9 min read

Four key learnings from the NCSC’s seventh annual review

The National Cyber Security Centre’s (NCSC) seventh annual review details how both public and private sector organisations must keep pace with the unpredictable threat landscape as the size and severity of cyber incidents continue to grow.

The report investigates threats to the UK’s cybersecurity and critical national infrastructure (CNI) including the emergence of state-aligned actors, the continuation of Russia’s illegal invasion of Ukraine, and the potential risks of AI.

The NCSC, part of GCHQ, warns that the UK must accelerate work to keep pace with evolving threats, and places even greater emphasis on the security robustness of the nation’s most critical sectors.

Here are our four top takeaways from the NCSC’s seventh annual review, with input from Founder and Advisor to national bodies, local providers and healthtech companies, Liam Cahill:

1. Call to action in managing cybersecurity risk

“Cyber resilience is essential to the UK’s economic and national security interests. The NCSC’s services and interventions are working to enhance the UK’s ability to prepare, respond, recover, and learn from cyber attacks, to make the UK the safest place to live and work online.” NCSC Annual Review 2023


Cybersecurity threats are increasing in number and severity. This year the NCSC saw a 64% increase in reports compared to last year, with the highest proportion of incidents resulting from the exploitation of public-facing applications. 

As a result, the NCSC states that organisations must consider cybersecurity to be of equal value to their commercial objectives, recognising that, for many, cybersecurity simply isn’t as important as day to day operations. 

While the annual review states that the NCSC doesn't believe anyone has “both the intent and capability to significantly disrupt infrastructure in the UK”, it stresses that organizations must not become lax in their cybersecurity. Improving security can take years and requires buy in from all areas of an organization, from threat detection to prevention. In this sense, prevention is better than cure on the matter of cybersecurity.

2. The threat of artificial intelligence (AI)

The report finds that, as technology develops, cyber security threats are also evolving, resulting in the exploitation of AI technology and the amplification of attacks in both speed and scale. As a result, the NCSC and wider government are aligned in activities to assess and respond to potential threats posed by AI:


“Our primary objective is to ensure that cyber security does not become a secondary consideration but is recognised as an essential precondition for the safety, reliability, predictability, and ethics of AI systems. Taking a ‘secure by design’ approach to development will help society and organisations realise the benefits of advances in AI, but also help to build wider trust that AI is safe and secure to use.” NCSC Annual Review 2023

3. Evolution and protection of critical national infrastructure (CNI)

Critical national infrastructure consists of the systems that keep the UK’s economy functioning and the government operating efficiently.

Historically, CNI referred to physical assets, such as buildings, housing, energy and infrastructure. However, the UK is now equally dependent on digital infrastructure, meaning systems underpinning communications, financial networks, and the internet. These systems, compared to physical assets, are more liable to change and are highly distributed. 

The NCSC acknowledges both the great opportunities of rapid digitalisation, as well as the risks, and an organisation's approach to managing them. For the public sector, stakeholder engagement platforms have escalated service delivery and underpin the running of our healthcare systems, schools, and local authorities. However, if one of these systems is to be impacted by either a malicious attack or even unintentional human error, service delivery is very likely to be effected.

The report highlights the need for organisations to work towards understanding how to address periods of temporary heightened threat in order to minimize the likelihood of a successful attack, as well as taking action to reduce the impact should an attack occur:

“We need to understand where organizations commonly struggle to address security challenges and how adversaries are attempting to exploit those weaknesses, so that we can work as a community to address such gaps.” NCSC Annual Review 2023

4. How to improve digital security with user-friendly tech

“We need to understand where organisations commonly struggle to address security challenges and how adversaries are attempting to exploit those weaknesses, so that we can work as a community to address such gaps.” NCSC Annual Review 2023


The government’s Cyber Aware campaign poses two simple suggestions for improving cyber resilience: use a password based on three random words, and secure accounts with two-step verification. These are small but actionable steps that all small businesses and individuals can take today to improve digital security.

In addition, the NCSC acknowledges a need for products and services to fix basic vulnerabilities on websites, email, and infrastructure, with an emphasis on user-experience and accessibility. IT leaders realise that technology must be accessible for all, from employees to end-users, and that a balance must be found between user-experience and security. Only then will a secure-first approach become widespread for organisations.

To learn how we are empowering over 8000 organisations globally to protect their sensitive digital communications, prevent unauthorised access to data, and avoid the leading causes of data incidents, read our customer stories, or contact us to find out more.

First published -
Last updated - 20/11/23
Free demo
Free demo
Free demo

Ready for a deeper dive? So are we.