
MSPs: use this cybersecurity government data to improve your resilience engineering

2025: some may call it “the Year of the Cyberattack”. This is the year in which the once-isolated incident has become a constant drumbeat.

The UK alone has seen high‑profile ransomware incidents disrupt retailers like Marks & Spencer and the Co‑operative Group, with empty shelves and service outages costing hundreds of millions in lost revenue and reputational damage. Jaguar Land Rover has also faced significant disruption, underlining that no sector is immune.

Now, the National Cyber Security Centre (NCSC), part of GCHQ, has published its 2025 Annual Review—and it paints a sobering picture: the NCSC handled 204 nationally significant cyber incidents in the past year, more than double the 89 recorded the year before. Of these, 18 were classed as “highly significant,” meaning they had the potential to disrupt essential services such as government operations, healthcare, and energy supply.

The report stresses that cybersecurity is now a matter of national resilience. Dr. Richard Horne, the NCSC’s Chief Executive, described it as “a matter of business survival,” urging leaders to treat cyber preparedness as a strategic imperative.

What else does the report say?

The review highlights several urgent trends:

· The volume and severity of attacks are rising fast, with a 50% increase in highly significant incidents compared to last year.

· State‑backed actors from China, Russia, Iran, and North Korea remain persistent threats, targeting critical infrastructure and supply chains.

· Ransomware continues to dominate, evolving into professionalized ecosystems that operate like SaaS businesses, complete with subscription models and dashboards. (Yes, cybercriminals are considering their customers’ user experience!)

The NCSC also warns that AI is accelerating the threat landscape, with attackers using LLMs to automate phishing, reconnaissance, and exploit development.

The NCSC’s main message is that prevention alone is no longer enough.

The new cyber defense: what is resilience engineering?

Resilience engineering is about designing systems that can anticipate, absorb, and recover from attacks. Instead of building “perfect” defenses, organizations must plan for failure and build systems that can continue to operate under stress.

In practice, resilience engineering means anticipating weak points, ensuring systems can absorb shocks without catastrophic failure, recover quickly when incidents occur, and adapt based on lessons learned. It’s the digital equivalent of “bend, don’t break”.

Applying resilience engineering to cybersecurity

Resilience engineering may sound like a theory, but it translates into concrete practices:

· Redundancy ensures backup systems can take over instantly if primary ones fail.

· Segmentation isolates critical assets, preventing attackers from moving laterally across networks.

· Automated failover allows cloud‑based systems to reroute traffic during an attack.

· Chaos testing deliberately simulates failures to expose weaknesses.

· Incident playbooks provide pre‑planned responses that reduce panic and speed recovery.

This approach shifts the focus from keeping attackers out to ensuring business continuity, even when the bad guys get in.

What this means for MSPs

For MSPs, the NCSC’s call is both a challenge and an opportunity. Clients will increasingly expect MSPs to demonstrate resilience, not just security. That means moving beyond patching and firewalls to architecting systems for survivability. It also means embedding resilience into SLAs, offering resilience audits, and positioning resilience as a business enabler rather than a compliance checkbox.

MSPs are uniquely placed to lead this shift, given their role in designing, managing, and monitoring client infrastructures. By adopting resilience engineering principles or partnering with those who specialize in cybersecurity, they can differentiate themselves in a crowded market.

Building resilience into MSP services

To translate resilience engineering into practice, MSPs can start with these five steps:

  1. Resilience by design: build redundancy and segmentation into client architectures from the outset, ensuring critical services can continue even under attack.
  2. Continuous testing: run tabletop exercises and chaos engineering drills to expose weaknesses before attackers do.
  3. Automated recovery: deploy orchestration tools that can spin up clean environments quickly, minimizing downtime.
  4. Data resilience: implement immutable backups and rapid restore capabilities to protect against ransomware.
  5. Client education: help boards and executives understand resilience as a strategic priority, not just a technical detail.

By embedding these practices, MSPs can move from being the fixers to strategic resilience partners—a role that will only grow in importance as cyber threats escalate.

From defense to durability

The NCSC’s 2025 Annual Review is a wake‑up call. With cyber incidents now a weekly occurrence, prevention‑only strategies are no longer enough. Resilience engineering offers a blueprint for systems that can bend without breaking.

Those who embrace resilience will not only protect their clients but also differentiate themselves as trusted partners in an era where cyber disruption is inevitable. In today’s threat landscape, resilience isn’t just a defensive measure—it’s the new competitive edge.

Francesca Cotton