The UK’s cyber defence arm has warned that organisations must be ready to operate through attacks that go beyond data theft and into real-world disruption, as adversaries grow more capable and less predictable.
In a blog published by the National Cyber Security Centre on Monday, Jonathon Ellison, the agency’s director of National Resilience, set out a clear message: planning for cyber incidents can no longer stop at prevention.
“Recent high-profile cyber incidents demonstrate a clear and accelerating trend: highly capable threat actors are increasing both their intent and their ability to target organisations of national economic significance, to cause real-world operational disruption,” Ellison wrote.
“Given the escalating intent and capability of cyber threat actors, organisations must treat the prospect of severe cyber threat as a credible and pressing risk.”
Ellison shifts the conversation away from familiar threats like ransomware and espionage towards incidents that could knock systems offline for prolonged periods, cause significant financial and reputational damage, and in some cases increase risks to public safety and national security. The emphasis is less on keeping attackers out entirely, and more on ensuring organisations can continue to function when – not if – something gets through.
This warning reflects a rapidly evolving threat landscape. Attackers are moving quicker and aiming higher, with automation picking up more of the workload and geopolitical tensions playing out directly in cyberspace. The NCSC also points to the growing role of “frontier AI” – the latest generation of highly capable models – warning these systems are starting to change how cyber operations are carried out, lowering the barrier to entry, speeding up attacks, and making them harder to defend against.
“Preparing for this is a leadership responsibility,” Ellison wrote. “Effective preparation not only protects your organisation’s value, reputation and continuity of operations, it also serves a wider purpose. The ability to continue delivering essential services under sustained cyber pressure is critical to the UK’s national resilience and security. “
Ellison’s warning lands as governments and defence planners place increasing emphasis on national resilience and the protection of critical infrastructure. The next generation of cyber incidents will test not just technical defences, but the ability of organisations – and the people running them – to keep going when those defences fail.
