The NCSC’s Annual Review 2025 paints a clear picture of where the UK stands on cyber awareness and resilience, and it’s a wake-up call. Serious cyber incidents have more than doubled in just one year, with 429 handled between September 2024 and August 2025. Of those, nearly half were classed as ‘nationally significant’.
It’s a record surge, and it signals that the threat landscape is evolving faster than most organisations can defend against it.

Phishing and identity abuse still rule the roost
Phishing remains the number one attack route, and it’s getting smarter. Attackers are blending classic social engineering with identity-based tactics, from impersonating help desks to hijacking trusted accounts. They increasingly target specific roles or departments, crafting highly convincing messages and exploiting current events, organisational changes, or even personal information to gain trust. These attacks are carefully timed and context-aware, which makes them difficult to detect and avoid.
AI is also lowering the barrier to entry. Generative tools can now produce polished, convincing messages, meaning cyber criminals no longer need deep technical skills to inflict serious harm. Deepfake audio and AI-generated content further expand their reach, enabling attacks across email, messaging apps, and social media. The result? More attacks, more often, with less effort and a higher likelihood of success, putting organisations under continuous pressure to stay vigilant, proactive, and prepared for evolving threats.
The threat and defence gap
Despite ongoing investment in technology, the review highlights that many organisations still fall short on cyber awareness and training, with the main shortfalls being company-wide culture and human defences. External audits often uncover deeper weaknesses within organisations than internal assessments find.
Cyber risk is still too often viewed as an IT problem rather than a business-wide one. Leadership engagement and governance are lagging, and until that changes, cultural transformation will remain out of reach.
The human layer remains the most vulnerable
No firewall, endpoint agent or AI tool can compensate for a workforce that isn’t equipped or empowered to act. The review reinforces what we’ve long believed at Boxphish: resilience starts with employee awareness.
A cyber-aware culture is not built through a once-a-year learning course, whether online or in person. It’s developed through consistent reinforcement, real-world simulations, and visible leadership support.
Attackers are evolving. Training must evolve too.
What organisations should do next
To close the gap, the NCSC recommends a shift in mindset, from compliance to culture. Some key actions stand out:
- Elevate cyber awareness into a strategic initiative, not a checkbox.
- Deliver role-based, relevant training that connects to real-world risk.
- Simulate phishing, social engineering and even AI-generated content.
- Create a culture of open reporting and learning, without scrutiny, fear of embarrassment or punishment.
- Embed accountability at senior levels.
- Integrate awareness with technical measures like MFA and identity monitoring.
- Extend training to suppliers and partners.
- Measure progress using frameworks, such as the Cyber Assessment Framework.
With new regulation on the horizon, including the Cyber Security & Resilience Bill, organisations will soon need to demonstrate maturity, not just claim it. Proof of culture, awareness and governance will be as important as technical defences.
Making awareness a competitive advantage

The organisations that treat awareness as strategic, not supplemental, will be the ones that survive and thrive. Culture change takes time, but the cost of inaction is already clear.
Every phishing email not clicked on, every suspicious message reported, and every leader who champions cyber resilience helps close the gap.
At Boxphish, we believe awareness isn’t just training; it’s transformation. And in 2025, that transformation can’t be put on hold.