The head of GCHQ, Anne Keast-Butler, has issued a stark warning to UK businesses, urging them to significantly step up their cyber defences and resilience planning, stressing that, ultimately, “attacks will get through.” Speaking at a recent London conference, the Director of the intelligence and security agency underscored the intensifying threat landscape, noting a significant escalation in the frequency and sophistication of cybercrime, particularly ransomware. Her remarks follow figures released by the National Cyber Security Centre (NCSC), which is part of GCHQ, showing a near 50% rise in “highly significant” cyber-attacks against the UK in the past year, with the agency now dealing with several such incidents per week.
Keast-Butler emphasised that, given the relentless nature of the threat, companies must focus not just on prevention, but on what happens in the aftermath of a breach. She questioned whether businesses had truly tested their contingency plans, even suggesting that firms should maintain physical, paper copies of their crisis strategies in case a major attack renders all digital systems inoperable. “What are your contingency plans? Because attacks will get through,” she stated, pressing leaders to consider how their organisation would communicate and function if their systems were entirely shut down.
The GCHQ chief’s intervention comes in the wake of several high-profile cyber incidents affecting major UK companies this year, including the Co-op Group and Jaguar Land Rover, serving as potent real-world examples of the financial and operational devastation cybercrime can inflict. She highlighted that artificial intelligence is making the threat more diffuse, lowering the “entry level capability” for malicious actors to cause widespread damage.
Furthermore, Keast-Butler called for improved governance, urging company boards to ensure they have members who understand and can ask the right questions about cybersecurity. She stressed the necessity of a collaborative approach between government and business to tackle future threats and encouraged companies not to be reticent about sharing information on attacks, confirming that “safe spaces” have been established for this purpose. The message is clear: cyber risk is a matter of business survival, and inertia is no longer an option.
