Major retail and manufacturing names, including Marks & Spencer, The Co-op, and Jaguar Land Rover, have faced operational paralysis after criminal hackers targeted their IT systems. These attacks have caused empty shelves and halted production lines, underscoring the fragility of supply chains dependent on uninterrupted digital operations.
The Shift Towards Resilience Engineering
According to NCSC chief executive Richard Horne, organisations must move beyond traditional cyber-defence strategies and focus on “resilience engineering.”
This approach aims to ensure that companies can anticipate, absorb, recover, and adapt in the event of an attack.
“Businesses need a plan for how they would continue to operate without their IT and rebuild it at pace,” Horne said. The NCSC recommends that these contingency plans be stored offline or even on paper to prevent them from being compromised. Plans should include clear instructions for maintaining communication when digital channels fail, as well as analogue workarounds to keep critical operations running.
The concept of cyber resilience is not new, but the NCSC’s decision to feature it so prominently in its annual review reflects growing concerns about the sophistication and persistence of cyber threats. In many cases, attackers have leveraged vulnerabilities in third-party systems, highlighting the interconnected nature of modern business infrastructure.
Supply Chain Risks on the Rise
A significant portion of recent attacks has been traced back to weaknesses in the supply chain. These indirect assaults exploit smaller, less-protected partners to reach larger targets, often with devastating consequences. Despite this, only 14% of UK businesses currently assess the cyber risks posed by their immediate suppliers, leaving a critical gap in the nation’s overall cyber defence posture.
The NCSC and UK government are urging businesses to adopt stricter supply chain security measures. A key step is requiring suppliers to meet Cyber Essentials standards, the government-backed certification scheme designed to ensure organisations have the most important security controls in place. Companies holding Cyber Essentials certification are 92% less likely to make a claim on their cyber insurance, highlighting its practical benefits.
Many government suppliers are already required to hold this certification, and the NCSC is encouraging large private-sector organisations to embed similar standards across their entire supply network. Implementing these technical controls helps prevent common attack methods such as phishing, ransomware, and unauthorised access.
Building a Culture of Preparedness
Beyond technical defences, experts emphasise the importance of building a culture of preparedness across all levels of an organisation. Regular training, simulated attack exercises, and clear crisis communication plans can make the difference between rapid recovery and long-term disruption.
The NCSC advises companies to think in terms of when, not if, a cyber incident will occur. This means ensuring that backup systems, manual procedures, and emergency communication channels are ready to deploy at a moment’s notice. The shift from a purely preventive mindset to one focused on resilience could determine which organisations weather the storm and which face lasting reputational and financial damage.
With cyber threats becoming more complex and widespread, the message from the NCSC is clear: every organisation must be ready to keep operating, even when its technology cannot.
A National Call to Action
The rise in high-impact cyber incidents serves as a wake-up call for both public and private sectors. As the UK economy becomes increasingly digital, the costs of inaction grow higher. Businesses that fail to plan for cyber resilience risk not only financial loss but also the trust of customers and partners.
By combining the principles of resilience engineering, robust supply chain management, and Cyber Essentials certification, organisations can strengthen their defences and ensure continuity in the face of evolving threats.
The NCSC’s annual review makes it clear that resilience is no longer optional; it is the new cornerstone of national cyber security strategy.
As accredited Cyber Essentials Assessors, Agile can help you gain Cyber Essentials accreditation in your business. Get in touch with us now to find out what’s involved.