NCSC Annual Review 2024
December 2024

The NCSC Annual Review 2024 highlights the progress achieved over the past year in enhancing the UK’s digital security, while also addressing the persistent challenges we face as a nation. This article examines key takeaways from the review, how they align with trends Pervade have observed, and the pivotal roles played by initiatives like Cyber Essentials and Police CyberAlarm.

The review reinforces what’s been seen across many different industries: ransomware remains one of the most pervasive cyber threats. High-profile incidents, such as the financially motivated attack on Synnovis (a partnership between SYNLAB UK & Ireland, Guy's and St Thomas' NHS Foundation Trust, and King's College Hospital NHS Foundation Trust), disrupted thousands of NHS procedures, demonstrating how a single supply chain breach can ripple through complex networks to cause widespread outages. The Qilin gang, suspected of being behind the attack, forced seven London hospitals run by GSTT and King’s College Trust to cancel numerous operations, blood tests, and blood transfusions, prompting the declaration of a “critical incident.” These trusts provide acute and specialist care to 2 million people across six boroughs in Southeast London. The Synnovis attack highlighted a concerning trend: a shift in focus towards exploiting supply chain vulnerabilities. Instead of targeting robustly defended organisations like the NHS directly, attackers are targeting private companies within the supply chain, which often have fewer resources dedicated to cyber security. Following the WannaCry attack in 2017, the NHS significantly enhanced its defences, but vulnerabilities within the supply chain have become a major point of concern, and it’s essential for organisations to ensure that their vendors adhere to the same rigorous cyber security standards.

This year alone, the NCSC received 317 ransomware activity reports, triaging 20 nationally significant incidents, including impacts on critical institutions like the British Library. This serves as a reminder of why proactive measures, such as adopting Cyber Essentials, are non-negotiable. By implementing its five technical controls, organisations can mitigate the majority of cyber attacks.

Cyber Essentials, celebrating its tenth anniversary in 2024, is a cornerstone of the UK's cyber security framework. The scheme’s success is evident: organisations with Cyber Essentials are 92% less likely to file cyber insurance claims than those without the certification. Last year alone saw a 20% increase in Cyber Essentials certifications, with 33,836 certificates awarded, as well as a 20% rise in Cyber Essentials Plus certificates, with a total of 10,939 being awarded. At Pervade, we’ve witnessed the transformative effect of Cyber Essentials, particularly for small and medium-sized enterprises (SMEs). With 40% of smaller organisations implementing the controls for the first time, it’s clear that the scheme is helping level the playing field in cyber security. However, the NCSC's call to action is loud and clear: millions of organisations still lack this fundamental protection.

Cyber Essentials and Police CyberAlarm are invaluable tools for organisations striving to enhance their cyber resilience. Cyber Essentials, as highlighted in the Review, provides a clear and accessible framework for achieving baseline cyber security standards. Similarly, Police CyberAlarm supports organisations by delivering real-time threat intelligence, enabling swift responses to emerging risks. Together, these initiatives empower organisations to better protect themselves against cyber threats, ensuring a safer and more secure digital landscape.

As highlighted in the Cyber Threat Assessment on 24th January, artificial intelligence presents both opportunities and challenges. While AI enhances security capabilities, it also amplifies attack vectors, enabling threat actors to conduct more sophisticated attacks. This duality is something we’ve actively seen, particularly as the secure development of AI technologies gains momentum. The NCSC’s annual Workshop on AI Security Technologies (WAIST) demonstrates a collective aim to build understanding of AI security vulnerabilities and strengthen the community working to mitigate them. This year’s delegates included partners from across the Five Eyes Community and UK intelligence community, as well as industry, academia and other international agencies.

The review paints a clear picture: the cyber threat the UK is facing is growing faster than our collective resilience. Cyber threats persist, with the NCSC issuing 12,000 alerts through its Early Warning service last year and Police CyberAlarm alerting Member Organisations to 31,132 vulnerabilities through regular reporting. Additionally, Police CyberAlarm issued 1181 critical vulnerability notifications and 628 alerts to emerging threats. Meanwhile, geopolitical tensions continue to drive malicious activity, as evidenced by Russia’s use of wiper malware against Ukraine.

Initiatives like the NCSC's Protective DNS offering for schools, which helps block malware and phishing attempts, and the CyberFirst Girls Competition, which has engaged over 69,000 participants since 2017, are shaping a more secure future.

As readers of the NCSC Annual Review 2024 and active contributors to the cyber security ecosystem, we see both challenges and opportunities. The review underscores the urgent need for widespread adoption of best practices, such as those outlined in Cyber Essentials, while emphasising the importance of continued vigilance and proactive measures. At Pervade, we remain committed to supporting organisations across sectors, providing them with cutting-edge tools, actionable insights, and robust frameworks to navigate an ever-evolving threat landscape. Through collective action and shared responsibility among businesses, governments, and individuals, we can close the resilience gap and build a safer digital environment for all.
