News • 17 June 2026

Hostile States Behind 75% of
UK Infrastructure Cyber Attacks.

The NCSC Warning

Speaking at the RUSI Annual Security Lecture on 17 June 2026, NCSC Chief Executive Dr Richard Horne revealed that his organisation managed more than 200 cyber incidents affecting UK critical national infrastructure in the past year alone. Around 75% of those incidents are believed to be linked to hostile state actors, with Russia, China, and Iran identified as the primary threats.

Dr Horne warned that cyber security should not be treated as a risk to be managed, but as an ongoing contest against capable adversaries, and that too many organisations are still failing to get the fundamentals right.

Key Findings

What the NCSC
reported

01
200+ INCIDENTS IN ONE YEAR

The NCSC managed over 200 cyber incidents affecting the UK’s critical national infrastructure and its supporting ecosystem in the twelve months to May 2026. That is more than one serious incident every two days.

02
75% LINKED TO STATE ACTORS

Three quarters of those incidents are believed to be connected to hostile states. Russia, China, and Iran were named as the primary actors targeting the systems that underpin essential UK services.

03
AI THREAT ASSESSED FOR 2028

The NCSC has assessed that by 2028, AI-enabled cyber capabilities will likely be used by attackers to exploit known vulnerabilities in legacy technology at scale across critical national infrastructure.

04
FUNDAMENTALS STILL NOT IN PLACE

Despite years of guidance, the NCSC says too many significant incidents are still happening because basic security measures have not been implemented. The foundations are the problem, not the sophistication of the attacks.

Context

Why this matters for
every business

Critical Infrastructure Is the Target

This is not just about government systems. Energy, transport, healthcare, water, and the supply chains around them are all in scope. If your business supports or connects to these sectors, you are part of the target surface.

A Contest, Not a Checklist

The NCSC is clear that treating cyber security as a compliance exercise misses the point entirely. The adversaries adapt, probe, and then wait. Security has to be a continuous effort, not an annual review.

AI Will Accelerate the Threat

The NCSC assessment is that within two years, AI-enabled tools will allow attackers to find and exploit weaknesses in legacy technology faster and at greater scale than anything seen before.

Legacy Technology Is the Weak Point

Old systems running outdated software are the entry points that state actors look for. If it has not been patched, updated, or replaced, it is a standing invitation.

No One Is a Spectator

The NCSC message is that everyone is involved - from boardrooms to IT helpdesks to people working from home. Cyber security is not something a single team handles on its own. The whole business is part of the defence.

Fundamentals Are the Answer

The consistent message from the NCSC is that most incidents succeed because the basics are not in place. Patching, access controls, multi-factor authentication, and tested backups still prevent the majority of successful attacks.

Action

What your business
should do now

AUDIT YOUR FUNDAMENTALS

Patching schedules, access controls, multi-factor authentication, and backup testing. The NCSC has repeated for years that most successful attacks exploit the absence of these basics. If any of them are missing or inconsistent in your organisation, that is where to start.

PREPARE FOR AI-POWERED THREATS

The timeline is 2028. That is not far away. Start thinking about how AI might be used against your business. Legacy systems and known vulnerabilities are the first things AI-enabled tools will target at scale. If you are running old software, the window to act is narrowing.

TREAT CYBER AS AN ONGOING CONTEST

Security is not something you complete. It is an ongoing effort that requires regular review, updated staff training, active monitoring, and a willingness to adapt. The adversaries are persistent, patient, and well-funded. Your approach has to match that.

Key Numbers

The scale of the threat

200+ Incidents

The NCSC managed more than 200 cyber incidents affecting UK critical national infrastructure in a single year, averaging more than one serious incident every two days.

75% State-Linked

Three quarters of those incidents are believed to be the work of hostile nation states, not criminal gangs, not opportunists, but state-sponsored operations with strategic objectives.

2028 AI Timeline

The NCSC assesses that by 2028, AI-enabled cyber capabilities will be used to exploit known vulnerabilities in legacy technology at scale. That gives organisations less than two years to prepare.

3 Hostile States Named

Russia, China, and Iran were specifically identified as the primary hostile states targeting the UK’s critical infrastructure, each with different methods and strategic objectives.

Privacy Policy

At Workflo, we are committed to protecting your privacy and ensuring the security of your personal data. This privacy policy outlines how we collect, use, disclose, and protect your personal information as a data controller. By engaging our services, you acknowledge and consent to the practices described in this policy.

Information We Collect

We may collect and process the following types of personal data:

  • Contact information, including your name, address, phone number, and email address.
  • Financial information, such as billing details and payment records.
  • Information necessary to provide our services, including project details and relevant documentation.
  • Communication records and correspondence with you.
  • Any other information you provide to us voluntarily.

Purpose and Legal Basis for Processing

We process personal data for the following purposes:

  • Your consent given at the time of engaging our services.
  • The processing is necessary for the performance of our contract with you.
  • Compliance with legal obligations.

