GCHQ head urges firms to do more to prevent cyberattacks

Companies must assume their digital defences will fail, the head of GCHQ, Anne Keast-Butler, told an audience of executives in London yesterday. 

Speaking at the Predict 2025 conference, the chief of Britain’s cyber and signals intelligence agency stressed that the question for all firms is no longer if an attack will get through, but when.

“What are your contingency plans? Because attacks will get through,” Keast-Butler challenged executives. She emphasized the practical steps required, asking directly: “Your plans… have you got them on paper somewhere in case all your systems really go down? How will you communicate with each other if you’re completely reliant on a system that actually you shut down?”

This urgent warning follows alarming new figures from the National Cyber Security Centre (NCSC), part of GCHQ, which revealed that “highly significant” cyber-attacks have risen by 50% in the past year. Security agencies are now tackling major incidents several times a week.

Keast-Butler noted that the threat landscape is worsening, especially as technologies like Artificial Intelligence (AI) reduce “the entry-level capability” needed for malicious actors to cause damage. While government work is successfully blocking millions of potential hits, major companies must drastically improve their own resilience.

The financial cost of inaction was highlighted by the recent hack against Jaguar Land Rover (JLR). A new report estimates the attack cost the UK economy an estimated £1.9bn, potentially making it the most expensive cyber-attack in British history after JLR was forced to shut down systems across all its factories and offices.

To combat this systemic threat, the GCHQ head argued that security must be elevated to a strategic, board-level concern. She regularly encourages CEOs to seat cybersecurity experts on their boards, noting that without them, “the right questions don’t get asked.”

Finally, Keast-Butler urged companies to overcome their reticence and share information about breaches with government agencies. She noted that “safe spaces” are available to enable this without risking commercially sensitive data, explaining that hesitation “doesn’t help any of us” in making the long-term, strategic system changes needed for collective defense.