NCSC Iran Cyber Warning: What UK Businesses Should Do

One hundred and forty-nine distributed denial-of-service (DDoS) attacks in 72 hours. A hundred and ten organisations across 16 countries targeted by 12 hacktivist groups between 28 February and 2 March 2026. Most of those attacks hit the Middle East, not the UK. But the National Cyber Security Centre (NCSC) published an advisory on 2 March telling UK organisations to take action anyway, and that advisory is worth reading carefully.
The advisory isn't about panic; it's about checking the basics. Read the NCSC's recommended actions next to a Cyber Essentials assessment checklist and you'll notice something: they cover almost exactly the same ground.
What the NCSC actually said
The NCSC's assessment was deliberately measured: "There is likely no current significant change in the direct cyber threat from Iran to the UK." But it followed that with a caveat that matters more than the reassurance: "due to the fast-evolving nature of the conflict, this assessment may be subject to change."
They also flagged a specific risk category. If your organisation has a presence in the Middle East, or if your supply chain touches the region, the NCSC rates the indirect cyber threat as "almost certainly heightened."
Three threat types made the advisory: DDoS attacks, phishing campaigns, and industrial control system (ICS) targeting. The DDoS threat is the noisiest, but the phishing threat is the one most likely to actually reach a UK business.
Who should pay attention
The obvious answer is organisations with Middle East connections, but the practical answer is broader than that.
The hacktivist groups behind the 149 attacks don't do careful target selection. Government targets made up 47.8% of attacks, finance 11.9%, and telecoms 6.7%. The remaining third was scattered across other sectors with no obvious pattern, which tells you how these groups pick targets: whatever is reachable.
If you supply a government department, an NHS trust in Manchester or Birmingham, a defence contractor, or any organisation in the 13 critical national infrastructure sectors, you're in the indirect risk category whether or not you have Middle East operations. Supply chain attacks work by finding the weakest link. That's usually a smaller supplier with less security.
The UK saw 204 nationally significant cyber incidents in the 12 months to August 2025, up from 89 the previous year. That's more than double, year on year. NHS trusts in Glasgow, local authorities in Leeds, and financial services firms across every region have all been affected. Iran, Russia, China, and North Korea were all named as top threat actors. This advisory sits on top of that existing threat level.
The NCSC checklist (and what CE already covers)
The NCSC has specific guidance on what to do when the cyber threat is heightened. Here's how its recommendations map to the Cyber Essentials controls. Four of the five controls are walked through below; the fifth, secure configuration, appears in the coverage table further down.
Patching
Heightened threat recommendation: patch desktops, laptops, mobiles, third-party software, and firmware with automatic updates enabled, and patch internet-facing services for known vulnerabilities.
Cyber Essentials says: apply critical and high-risk patches (those with a Common Vulnerability Scoring System score of 7.0 or above) within 14 days of release.
Iranian threat groups consistently exploit known vulnerabilities in unpatched software. A recurring entry point in published advisories has been unpatched VPN and other internet-facing edge appliances. If your Fortinet or Citrix appliance is a patch behind, that's the front door they're walking through.
If you're CE compliant, your patching should already cover this. But "CE compliant" means every device, not just the ones you tested last time. The 14-day window applies to your entire estate.
Access controls and MFA
Heightened threat recommendation: verify MFA is configured and enabled. Review and remove old or unused accounts. Review privileged and administrative access, and use strong, unique passwords.
Cyber Essentials says: MFA on all cloud services, separate admin accounts from standard accounts, and remove unnecessary user accounts.
Iranian actors use password spraying and multi-factor authentication (MFA) push bombing, which means repeatedly sending MFA notifications until someone approves one out of frustration. Spraying tries one or two common passwords against many accounts precisely so that it stays under lockout thresholds, so lockout alone does not stop it: CE requires brute-force protection (lockout after no more than 10 failed attempts, or throttling to no more than 10 guesses in 5 minutes), and spraying is caught by noticing one source failing against many different accounts. The defence against push bombing is number matching on push prompts or, better, phishing-resistant MFA such as FIDO2 hardware keys; both go beyond what CE requires.
If your cloud services have MFA enabled and your admin accounts are separate from daily-use accounts, you've covered the access control portion of this advisory.
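The two techniques above have recognisable shapes in sign-in logs, and the shapes are what a lockout rule misses. The following is an added example (not the NCSC's, CISA's, or any identity provider's detection logic) that runs both detections over a constructed log. The log format is an assumption: one JSON object per line with ts, user, ip and result fields, loosely modelled on a cloud sign-in export; real Entra ID or Okta logs use different field names, and the thresholds are starting points to tune.

```python
"""Spot password spraying and MFA push bombing in sign-in events.

Added example, not the NCSC's or any vendor's detection logic. The log format is
constructed: one JSON object per line with ts, user, ip and result, loosely modelled
on a cloud identity provider's sign-in log (real Entra ID or Okta exports use
different field names). IPs are from the documentation ranges.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_WINDOW = timedelta(minutes=30)
SPRAY_MIN_USERS = 8       # one source failing against this many distinct accounts
SPRAY_MAX_PER_USER = 3    # sprays stay below lockout thresholds (CE allows up to 10)
PUSH_WINDOW = timedelta(minutes=10)
PUSH_MIN_PROMPTS = 5      # push prompts to one user inside the window
PUSH_RESULTS = {"mfa_push_denied", "mfa_push_timeout", "mfa_push_approved"}


def parse_events(lines):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def _windows(items, window):
    """Yield, for each item, the run of items from it up to 'window' later (items are time-sorted)."""
    for i, start in enumerate(items):
        yield [x for x in items[i:] if x["ts"] - start["ts"] <= window]


def detect_password_spray(events):
    """{ip: sorted users} for sources that failed against many accounts, few tries each."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "password_failed":
            fails_by_ip[e["ip"]].append(e)
    hits = {}
    for ip, fails in fails_by_ip.items():
        for run in _windows(fails, SPRAY_WINDOW):
            per_user = defaultdict(int)
            for f in run:
                per_user[f["user"]] += 1
            # Many distinct users, each tried only a few times: a lockout rule never fires.
            if len(per_user) >= SPRAY_MIN_USERS and max(per_user.values()) <= SPRAY_MAX_PER_USER:
                hits[ip] = sorted(per_user)
                break
    return hits


def detect_push_bombing(events):
    """{user: (prompt_count, approved)} for users hit by a burst of MFA push prompts."""
    prompts_by_user = defaultdict(list)
    for e in events:
        if e["result"] in PUSH_RESULTS:
            prompts_by_user[e["user"]].append(e)
    hits = {}
    for user, prompts in prompts_by_user.items():
        for run in _windows(prompts, PUSH_WINDOW):
            if len(run) >= PUSH_MIN_PROMPTS:
                # An approval inside the burst is the fatigue outcome to escalate on.
                hits[user] = (len(run), any(p["result"] == "mfa_push_approved" for p in run))
                break
    return hits


# Constructed sample: a spray from 198.51.100.23 finds h.patel's password, then bombs
# h.patel with push prompts until one is approved; j.smith is a normal user.
SAMPLE_LOG = """
{"ts": "2026-03-01T02:00:00Z", "user": "a.jones", "ip": "198.51.100.23", "result": "password_failed"}
{"ts": "2026-03-01T02:00:40Z", "user": "b.khan", "ip": "198.51.100.23", "result": "password_failed"}
{"ts": "2026-03-01T02:01:20Z", "user": "c.li", "ip": "198.51.100.23", "result": "password_failed"}
{"ts": "2026-03-01T02:02:00Z", "user": "d.omar", "ip": "198.51.100.23", "result": "password_failed"}
{"ts": "2026-03-01T02:02:40Z", "user": "e.ruiz", "ip": "198.51.100.23", "result": "password_failed"}
{"ts": "2026-03-01T02:03:20Z", "user": "f.chen", "ip": "198.51.100.23", "result": "password_failed"}
{"ts": "2026-03-01T02:04:00Z", "user": "g.ali", "ip": "198.51.100.23", "result": "password_failed"}
{"ts": "2026-03-01T02:04:40Z", "user": "h.patel", "ip": "198.51.100.23", "result": "password_ok"}
{"ts": "2026-03-01T02:05:20Z", "user": "i.wood", "ip": "198.51.100.23", "result": "password_failed"}
{"ts": "2026-03-01T02:06:00Z", "user": "h.patel", "ip": "198.51.100.23", "result": "mfa_push_denied"}
{"ts": "2026-03-01T02:06:30Z", "user": "h.patel", "ip": "198.51.100.23", "result": "mfa_push_timeout"}
{"ts": "2026-03-01T02:07:00Z", "user": "h.patel", "ip": "198.51.100.23", "result": "mfa_push_denied"}
{"ts": "2026-03-01T02:07:30Z", "user": "h.patel", "ip": "198.51.100.23", "result": "mfa_push_timeout"}
{"ts": "2026-03-01T02:08:00Z", "user": "h.patel", "ip": "198.51.100.23", "result": "mfa_push_denied"}
{"ts": "2026-03-01T02:08:20Z", "user": "h.patel", "ip": "198.51.100.23", "result": "mfa_push_approved"}
{"ts": "2026-03-01T02:10:00Z", "user": "j.smith", "ip": "203.0.113.5", "result": "password_failed"}
{"ts": "2026-03-01T02:10:30Z", "user": "j.smith", "ip": "203.0.113.5", "result": "password_failed"}
{"ts": "2026-03-01T02:11:00Z", "user": "j.smith", "ip": "203.0.113.5", "result": "password_ok"}
{"ts": "2026-03-01T02:11:10Z", "user": "j.smith", "ip": "203.0.113.5", "result": "mfa_push_approved"}
"""
EVENTS = parse_events(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    print("password spray:", detect_password_spray(EVENTS))
    print("push bombing:  ", detect_push_bombing(EVENTS))
```

On the sample, the spray detector flags 198.51.100.23 (eight distinct accounts, one failure each, so no per-account lockout would have fired) and the push detector flags h.patel with six prompts in under three minutes ending in an approval, which is the case to treat as a probable compromise rather than a nuisance. j.smith's two mistyped passwords and single prompt trip neither rule. In production you would run this over a sliding window from your identity provider's export and feed hits to whoever can revoke the session.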
Firewalls
Heightened threat recommendation: verify firewall rules are correct, remove temporary rules that are no longer needed, and review your external attack surface.
Cyber Essentials says: boundary firewalls on all internet-facing devices, with default inbound action set to block and all inbound allow rules documented with business justification.
The crossover here is direct and obvious. If you passed CE, your firewall configuration should already meet this standard. But the NCSC is asking you to check it again right now. Temporary rules have a way of becoming permanent. If you added an exception six months ago for a specific project and never removed it, that's the kind of gap this advisory is about.
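The review this section asks for is mechanical enough to script. Below is an added example (not NCSC, IASME or any firewall vendor's code) run over a constructed rule export: it flags inbound allow rules with no documented business justification, remote-admin ports open to any source, and rules whose justification calls them temporary but which have expired or aged past a cut-off. The rule fields, the sample policy and the 30-day age limit are all assumptions for the example.

```python
"""Audit an inbound firewall rule export against the checks in this section.

Added example, not NCSC or IASME code, and not any firewall vendor's export format:
the rule fields (id, direction, action, src, dst_port, justification, added, expires)
and the sample policy are constructed. The 30-day age limit for a rule whose
justification calls it temporary is an assumption for the example.
"""
from datetime import date, timedelta

ADMIN_PORTS = {22, 3389, 5900}      # SSH, RDP, VNC: remote admin that should not be open to the whole internet
TEMP_MARKERS = ("temp", "temporary")
TEMP_MAX_AGE = timedelta(days=30)   # assumption: a temporary rule older than this needs re-justifying


def is_temporary(rule):
    """Crude marker search in the justification; tune to how your team labels exceptions."""
    text = (rule.get("justification") or "").lower()
    return any(m in text for m in TEMP_MARKERS)


def audit_rule(rule, today):
    """Issues for one rule; only inbound allow rules are checked. Empty list = passes."""
    issues = []
    if rule["direction"] != "inbound" or rule["action"] != "allow":
        return issues
    if not (rule.get("justification") or "").strip():
        issues.append("inbound allow with no documented business justification")
    if rule["src"] == "any" and rule["dst_port"] in ADMIN_PORTS:
        issues.append(f"admin port {rule['dst_port']} open to any source")
    if is_temporary(rule):
        expires = rule.get("expires")
        if expires is not None and expires < today:
            issues.append(f"temporary rule expired on {expires.isoformat()}")
        elif expires is None and today - rule["added"] > TEMP_MAX_AGE:
            issues.append(f"temporary rule added {rule['added'].isoformat()} with no expiry, "
                          f"older than {TEMP_MAX_AGE.days} days")
    return issues


def audit_policy(policy, today):
    """Check the default inbound action and every rule. Returns {rule_id: [issues]}."""
    report = {}
    if policy["default_inbound"] != "deny":
        report["default"] = ["default inbound action is not deny"]
    for rule in policy["rules"]:
        found = audit_rule(rule, today)
        if found:
            report[rule["id"]] = found
    return report


TODAY = date(2026, 3, 3)
SAMPLE_POLICY = {   # constructed export
    "default_inbound": "deny",
    "rules": [
        {"id": "R1", "direction": "inbound", "action": "allow", "src": "any", "dst_port": 443,
         "justification": "public website on web-01", "added": date(2024, 5, 1), "expires": None},
        {"id": "R2", "direction": "inbound", "action": "allow", "src": "any", "dst_port": 3389,
         "justification": "", "added": date(2025, 11, 12), "expires": None},
        {"id": "R3", "direction": "inbound", "action": "allow", "src": "198.51.100.0/24", "dst_port": 22,
         "justification": "TEMP - vendor migration", "added": date(2025, 9, 1), "expires": date(2025, 10, 1)},
        {"id": "R4", "direction": "inbound", "action": "allow", "src": "any", "dst_port": 25,
         "justification": "inbound SMTP to mail-gw-01", "added": date(2023, 2, 14), "expires": None},
        {"id": "R5", "direction": "outbound", "action": "allow", "src": "any", "dst_port": 443,
         "justification": "", "added": date(2023, 2, 14), "expires": None},
        {"id": "R6", "direction": "inbound", "action": "allow", "src": "any", "dst_port": 8080,
         "justification": "temporary: pentest access to test-01", "added": date(2025, 9, 1), "expires": None},
    ],
}

if __name__ == "__main__":
    for rule_id, issues in audit_policy(SAMPLE_POLICY, TODAY).items():
        for issue in issues:
            print(f"{rule_id}: {issue}")
```

On the sample policy, R2 fails twice (undocumented, and RDP open to the world), R3 is the "six months ago for a specific project" case with an expiry nobody actioned, and R6 is the worse variant with no expiry at all. R1 and R4 pass because they are justified and on service ports. Export your real rule set to the same shape and the review becomes a diff you can rerun every time the NCSC raises the threat level.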
Malware protection
Heightened threat recommendation: install antivirus and confirm it's active with updated signatures.
Cyber Essentials says: anti-malware software must be kept up to date, scan files automatically on access, and prevent connections to malicious websites.
This is the most straightforward mapping of the set. If your antivirus is running and updating, you're covered. If someone's disabled it on their laptop because it was "slowing things down," now is the time to fix that. Don't assume: check from your management console, and on Windows endpoints running Defender the Get-MpComputerStatus cmdlet reports whether real-time protection is on and how old the signatures are. Expect to find it switched off on at least one machine you assumed was protected.
What CE doesn't cover
Here's where honesty matters more than making a sale.
CE does not protect against DDoS attacks, because a volumetric DDoS saturates your internet connection or upstream capacity rather than exploiting a weakness in your devices. The five controls are about securing what's inside your network boundary. If someone floods your internet connection with traffic, your firewall configuration won't help.
CE also doesn't cover incident response planning, threat intelligence feeds, network logging, or ICS security. Those are all recommended when the threat level is heightened, and they're all beyond CE scope.
If your business runs internet-facing services that customers rely on, talk to your ISP or hosting provider about DDoS mitigation. The NCSC has a dedicated DDoS guidance collection covering upstream defences, content delivery network options, and rapid scaling.
If you operate operational technology (OT) or industrial control systems, there's separate ICS targeting guidance available. That's a different conversation from CE entirely.
Three things to do this week
You don't need to redesign your security posture. You need to verify what you already have in place.
Check your patches. Run a vulnerability scan or just check your patch management tool. Are there any critical patches older than 14 days that haven't been applied? Focus on internet-facing devices first: firewalls, VPN concentrators, email gateways. Iranian advanced persistent threat (APT) groups consistently exploit unpatched network edge devices. If your Fortinet, Citrix, or Palo Alto appliance is behind on patches, that's priority one.
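The "older than 14 days" test has a precise definition in the Patching section above (vendor rating critical or high, or CVSS 7.0 and above, or no severity published at all), and it is easy to get wrong when a vendor rates something critical but the CVSS is low. The following is an added example (not NCSC or IASME code, and not any scanner's output format) that applies the rule to a constructed set of scan findings and orders the overdue ones the way this step says to triage them: internet-facing first, then most overdue first. The field names, fix identifiers and hosts are all constructed.

```python
"""Apply the Cyber Essentials 14-day patch rule to vulnerability-scan findings.

Added example, not NCSC or IASME code. Rule (from the Patching section above):
a fix is inside the 14-day window if the vendor rates the vulnerability critical or
high, OR the CVSS base score is 7.0 or above, OR the vendor publishes no severity
at all. Field names and the sample findings below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

PATCH_WINDOW_DAYS = 14
CVSS_THRESHOLD = 7.0


@dataclass
class Finding:
    host: str                       # asset name (constructed)
    fix_id: str                     # vendor patch/advisory reference (constructed)
    released: date                  # date the vendor released the fix
    cvss: Optional[float]           # CVSS base score, None if the vendor gave none
    vendor_severity: Optional[str]  # vendor rating, e.g. "critical"; None if absent
    internet_facing: bool           # edge devices get triaged first


def in_scope(f: Finding) -> bool:
    """True if the CE 14-day rule applies to this fix."""
    if f.vendor_severity and f.vendor_severity.lower() in ("critical", "high"):
        return True                 # vendor rating counts even if the CVSS is low
    if f.cvss is not None and f.cvss >= CVSS_THRESHOLD:
        return True
    # No severity information of any kind: CE treats the fix as in scope.
    return f.cvss is None and f.vendor_severity is None


def days_overdue(f: Finding, today: date) -> int:
    """Days past the deadline; zero or negative means still inside the window."""
    deadline = f.released + timedelta(days=PATCH_WINDOW_DAYS)
    return (today - deadline).days


def overdue(findings: List[Finding], today: date) -> List[Tuple[Finding, int]]:
    """In-scope findings past their deadline: internet-facing first, then most overdue first."""
    late = [(f, days_overdue(f, today)) for f in findings
            if in_scope(f) and days_overdue(f, today) > 0]
    late.sort(key=lambda item: (not item[0].internet_facing, -item[1]))
    return late


# Constructed sample scan output; the date is the day after the NCSC advisory.
TODAY = date(2026, 3, 3)
SAMPLE_FINDINGS = [
    Finding("vpn-gw-01", "vendor-fix-A", date(2026, 1, 20), 9.8, "critical", True),
    Finding("lt-sales-07", "vendor-fix-B", date(2026, 2, 25), 7.5, "high", False),
    Finding("mail-gw-01", "vendor-fix-C", date(2026, 2, 1), 6.9, "medium", True),
    Finding("fw-edge-02", "vendor-fix-D", date(2026, 2, 10), None, None, True),
    Finding("dc-01", "vendor-fix-E", date(2026, 2, 1), 5.3, "critical", False),
]

if __name__ == "__main__":
    for f, late_by in overdue(SAMPLE_FINDINGS, TODAY):
        edge = "INTERNET-FACING" if f.internet_facing else "internal"
        print(f"{f.host:12} {f.fix_id:14} {late_by:3d} days overdue  ({edge})")
```

Three of the five constructed findings come out overdue: the VPN gateway (28 days late, priority one), the edge firewall whose vendor published no severity (CE counts that as in scope, 7 days late), and the domain controller whose vendor rated the fix critical despite a CVSS of 5.3 (16 days late). The sales laptop is still inside its window until 11 March, and the mail gateway's CVSS 6.9 "medium" sits outside the 14-day rule, which does not mean leave it: it means it is not the thing that fails your CE assessment this week.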
Verify MFA is actually on. Not just enabled in the admin console, but actively enforced on every user account for every cloud service. Check for accounts that were exempt "temporarily." Check for service accounts that bypass MFA. Under the Danzell requirements from April 2026, any cloud service that supports MFA must have it enforced, and social media accounts used for business are in scope too.
Sign up for NCSC Early Warning. It's free, it's at my.ncsc.gov.uk, and it takes five minutes. You register your public internet protocol (IP) addresses and domain names, and the NCSC then sends you alerts when it detects malicious activity targeting your infrastructure; the service averages 2,000 alerts per month across all users. There's no reason not to use it, and most UK businesses still don't (as noted in the October 2024 governance review).
What CE covers and what it doesn't
| NCSC Recommendation | CE Control | Covered? |
|---|---|---|
| Patch all devices within 14 days | Security Update Management | Yes |
| Verify MFA on cloud services | User Access Control | Yes |
| Review firewall rules | Firewalls | Yes |
| Antivirus active and updated | Malware Protection | Yes |
| Change default passwords | Secure Configuration | Yes |
| Remove unnecessary accounts | User Access Control | Yes |
| DDoS mitigation | None | No |
| Incident response planning | None | No |
| Network monitoring | None | No |
| ICS security | None | No |
| Threat intelligence feeds | None | No |
The five CE controls cover the majority of what Iranian state actors use to break into networks: brute force attacks, credential theft, exploitation of unpatched systems, and default passwords. Those are the techniques documented across multiple joint government advisories.
CE doesn't cover the hacktivist DDoS attacks that make the headlines. But the DDoS attacks are disruption, and most of them targeted the Middle East, not the UK. The state-sponsored intrusions are the ones that steal data and cause lasting damage. CE addresses that category directly with all five controls.
CE maps to the Protect function of the NIST Cybersecurity Framework. That's one of six functions in the framework. The gaps in the table above (DDoS mitigation, incident response, network monitoring) map to Detect, Respond, and Govern. CE was never designed to cover those. Cyber 365 covers all six, with CE as step one.
The heightened threat guidance starts with this: "The most important thing for organisations of all sizes is to make sure that the fundamentals of cyber security are in place." That's what CE is: the fundamentals. The government is telling you to do exactly what CE already requires, just more urgently.
Keep up with Cyber Essentials changes
New requirements, deadline changes, and assessment tips with no spam and no sales pitches.
Subscribe to the newsletter | Follow Daniel on LinkedIn
Related articles
- Cyber Essentials 14-Day Patching: What the Requirement Actually Means
- MFA on Cloud Services for Cyber Essentials
- Your Managed IT Provider Is About to Be Regulated
- Why Cyber Essentials Isn't Enough
Sources
- NCSC Advisory: Actions following conflict in the Middle East (2 March 2026)
- NCSC Guidance: Actions to take when the cyber threat is heightened
- NCSC: DDoS Guidance Collection
- NCSC Early Warning Service
- NCSC Annual Review 2025
- Cybersecurity and Infrastructure Security Agency (CISA) Advisory AA24-290A: Iranian Cyber Actors' Brute Force and Credential Access Activity (October 2024)
- Radware threat intelligence data via The Hacker News (March 2026)