Please note that providing us with certain personal data is a requirement of our contract with you. If you fail to provide the requested information, we may be unable to provide our services effectively.

Disclosure of Personal Data

We may share your personal data with the following parties:

  • HM Revenue and Customs (HMRC) for tax compliance purposes.
  • Professional indemnity insurers for insurance coverage.
  • Debt collection service providers for recovering outstanding payments.
  • Product manufacturers, if necessary for warranty claims or technical support.

Additionally, we may disclose personal data if required or permitted by law, including:

  • Law enforcement agencies, upon their lawful request.
  • Courts and tribunals in connection with legal proceedings.
  • The Information Commissioner's Office (ICO) as required by data protection regulations.

Should you request us not to share your personal data with the above parties, we may need to cease our services.

Third-Party Service Providers

We may engage third-party service providers, including service agents, debt recovery agents, field tracing agents, and subcontractors, to assist in delivering our services and fulfilling our legitimate interests. These providers are bound by contractual obligations to handle your personal data securely and only process it for the specified purposes.

Subject Access Requests (SARs)

You have the right to request access to the personal data we hold about you, subject to applicable laws. To submit a subject access request, please send a written request to the address provided below. To expedite the process, include relevant details to verify your identity and locate the requested information, such as your name, address, work address, date of work, and relevant invoice numbers.

We are committed to responding to SARs promptly, within one month of receipt, as required by the Data Protection Act 2018 (DPA 2018). However, there may be circumstances where we are permitted to refuse access, such as when there has been little or no change to the data since a previous request.

You may authorise someone else, such as a friend, relative, or solicitor, to request information on your behalf. To grant such authorisation, please sign a letter stating your consent and the authorised person's details.

Rectification of Personal Data

If you believe that any personal data we hold about you is inaccurate or incomplete, please notify us promptly. We will take reasonable steps to rectify and update the information as necessary.

Withdrawal of Consent

If you have provided consent for the processing of your personal data, you have the right to withdraw that consent at any time. To withdraw your consent, please inform us promptly. Please note that the withdrawal of consent does not affect the lawfulness of processing prior to the withdrawal, and we may still have a legal basis to process your data in certain circumstances.

Marketing Activities and Data Usage

At Workflo, we may use your personal data for limited marketing activities, subject to your consent where required by applicable laws.

  • Consent: We will obtain your explicit consent before using your personal data for direct marketing purposes, where required by applicable data protection laws.
  • Marketing Communications: With your consent, we may send you marketing communications via email, phone calls, or other means of communication.
  • Opt-out: You have the right to opt-out of receiving marketing communications from us at any time.
  • Data Sharing: We will not share your personal data with third parties for their direct marketing purposes without obtaining your consent.
  • Data Retention: We will retain your personal data for marketing purposes only as long as your consent is valid or as required by applicable laws.

Marketing, Contact Form and Data Usage

We may use personal data you submit via our website forms for the purposes of responding to your enquiry, providing you with the correct information, product, or service you have requested, and, with your consent, sending you marketing information related to our services.

  • Consent: When completing a form on our website, you will be asked to confirm your consent for Workflo to process your personal data in accordance with this Privacy Policy.
  • Opt-out: You can withdraw your consent and opt out of marketing communications at any time by following the unsubscribe link in our emails or contacting us.
  • Data Sharing: We will never share your personal data with third parties for their direct marketing purposes without your consent.

Automated Decision-Making

We do not engage in automated decision-making processes that significantly impact you or involve sensitive personal data.

Use of CCTV

In order to ensure the security and safety of our premises, we utilise Closed-Circuit Television (CCTV) surveillance systems. The primary purpose is to prevent and detect unlawful activities, protect the security of our premises, assets, and personnel, and enhance the safety of individuals within the premises.

Data Security

We take data security seriously and implement appropriate technical and organisational measures to protect personal data from unauthorised access, loss, alteration, or disclosure. These measures include encryption, access controls, regular security assessments, and employee training on data protection.

Data Breach Notification

In the event of a data breach that poses a risk to the rights and freedoms of individuals, we will promptly notify the relevant authorities and affected individuals, as required by applicable data protection laws.

Cookies and Tracking Technologies

Our website may use cookies or other tracking technologies to enhance user experience. For more information on our use of cookies, please review our Cookie Policy.

Third-Party Links/Websites

Our website may contain links to third-party websites or services. Please note that our privacy policy does not apply to those external sites, and we encourage you to review the privacy policies of those sites.

Children's Privacy

Our services are not intended for children under a certain age. We do not knowingly collect personal data from children.

Changes to the Privacy Policy

We may update this privacy policy from time to time to reflect changes to our data handling practices or legal requirements. The most current version of the policy will be available on our website.

Contact Information

For any questions or concerns related to data protection or this privacy policy, please contact:

Kirsty Cole
privacy@workflo.solutions
Workflo
Workflo House Unit 16 Shairps Business Park
Houston Ind Estate, Livingston
West Lothian EH54 5FD
Phone: 0330 055 9435

Call Us