Corporate leaders have been warned cybersecurity should become the domain of the boardroom and not just IT chiefs, after a wave of attacks this year costing hundreds of millions.
Richard Horne, chief executive of the National Cyber Security Centre (NCSC), writes in the foreword of the organisation’s annual review that cybersecurity is now “critical” to “business longevity and success”.
Some organisations respond well, despite this year’s headlines, Horne says. “This is what all organisations should aspire to, because almost every business depends on technology to function.
“But for too long, cybersecurity has been regarded as an issue predominantly for technical staff.
“This must change. All business leaders need to take responsibility for their organisation’s cyber resilience.”
Horne’s remarks come in a year in which high-profile brands faced devastating cyber-attacks.
An attack on Marks & Spencer, launched in April, is reported to have cost the retailer £300m. In July, four people were arrested in connection with the security breach.
In August, a hack on computer systems at Jaguar Land Rover caused a shutdown of production at factories across the UK, Slovakia, Brazil and India. Reports suggest the cyber-attack will cost the company hundreds of millions. Production at some sites only restarted a week ago.
In his commentary, Horne writes: “The recent cyber-attacks must act as a wake-up call. The new normal is that cyber criminals will target organisations of all sizes, operating in any sector.”
Small companies at risk
Experts point to small suppliers with lower defences as an effective way of targeting big companies.
The Co-op was attacked in April this year. In a commentary for the NCSC report, CEO Shirine Khoury-Haq writes that the company’s investment, segregation of systems, frequent testing, and skills of in-house staff helped lay the “foundation” for a strong response.
“While you can plan meticulously, invest in the right tools and run countless exercises, nothing truly prepares you for the moment a real cyber event unfolds.
“The intensity, urgency and unpredictability of a live attack was unlike anything you can rehearse.
“That said, those drills are invaluable—they build muscle memory, sharpen instincts and expose vulnerabilities in your systems.”
The NCSC says that, in the year September 2024 to September 2025, it dealt with 429 incidents requiring the centre’s help. Of those, 206 were “nationally significant incidents”, up on last year’s 89.
A report from the Chartered Institute of Internal Auditors said last month that data security and cybersecurity are currently the biggest concern for chief internal auditors.
Writing for Board Agenda, FTI Consulting expert Kate Brader says: “Boards cannot afford to be passive observers. Their role is to provide strategic oversight, ensuring that businesses are not only prepared for crises but also equipped to emerge stronger.”
The NCSC report says boards must ensure they can “communicate effectively” about cyber risk.
“Unlike financial or legal risk, cyber risk is not always on the board’s agenda. Leaders are fluent in the language of revenue, liability and shareholder value, but cybersecurity is often framed in technical terms that feel disconnected from business strategy.”
The NCSC provides guidance to help with the issue: “cyber risk must be translated into business risk so that board members can approve necessary mitigations.”
There is rising alarm over the significance of recent cyber-attacks. It is no longer an issue boards can consider lightly.



