and when it was last renewed.

The government already requires most of its suppliers to meet Cyber Essentials standards. They're asking business leaders to embed the same requirements across their own supply chains and implement the Cyber Essentials technical controls on their own systems.

What This Actually Means for Your Business

I know what you're thinking. You're busy. You've got a business to run. You don't have time to become a cyber security expert. You certainly don't have an enterprise-level budget for cyber security.

I get it. I come from a working-class background in Glasgow. I understand the real-world constraints small businesses face. But here's the thing: you don't need to become a cyber security expert, and you don't need an enterprise-level budget. You just need to take these three actions seriously.

More than 90% of company boards now recognize cyber security as a critical priority. That recognition is important. But as the ministerial letter points out, "We now need to convert this priority into concrete actions to fully address vulnerabilities and enhance resilience."

Recognition without action is just expensive awareness. And in the current threat environment, expensive awareness will get you breached.

The Free Resources You're Not Using

Let me be very clear about something: the government has actually provided the tools, frameworks, and resources you need. Many of them are free. The problem isn't lack of resources. The problem is that businesses aren't using them.

The Cyber Governance Code of Practice? Free, with free board training at ncsc.gov.uk/cyber-governance-for-boards.

The NCSC Early Warning service? Free. Just register at MyNCSC.

Cyber Essentials certification? Not free, but affordable even for small businesses, and it makes you 92% less likely to make an insurance claim.

The NCSC Cyber Assessment Framework (CAF) v4.0? Free tool to improve cyber resilience for critical services.

The Cyber Action Toolkit? Free, personalized cyber security solution for sole traders, micro businesses, and small organizations.

The resources are there. The question is whether you'll use them before you become part of next year's incident statistics.

What Happens If You Don't Act

Let me paint you a picture of what "not acting" looks like in practice. I'm drawing from real incidents I've worked on, both during my time at the NCSC and in commercial roles.

Day 1: You get a call at 6am. Your IT systems are encrypted. There's a ransom note on every computer. Your business has stopped.

Day 2: You can't fulfill orders. You can't contact customers. Your staff are sitting idle because they can't access any systems. Your revenue is zero, but your costs haven't stopped.

Day 3: Customers are getting angry. Some are going to competitors. Your reputation is taking damage on social media. The press is asking questions.

Week 2: You're starting to understand the full scope. Not just the ransomware, but months of data exfiltration. Customer data. Financial records. Intellectual property. All stolen.

Week 4: The regulators are involved. The ICO wants to know why your data protection wasn't adequate, and whether you met the 72-hour deadline under UK GDPR for notifying them of a reportable personal data breach. Your customers want to know why their data was compromised. Your board wants to know how this happened.

Month 3: You're still recovering. Some systems are back up. Many aren't. You've lost major customers. Your insurance is covering some costs, but not all. Your business may not survive.

That's not a hypothetical. That's what happens when businesses don't take cyber security seriously until it's too late. And it's happening with increasing frequency across the UK.

The Bottom Line

Richard Horne, the NCSC CEO, said something that every business leader needs to internalize: "Cyber security is now critical to business longevity and success. It is time to act."

Not time to think about it. Not time to add it to next quarter's strategic review. Time to act.

The ministerial letter makes it clear: "Cyber resilience is a critical enabler of economic growth, so getting this right will promote growth and foster a stable environment for investment and innovation."

Getting it wrong? Getting it wrong means you're taking unnecessary risks with your business's future, your customers' data, your employees' livelihoods, and potentially even people's lives (as the Synnovis incident tragically demonstrated).

Dan Jarvis MBE MP, Minister for Security, put it simply: "Cyber security has never been more pivotal to our national security and our economic health."

Anne Keast-Butler, Director of GCHQ, gave the most practical advice: "Don't be an easy target; prioritize cyber risk management, embed it into your governance, and lead from the top."

What to Do This Week

Forget long-term strategic planning for a moment. Here's what you can do this week:

Today: Read the full ministerial letter. Understand the threat landscape. This isn't optional background reading. This is understanding the environment your business operates in.

This Week: Sign up for the NCSC Early Warning service. It's free and takes less than an hour. Go to MyNCSC and register. There's no excuse for not doing this.

Also This Week: Check if your board has cyber security as a standing agenda item. If it doesn't, add it. And not as "any other business" at the end. As a regular, substantive agenda item with proper discussion time.

Before Friday: Verify that you have multi-factor authentication enabled across critical systems. Start with the accounts attackers go for first: email, remote access (VPN and remote desktop), cloud and tenant admin consoles, and any account with administrator rights, including service and break-glass accounts that everyone has forgotten about. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) over SMS codes wherever you can. If you don't have MFA on these, you're essentially leaving your front door unlocked and wondering why you keep getting burgled.
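"Verify MFA across critical systems" is only a real check if someone actually enumerates the accounts. The script below is an added example (not from the original article, the ministerial letter, or the NCSC): it audits an identity-provider user export and ranks accounts by how exposed they are. The column names, role keywords and the embedded sample export are assumptions constructed for illustration; real exports (Entra ID, Okta, Google Workspace) use different field names, so map them before use.

```python
"""Audit an identity-provider user export for accounts missing MFA.

Added example, not code from the original article or from the NCSC.
Assumes a CSV export with columns: username, roles, enabled, mfa_methods
(semicolon-separated), last_login. Real IdP exports differ; map the fields.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export for illustration only; not real accounts.
SAMPLE_EXPORT = """\
username,roles,enabled,mfa_methods,last_login
alice@example.com,Global Administrator,true,fido2;authenticator,2025-10-10
bob@example.com,User,true,,2025-10-09
carol@example.com,Exchange Administrator,true,,2025-10-12
dave@example.com,User,true,sms,2025-10-11
erin@example.com,User,false,,2024-01-03
frank@example.com,User,true,authenticator,2025-10-12
svc-backup@example.com,Global Administrator,true,,2025-09-30
grace@example.com,Helpdesk Administrator,true,sms,2025-10-08
"""

# Assumed role keywords; adjust to your directory's naming.
PRIVILEGED_ROLE_KEYWORDS = ("administrator", "admin", "owner")
WEAK_METHODS = {"sms", "voice"}                       # phishable, SIM-swappable
STRONG_METHODS = {"fido2", "passkey", "certificate"}  # phishing-resistant


@dataclass(frozen=True)
class Finding:
    username: str
    severity: str  # critical | high | medium
    reason: str


def is_privileged(roles: str) -> bool:
    """True if any assigned role name looks administrative."""
    r = roles.lower()
    return any(k in r for k in PRIVILEGED_ROLE_KEYWORDS)


def audit(export_csv: str) -> list[Finding]:
    """Return findings for enabled accounts, worst first.

    critical: privileged account with no MFA at all
    high:     unprivileged account with no MFA, or privileged with SMS/voice only
    medium:   unprivileged with SMS/voice only, or privileged without a
              phishing-resistant factor
    """
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["enabled"].strip().lower() != "true":
            continue  # disabled accounts cannot log in; review them separately
        methods = {m.strip().lower() for m in row["mfa_methods"].split(";") if m.strip()}
        priv = is_privileged(row["roles"])
        user = row["username"]
        if not methods:
            findings.append(Finding(user, "critical" if priv else "high",
                                    "no MFA method registered"))
        elif methods <= WEAK_METHODS:
            findings.append(Finding(user, "high" if priv else "medium",
                                    "only SMS/voice factors registered"))
        elif priv and not (methods & STRONG_METHODS):
            findings.append(Finding(user, "medium",
                                    "privileged account without a phishing-resistant factor"))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.username))


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    """Summary counts, e.g. for the board pack."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_EXPORT)
    for f in results:
        print(f"{f.severity.upper():8} {f.username:28} {f.reason}")
    print(count_by_severity(results))
```

Run against the sample, the two privileged accounts with no MFA (including the forgotten backup service account) come out on top as critical, the helpdesk admin on SMS-only is high, and the fully enrolled global administrator produces no finding. Swap the constructed export for your own and the critical list is your "before Friday" work.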

Next Month's Actions

Once you've handled the immediate priorities, move on to these:

Review the Cyber Governance Code of Practice with your board. Schedule the free board training on cyber governance. Actually take the training. Don't just tick the box.

Assess your supply chain. What percentage of your suppliers have Cyber Essentials? If you don't know, find out. If the number is low, start requiring it for new contracts and renewals.

Plan and book a cyber incident response exercise. Not a theoretical discussion. An actual exercise where you simulate a major incident and test whether your response plans actually work, including who can make decisions when email and the ticketing system are down. The NCSC's free Exercise in a Box is built for exactly this if you don't know where to start.

Review your business continuity and recovery plans. When was the last time you tested them? If the answer is "never" or "more than a year ago," they're probably useless.

Long-Term Strategic Actions

Finally, over the next quarter:

If you haven't already, implement Cyber Essentials technical controls. Get certified. Make it a requirement for your suppliers.

Use the NCSC Cyber Assessment Framework to evaluate your critical services. Actually work through it. Don't just read it and put it in a folder somewhere.

Document and test your recovery procedures for total environment loss. What happens if everything is encrypted? How do you rebuild? How long does it take? Do you even know? Two things to confirm while you're at it: that you hold backups the attacker can't reach from a compromised domain (offline or immutable copies), and that the credentials, licence keys and runbooks you'd need to rebuild aren't stored only inside the environment you'd be rebuilding.

Why This Matters More Than You Think

Look, I know this sounds like typical security person doom-mongering. I know you've heard warnings about cyber threats before. But this time is different, and here's why:

When the Chancellor, three Cabinet Ministers, the CEO of NCSC, and the Director General of the National Crime Agency personally co-sign a letter to business leaders, that's not routine communication. That's "we have serious intelligence about serious threats and we need you to take this seriously" communication.

When nearly half of all incidents handled by the NCSC are nationally significant, and highly significant incidents have increased 50% for the third consecutive year, that's not a temporary spike. That's a trend. And trends don't reverse themselves without deliberate action.

When attacks on household brands create empty shelves in supermarkets, disrupt healthcare to the point of contributing to patient deaths, and cost single organizations over £300 million, that's not abstract risk. That's concrete, catastrophic business failure happening to organizations that thought they were too big or too prepared to be seriously affected.

Shirine Khoury-Haq, CEO of The Co-op Group, wrote: "While you can plan meticulously, invest in the right tools and run countless exercises, nothing truly prepares you for the moment a real cyber event unfolds. The intensity, urgency and unpredictability of a live attack is unlike anything you can rehearse."

She's right. But that doesn't mean you shouldn't plan, invest in tools, and run exercises. It means you should do those things knowing that when the real attack comes, it will still be harder than you expected. And if you haven't done the preparation, you'll have no chance at all.

The Choice Is Yours

The government has provided the tools. The NCSC has provided the frameworks. The resources are available, many of them free. The threat intelligence is clear. The statistics are alarming. The real-world examples are devastating.

What you do with all of that information is up to you.

You can implement the three requests from the ministerial letter. You can make cyber security a board-level priority. You can sign up for Early Warning. You can require Cyber Essentials in your supply chain. You can take the free training, use the free tools, and follow the free guidance.

Or you can decide that you're too busy, that it probably won't happen to you, that you'll get to it eventually, that it's not really that urgent.

But understand this: when (not if) you face a serious cyber incident, nobody is going to care that you were busy. Your customers won't care. Your regulators won't care. Your insurance company won't care. And your board definitely won't care.

They'll just want to know why you didn't take reasonable steps to protect the business when the government literally sent you a letter signed by six senior figures telling you exactly what those reasonable steps should be.

Richard Horne's warning stands: "Any leader who fails to prepare for that scenario is jeopardizing their business's future... It is time to act."

Not tomorrow. Not next quarter. Not when you've dealt with more urgent priorities. Now.

Because the criminals targeting your business aren't waiting for you to be ready. They're working right now to find your vulnerabilities, compromise your suppliers, and encrypt your systems. The only question is whether you'll be prepared when they succeed.

The ministerial letter ends with this: "We are encouraged to see that more than 90% of company boards now recognize cyber security as a critical priority. We now need to convert this priority into concrete actions to fully address vulnerabilities and enhance resilience."

Convert recognition into action. That's the challenge. That's what separates businesses that survive cyber incidents from businesses that don't.

The choice is yours. Choose wisely.
