UK cyber incidents of ‘national significance’ more than double in a year, new NCSC report warns
October is Cybersecurity Awareness Month, and it coincides with the publication of new figures from the UK’s National Cyber Security Centre (NCSC) in its 2025 annual report. The headlines make for concerning reading: between September 2024 and August 2025, the organisation handled 204 ‘nationally significant’ cyber incidents (those in the upper three categories of the UK government’s cyber attack classification model).
That represents a 130% increase compared to the previous year, when there were 89 such incidents. Of those 204 incidents, 4% (8) were classified as “highly significant” and resulted in a serious impact on central government, UK essential services, a large proportion of the population, or the economy.
The number of highly significant incidents has increased for the third consecutive year, marking a 50% year-over-year rise. In total, the NCSC received 1,727 incident tips, of which 429 required direct NCSC support.
The threat landscape in 2025
The big question is what is driving this surge in activity. The NCSC attributes the problem to a more complex and volatile threat environment, driven by both state and non-state actors.
Nation-state threats remain a key concern, with China, Russia, Iran and North Korea (DPRK) all cited for campaigns targeting UK and allied networks. In addition, Russia continues to conduct disruptive cyber operations linked to its war in Ukraine, while Iranian activity has escalated around the Israel-Gaza conflict. China-linked threat actors have also been connected to large-scale botnets and espionage campaigns, while the DPRK continues to run financially motivated attacks on crypto and defence targets, including UK entities.
Hacktivist groups sympathetic to Russia and other regimes have increased low-skill but high-volume attacks on UK and NATO organisations. The NCSC also notes the growing use of AI to enhance cyber operations, including the automation of spear-phishing, reconnaissance and exploit development.
Adding to the challenge is a rapidly expanding commercial cyber intrusion market, which is making sophisticated tools more accessible, thereby lowering the barrier to entry for new attackers. The report argues that “the cumulative effect [of this activity] is significant, leading to increased diversification, intensification and frequency of cyber threats across every sector in the UK.”
Other key takeaways from the NCSC Annual Review 2025 include:
- Ransomware remains the most disruptive risk, with recent attacks causing significant disruption to major UK retailers and manufacturers.
- Attackers are increasingly using AI tools to enhance phishing, reconnaissance and exploit development.
- The NCSC warns that too many organisations still act only after an incident occurs. Boards are urged to treat cyber as a business risk, not a technical one.
The Glasswall perspective
Among the various important takeaways from this report is the recognition that detection and response alone are no longer sufficient to manage the current or future cyber threat landscape. AI-driven and file-based threats can now bypass traditional detection tools by exploiting vulnerabilities in trusted formats and supply chains.
Glasswall advocates for a proactive, prevention-first approach that removes malicious content before it can execute and cause harm. Our Content Disarm and Reconstruction (CDR) solutions also align with the NCSC’s broader push for automated, scalable resilience and for reducing reliance on human detection and reactive response cycles.
