
UK Cyber Chief Warns Firms After Wave of Retail and Supply-Chain Hacks

British organisations are overlooking basic cyber-hygiene measures, widening the gap between rising threats and their ability to defend against them, the head of the National Cyber Security Centre (NCSC) has cautioned. In an open letter to The Times, chief executive Richard Horne said freely available NCSC guidance “is not being followed nearly enough,” leaving companies exposed to ransomware, data theft and operational disruption.

High-Profile Incidents Highlight Vulnerabilities

Recent victims underscore the scale of the problem:

  • Marks & Spencer is still addressing customer data theft after an April ransomware attack that stalled online orders.

  • Co-Op Group temporarily shut segments of its IT network in response to a separate breach.

  • Harrods also confirmed an attempted intrusion.

  • Food distributor Peter Green Chilled is battling an ongoing ransomware demand affecting supermarket deliveries.

  • The Legal Aid Agency disclosed that hackers accessed millions of sensitive records dating back to 2010.

Serious Attacks Have Doubled

Speaking at this month’s CYBERUK conference, Horne revealed the NCSC has dealt with more than twice the number of nationally significant incidents in recent months compared with the previous year. Despite heightened awareness, he warned that “any business leader who thinks they are exempt from cyber risks should think again.”

Low Uptake of Cyber Essentials

At the core of the agency’s advice is Cyber Essentials, a certification scheme that helps small and medium-sized enterprises implement five basic controls: firewall configuration, secure settings, access management, malware defence and patch management. Organisations that adopt the standard are 92 per cent less likely to file a cyber-insurance claim, yet only about 35,000 of the UK’s 5.5 million businesses held a valid certificate last year.

Jonathon Ellison, NCSC director for resilience, acknowledged that even these steps can appear daunting to micro-businesses. The centre is exploring additional funding and market incentives to drive adoption.

Calls for Stronger Regulation

Security analysts argue that voluntary guidance alone will not close the gap. Experts at the Royal United Services Institute say mandating vendors to ship more secure products would generate change at scale, while academics warn that guidance must be matched by economic levers. The government is drafting a Cyber Resilience Bill to raise security standards across supply chains and critical infrastructure, giving regulators greater enforcement powers.

Immediate Actions for Businesses

The NCSC advises every organisation—regardless of size—to:

  1. Implement Cyber Essentials controls without delay.

  2. Audit supply-chain security, ensuring third-party partners meet the same baseline.

  3. Develop and test an incident-response plan with secure, offline backups.

  4. Enable multi-factor authentication on all remote and privileged accounts.

  5. Subscribe to NCSC threat alerts to stay informed about emerging risks.

Until these fundamentals become routine, the gap between threat and defence will continue to widen—leaving UK businesses vulnerable to the next wave of ransomware, data-extortion and supply-chain attacks.
