
Cyber breaches survey

by Mark Rowe

It’s estimated that one in five businesses (20pc) and 14pc of charities have been victims of at least one cyber crime in the past year, while just over four in ten businesses (43pc) and three in ten charities (30pc) reported having experienced a cyber security breach or attack in the last 12 months, according to the Cyber Security Breaches Survey 2025, commissioned by the Department for Science, Innovation and Technology (DSIT) and the Home Office.

Phishing attacks remain the most prevalent and disruptive type of breach or attack. As for cost, it’s estimated that the average for the most disruptive breach for each business in the last 12 months was £1,600 for businesses and £3,240 for charities. Leaving out those who reported that the cost of their most disruptive breach was zero, the average cost of the most disruptive breach was £3,550 for businesses and £8,690 for charities. The survey suggested improvements in small businesses in several cyber hygiene practices, such as more uptake of cyber security risk assessments and continuity plans. Most businesses and charities have basic technical controls, such as updating malware protection and having password policies. Relatively few businesses or charities were taking steps to formally review the risks posed by their immediate suppliers and wider supply chain.

Response

As for board engagement and corporate governance, cyber security remains a high priority for the majority. As for response, internal reporting to senior management remains the most common action after a breach or attack; external reporting remains uncommon. While the prevalence of cyber crime overall remained static, the prevalence of ransomware among businesses increased significantly; the estimated percentage of all businesses who experienced a ransomware crime in the last 12 months increased from less than 0.5pc in 2024 to 1pc.

Comments

The changing threat landscape, geopolitical tensions and increasing use of AI by cyber attackers only indicate that the risk is intensifying, said Scott Bridgen, General Manager, Risk and Audit at the platform Diligent.

“Businesses are aware of this, and we’ve seen that security remains at the top of the agenda for boards. In fact, more than 77pc of directors say that their board regularly discusses new risks and their implications for the company. However, the question on how to best respond to this growing threat remains.

“We’ve seen that AI can be a dangerous tool in the hands of cyber attackers, who are using it to automate and refine their methods. These advanced techniques allow cybercriminals to scale their operations, targeting multiple victims simultaneously to increase the overall potential damage. In response, organisations must evolve their defences to protect their assets and mitigate risk. Embracing AI-driven security solutions is a step in the right direction to enhance threat detection and response capabilities, but UK businesses also need an air-tight recovery process if the worst-case scenario becomes a reality. By taking this two-pronged approach, companies can stay one step ahead of attackers and mitigate the impact of a successful attack.”

Nathaniel Jones, VP of Security and AI Strategy at the cyber firm Darktrace, said: “While it is encouraging to see an increase in the number of businesses taking action to minimise risks – including risk assessments, creating formal policies and taking out cyber insurance policies – the threat is only increasing. The rising use of AI by attackers combined with the continued popularity of cybercrime-as-a-service (CaaS) ecosystems, that provide attackers with pre-made malicious tools and services, is increasing the speed, scale and sophistication of cyber-attacks.

“In today’s evolving cyber threat landscape, it’s therefore not a matter of if an organisation will face a cyber incident, but when. When you get knocked down, how quick can you get back up? That’s what we mean by cyber resilience. Preparing in advance is essential to put yourself in the strongest position for when a breach occurs, and a proactive approach is by far the best form of defence.

“Resilience is the name of the game, and organisations need full visibility across their digital ecosystem to identify vulnerabilities, break down silos, and mitigate threats before an attack happens. AI and machine learning are essential ingredients in this mix. These technologies help free up security teams from time-consuming tasks, allowing them to focus on what really matters: keeping businesses and people safe.”

Etay Maor, Chief Security Strategist at Cato Networks, said: “These findings, alongside the recent consultation on ransomware proposals to increase incident reporting and reduce payments to criminals (concluded April 8), provide invaluable insights that must inform the upcoming Cyber Security and Resilience Bill. Specifically, the Bill should incorporate measures to address the growing threat of AI-powered attacks, ensuring businesses and consumers are adequately protected from increasingly sophisticated cybercriminals. A holistic approach, encompassing proactive threat prevention, robust incident response, and mandatory reporting of AI-driven attacks, is crucial to effectively mitigate the evolving cyber landscape.”

Jack Kerr, Director at Appdome, said that the survey highlights an often overlooked threat facing businesses: unsecured personal devices entering corporate networks. He said: “With only 54 per cent of organisations having a cybersecurity policy for employee-owned devices, nearly half are effectively leaving the gates wide open to cyberattacks. The return-to-office trend has accelerated the rise of Bring Your Own Device (BYOD), significantly expanding the attack surface. This presents a significant risk to businesses, particularly as Appdome’s data reveals that over 42pc of consumers have already been targeted by cyberattacks, mobile malware or mobile fraud. And once attackers compromise a user’s personal device, they can potentially use that access as a gateway into corporate apps and networks, putting sensitive business data and systems at risk.

“The reality is that organisations have little control over what mobile apps employees install on their personal devices. If just one mobile app is targeted, attackers may gain direct access to sensitive data. And the malware, spyware and bots lurking on many personal mobiles can quickly escalate into major threats to the entire corporate network and systems. However, businesses can – and must – control the security of their own enterprise mobile applications. If attackers breach initial defences, robust app-level protections can stop them at the next gate.

“To prevent these devastating scenarios, organisations should implement AI-native security measures within corporate mobile apps, proactively detecting and stopping threats in real time. Embedding AI-driven defences directly into commercial and custom enterprise mobile apps is essential to stay ahead of increasingly sophisticated attacks, ensuring corporate networks and systems remain protected behind multiple layers of security.”