Last week, at the CYBERUK conference in Glasgow, the head of the UK's National Cyber Security Centre delivered a number that should stop any board in its tracks. The NCSC is handling four nationally significant cyber incidents every week. That figure has held steady since Richard Horne first disclosed it last October. What has changed is who is behind them.
Criminal gangs and ransomware operators remain the most common threat facing most organisations. But the majority of the most serious incidents the NCSC is now handling originate, directly or indirectly, from nation states, principally China, Russia and Iran. Russia is deploying tactics and techniques developed during the conflict in Ukraine against western targets. China's intelligence and military agencies, in Horne's own words, now display an "eye-watering" level of sophistication. Iran is using cyber operations as an extension of geopolitical pressure, including against individuals and organisations on British soil.
Alongside this, Horne confirmed a 50% rise in highly significant attacks compared to the previous year. The trajectory is clear.
The instinctive response to nation-state threat language is to file it under "not our problem." CNI operators, defence contractors, government agencies - surely that is where the focus sits?
That view is increasingly difficult to sustain. Nation-state actors do not always target their ultimate objective directly. They move through supply chains, through professional services firms, through law firms handling sensitive transactions, through consultancies with access to client systems. Your organisation may not be the target. But you may be the route.
The attacks on Marks and Spencer, the Co-op and Jaguar Land Rover, cited by the government at CYBERUK as context for its £90 million resilience investment, were not infrastructure attacks. They were business disruption events with significant financial and reputational consequences. The methods used - and the actors increasingly involved in such campaigns - are evolving toward the same sophistication now being discussed at a national security level.
ISO 27001:2022 gives organisations a clear framework for thinking about this, if they are using it properly. Clause 6.1 requires you to assess risk in the context of your actual threat environment - not a generic one from three years ago. Control A.5.7 requires threat intelligence to be collected, analysed and acted upon. Control A.5.19 requires you to manage the security risks in your supply chain relationships.
The honest question for most organisations is whether their risk assessment reflects the current threat landscape, or whether it reflects the landscape as it was understood when the ISMS was first built. If it has not been meaningfully updated since geopolitical tensions began escalating, the gap between the document and reality is growing.
None of this requires a crisis response. It requires a considered one.
• Review your risk register against the current threat context. If nation-state-affiliated actors are not represented as a plausible threat vector, even indirectly, your register needs updating. This is not about catastrophising - it is about honest scoping.
• Check whether your organisation is subscribed to and actively monitoring NCSC alerts and advisories. This is free, takes minutes to set up, and is one of the simplest demonstrations of A.5.7 in practice.
• Have a frank conversation with your supply chain. If critical suppliers hold access to your systems or data, understand their security posture. A.5.19 requires this, but the business case for it has never been stronger.
• Bring the threat picture to your board. The government has written directly to FTSE 350 chairs asking them to treat cyber resilience as a board-level responsibility. If that conversation has not happened in your organisation, CYBERUK 2026 is a timely prompt to start it.
• Revisit your business continuity planning. The scenario that matters most is no longer "what if we get ransomed" - it is "what if a disruptive attack causes extended unavailability with no ransom option and no straightforward recovery path."
The NCSC's message from Glasgow was not that every organisation is under imminent attack. It was that the conditions creating risk are worsening faster than most organisations are responding. The practical response to that is not fear - it is making sure your foundations are solid before they are tested.