Cybercrime in the UK is often framed as a national issue, and that’s true, but that risk has never been evenly spread, says Mark Edgeworth, CEO at Hicomply, an information security management platform.
Exposure varies significantly between organisations, shaped less by geography and more by how businesses are structured, governed and prepared.
According to the Cyber Security Breaches Survey 2025, 43 per cent of UK businesses and 30 per cent of charities reported experiencing a cyber breach or attack, which translates into an estimated 8.58 million crimes against businesses and another 453,000 affecting charities. Alongside that, the Cifas Fraudscape 2025 Report shows that more than 421,000 fraud cases were recorded in 2024, along with billions in losses. An interesting question is why some organisations are consistently more exposed than others.
Exposure is not random
Clear patterns begin to emerge when you look at the underlying drivers of exposure. Regions with a high concentration of SMEs tend to carry more risk. Smaller organisations often don’t have the luxury of dedicated security teams or mature governance structures, so they move quickly, adopt new systems as they go and build complexity without always building control alongside it.
On the sector front, areas with strong footprints in financial services, retail, healthcare or education are naturally more attractive targets because of the data they hold. However, some of the most damaging incidents over the past year have taken place in less scrutinised sectors, particularly charities, nurseries and care organisations, where the data is deeply personal and the consequences far more human.
Then there’s maturity. Some regions benefit from stronger digital ecosystems, deeper talent pools and a more embedded understanding of cyber risk, whilst others are still catching up, particularly where digital transformation has outpaced governance.
Put those factors together and exposure starts to look more like a by-product of how organisations are built and managed.
From cyber incidents to compliance failures
Over the past 12 months, we’ve seen that when something goes wrong, attention quickly shifts from how the attack happened to whether the organisation had the right controls in place, whether risks were properly understood and whether recognised standards were being followed. This shift brings implications for regulation, customer trust and long-term business performance.
Of the businesses and charities that experienced at least one cybercrime in the past year, a smaller but significant proportion saw those incidents translate directly into fraud. That link between breach and financial loss is tightening, and with it, expectations around accountability.
Why frameworks are becoming the dividing line
The organisations that come through incidents strongest are those that put the structure in place long before anything goes wrong, with frameworks like ISO 27001 forcing organisations to think about risk in a systematic way. They require clear ownership, defined controls and ongoing review, not just a one-off effort, creating a baseline that can be evidenced. That distinction is becoming critical.
Businesses are now expected to prove that they take security seriously, whether that’s to a regulator, customer or investor. Without that proof, organisations are finding themselves on the back foot before an incident even occurs.
We’re also seeing this reinforced through frameworks like CAF and emerging standards around AI governance, where the expectation is demonstrable, auditable resilience.
The commercial reality of poor compliance
There’s still a tendency in some organisations to treat compliance as something to be dealt with later or once growth is established, but investors wouldn’t accept weak financial controls in a business and they’re increasingly applying the same logic to cybersecurity and compliance.
Organisations with strong compliance frameworks are finding it easier to win new business, particularly in sectors where data security is critical, which opens doors to new markets and supply chains. On the other hand, those that delay are starting to feel the effect, with more questions, more friction and in some cases, missed opportunities.
A more realistic view of organisational risk
The idea that some regions are ‘more at risk’ can be misleading if it’s taken at face value, because geography isn’t the root cause. What we’re really seeing is variation in how organisations approach governance, risk and compliance.
Regions with higher exposure are often home to businesses that are earlier in their maturity journey or operating in sectors where the pace of change has outstripped the controls around it. That’s important, because it means the gap is addressable.
What leadership teams should take from this
The starting point is visibility, knowing where your risks sit and how they could materialise. What follows is the discipline to put structure around them, whether that’s through recognised frameworks, clearer ownership or more consistent oversight.
Organisations that manage incidents well have a level of preparedness that comes from having thought these scenarios through in advance. That preparation shows up in how quickly decisions are made, how clearly responsibilities are defined and how confidently the business can respond under pressure.
Compliance sits at the centre of that, as a way of bringing consistency, accountability and proof into how the organisation operates. The ability to evidence good practice is becoming just as important as the controls themselves.
Cyber risk may be a national conversation, but its impact is always local to the organisation experiencing it. Leadership teams that recognise that, and act early, are the ones who keep control when others are trying to regain it.