In the main, most organisations receive few cyber attacks and costs are relatively low; but a minority experience repeated attacks and, in some cases, extremely high impact costs. That’s according to the latest UK Cyber Security Breaches Survey.
Even where some defences are improving, small businesses declined on a number of cyber hygiene measures after temporary increases last year, the surveyors concluded. They admitted that findings ‘may underestimate the full extent of the prevalence of cyber breaches and attacks’. The survey organisers for UK Government also carried out some ‘qualitative interviews’ which suggested that breaches, particularly related to phishing attacks, appeared to be growing in sophistication. Organisers acknowledged 2025-26 saw a record number of high-profile incidents, and an increase observed in ransomware cyber crimes among charities. The survey pointed to a critical gap in incident response planning among charities.
Background
The annual Cyber Security Breaches Survey is commissioned by the Department for Science, Innovation and Technology (DSIT) and the Home Office as an overview of the cyber security landscape for UK businesses and charities. Results for public sector schools, colleges and universities are published separately.
Speech
Meanwhile in a speech about AI sovereignty at the defence and security think-tank Royal United Services Institute (RUSI), Technology Secretary Liz Kendall set out the case for safety and cyber security in use of AI tools, with like-minded nations, for ‘future proofing what we do, working with our partners’. For the speech in full, visit the DSIT website.
Comments
Jamie Akhtar, CEO and co-founder of CyberSmart, described the survey as a useful reminder that cyber risk has moved beyond the IT team. He said: “Cyber risk is now a question of national business resilience. The headline numbers are familiar, but still sobering. Forty-three per cent of UK businesses and 28pc of charities reported a cyber breach or attack in the past 12 months. For medium and large businesses, that rises to 65pc and 69pc. Phishing remains the dominant threat, affecting 38pc of businesses and 25pc of charities, and it now accounts for more than half of all attacks experienced by organisations that were hit.
“What stands out isn’t just the volume of attacks, but the gap between concern and action. Most organisations now understand that cyber security matters, with around seven in ten businesses saying it is a high priority for senior management. Yet only 30pc carried out a cyber risk assessment, only 25pc had a formal incident response plan, just 15pc reviewed the cyber risk posed by their immediate suppliers, and only 3pc require suppliers to hold Cyber Essentials [the UK standard for basic cyber hygiene, as recommended by UK Government].
“SMEs will experience the policy shift more than most. Smaller businesses sit inside larger supply chains but rarely have the time, budget or expertise of the firms above them, and the gap between what regulators now expect and what an SME can do alone is widening. MSPs are how that gap gets closed. The survey shows progress, but it also shows how much work remains. The gap won’t close on awareness alone. It closes when cyber security is accessible to every business, regardless of size or budget, and when the next practical step is within reach for all of them.”
Charlotte Wilson, Head of Enterprise Business UK and Ireland at Check Point Software, welcomed the fact that the report brings attention back to the basics of cyber hygiene. She said: “It’s something we see time and time again. Companies are racing to secure the next big threat, but so often they’re missing the foundations (strong password policies, privileged access management, MFA [multi factor authentication], et cetera). The report found that phishing attacks remained the most prevalent type of breach by far. Cybercriminals are clearly still exploiting known tactics and AI is only making it easier to create and deploy these emails, so there’s no sign of this changing.”
Keven Knight, CEO of the cyber firm Talion, noted that the volume of breaches organisations face appears to be similar to the numbers from last year. He said: “This doesn’t mean attacker activity is declining, it suggests organisations are becoming more aware of cyber crime and doing more to improve their defences. However, even despite this, there remain some concerning gaps within defences.
“The two biggest red flags from the study centre on AI adoption and poor supply chain security. If organisations are not validating the security of their supply chain, they risk leaving their own environments wide open to attack. This is something the UK government is concerned about and the introduction of the recent Cyber Pledge will aim to tackle weaknesses in supply chain security, but organisations have a big part to play.
“When it comes to AI adoption, it seems organisations are bringing AI into their environments, but only a small proportion are ensuring their security posture covers those deployments. This is a big concern and organisations must stop viewing AI as platforms purely developed for convenience and productivity.”
Merlin Gillespie, CTO of Cybanetix, described the survey as fundamentally flawed because the Government measures the wrong things. Why? He said: “Because it shores up a cyber policy that doesn’t fund resilience. The survey shows the same information every year, because the policy that shapes it hasn’t changed in line with the problem statement.
“Attacks are getting cheaper, faster and more sophisticated; in no small part because they’re AI-assisted. Defences aren’t keeping pace, because we are asking businesses to build them voluntarily, unfunded, where the outcome is measured with paperwork rather than actual outcomes. They’re treating cyber security as though it’s a private sector hygiene problem rather than nationwide public risk.
“CISOs are exhausted, not because they don’t know what to do technically, but because they’re overwhelmed with risks, compliance, the audit treadmill and signing off supplier questionnaires. UK cyber policy has relegated CISOs into paperwork administrators and they’re in a doom-spiral. Until the government moves from policy to incentive, and recognises technical changes that can move the dial rather than mandating compliance documents that bury compliance teams, every successive survey will see defences eroded.
“Every year the government’s answer is to encourage more certifications, more training and more awareness. Microsoft says that AI is being utilised at all elements of the cyber kill chain, but the survey barely mentions it. The attack surface is changing beneath our feet, and everyone is trying to catch up with the paperwork from last year’s bill while battling anxiety about the latest novel attack that the average CISO probably has no coverage against or detections to identify.
“Phishing remains a top attack, not because defenders are lazy, it’s because attackers are evolving it faster than a policy framework can adapt. OSINT driven multi-channel attacks using email, WhatsApp, and voice are popping. AI driven content is capturing and repurposing real voice and video so instructions look as though they’re legitimately produced by an in-the-flesh colleague. Meanwhile, we’re being asked to combat it with questionnaires and multiple choice tests.