SOURCE: DSIT / Home Office · FIELDED: Aug-Dec 2025 · SAMPLE: 2,112 businesses · PUBLISHED: 30 Apr 2026
UK Cyber Security Breaches Survey 2025/2026

Last year, roughly 612,000 UK businesses got punched. Most of them blamed an email.

A pragmatic, lightly cynical readout of the official numbers, written for the people who actually run the businesses being targeted. No vendor pitches. No vague "the threat landscape is evolving" nonsense. Just the data, the patterns, and what the survey is quietly trying to tell you.

01 // SIGNAL ACQUISITION

Things did not get better. They got more boring, in a way that should worry you.

The headline number, that 43% of UK businesses experienced some kind of cyber breach or attack in the last twelve months, is exactly the same as the year before. After a high-profile twelve months of household-name retailers being publicly humiliated by ransomware crews, you might have expected that figure to spike. It did not. You might also have expected mass mobilisation in response. That largely did not happen either.

  • Businesses hit: 43%. UK businesses identified at least one cyber breach or attack in the last 12 months.
  • Approximate count: 612k. Estimated UK business population affected. Add 57k charities to that.
  • Cyber crime victims: 19%. Around 267,000 businesses were victims of at least one cyber crime under the Computer Misuse Act.
  • Repeat trouble: 5.19m. Estimated total cyber crimes against UK businesses over the year. Mean per victim sits at 19.
Big Brother is watching you.
// What's left unsaid: so is everyone else, and most of them want your invoice details.

The boring news: prevalence of attacks held flat. Ransomware reports actually fell from 3% to 1% of businesses. The unboring news: for the small minority who do get properly hit, the consequences look meaner than last year. Loss of revenue jumped from 2% to 5%. Reputational damage tripled from 1% to 3%. Micro-businesses recovering within a day fell from 92% to 86%. Translation: the bell curve is the same, but the long tail is uglier.

02 // SIZE PROFILE

Bigger means more breached. It is not personal, you just have more doors.

The breach rate climbs almost linearly with headcount. The standard explanation, that bigger firms simply have better detection, is partly true. The uncomfortable counter-explanation, that smaller firms are getting breached and not finding out, is also probably true. Both can coexist. They usually do.

MICRO BUSINESS // 1-9 STAFF
  • Cyber crime victim: 17%
  • Has formal IR plan: 21%
  • Staff training run: 14%
  • 2FA in place: 43%
Owner-operator territory. Cyber security is whoever in the family is "good with computers". The good news: 2FA jumped from 35% to 43%, and external providers crept up from 39% to 44%. Quietly, micro-businesses moved.
03 // SECTOR HEAT MAP

If you sell software, you will get hit. If you sell sandwiches, statistically you might not.

The survey reports two views per sector: breach prevalence and cyber crime prevalence. The most-hit sector by either measure is information and communication. But notice the gap between the two views: that is where defences are working.

There is one quiet upside. The information and communication sector saw cyber crime drop from 43% to 22% year on year, even though overall breach prevalence held flat. That is the cleanest evidence in the whole report that defences actually work when you build them. The attempts kept coming. Fewer of them landed.

04 // THE PHISHING MONOPOLY

Phishing is now functionally the only attack you need to plan for.

Among organisations that experienced any kind of breach, 88% experienced phishing. The proportion experiencing only phishing and nothing else rose from 45% to 51% for businesses, and from 46% to 57% for charities. Everything else has shrunk against it.

88% of breached orgs saw phishing.

"Receive fraudulent email" is the entire UK threat model.

Share of breached organisations that experienced each attack type:

  • Phishing: 88%
  • Impersonation (you, faked): 28%
  • Malware / spyware: 16%
  • Online banking hacks: 8%
  • Denial of service: 6%
  • Account takeovers: 5%
  • Ransomware: 3%
Words can be like X-rays, if you use them properly.
// Phishing crews understand this. Most boards still don't.

Two things to take from this. First, the marketing budget you might have been about to spend on a flashy XDR could probably go further if half of it bought you continuous, realistic phishing simulation and a proper email gateway. Second, ransomware "going down" in this survey reflects an attempted-attack metric, not a damage metric. The big news-cycle ransomware events still happened. The survey simply does not capture the upper tail well.

05 // ATTACK VECTOR LINEUP

Each vector carries its own detail, and the detail is where the strategy lives.

Each row is an attack type. The percentage is share of all UK businesses (not just breached ones) that experienced it in the last twelve months.

06 // COST PROJECTION

Pick your scenario. Read the damage. Then project your own.

Two calculators follow. The first: actual percentile data from the survey. The second: a what-if for your own business based on staff time. The official median cost of a most-disruptive breach is £0, because most attacks fail. The interesting numbers live in the tails.

SURVEY DATA // PERCENTILE READOUT v.2025/26
  • Median: £0 (half of cases sat below this)
  • Top 10%: £1,500 (90th percentile)
  • Top 5%: £4,000 (95th percentile, hurts)

Costs cover the single most disruptive breach over 12 months. The survey explicitly notes catastrophic cases sit beyond what a sample of this size can resolve. Treat these as the floor, not the ceiling.

WHAT-IF // INCIDENT DAY MODEL (your numbers)

This is an interactive planning aid on the original page, not survey data. It estimates the staff-time cost of one bad incident day before you add tools, advisors, customer comms or downtime.

Default readout: £880 of staff time burned, which is 22% of the UK top-5% cost (£4k).
07 // HYGIENE TELEMETRY

What everyone has, what everyone is missing, and what is quietly regressing.

Most UK businesses have the basics. The advanced controls, the ones that actually stop modern attacks, sit between 30% and 50%. The most concerning regression is in small businesses (10-49 staff), who undid most of the gains they made last year. Risk assessments, formal policies, and continuity plans all fell back to 2023/2024 levels.

  • Up-to-date malware protection: 81% // FOUNDATIONAL
  • Cloud backups: 74% // FOUNDATIONAL
  • Strong password policy: 74% // FOUNDATIONAL
  • Network firewalls: 74% // FOUNDATIONAL
  • Two-factor authentication anywhere: 47% // CRITICAL // up from 40% last year
  • VPN for remote staff: 36% // REMOTE-WORK GAP
  • Patch within 14 days policy: 34% // BIGGEST UNTREATED EXPOSURE
  • User activity monitoring: 33% // DETECTION GAP
  • Formal incident response plan: 25% // 75% ARE WINGING IT
  • Reviewing immediate suppliers: 15% // SUPPLY CHAIN BLIND SPOT
  • Reviewing wider supply chain: 6% // SUPPLY CHAIN BLIND SPOT
The net is vast and infinite.
// Three quarters of UK businesses have no plan for what to do when a piece of it lights up.
08 // READINESS GAUGE

Tick what you already have. The machine will not judge you.

An honest self-assessment for UK business owners, presented on the original page as an interactive checklist. Eight items, derived from the survey's own most-impactful controls. The ring fills as you go. No data leaves this page.
09 // GOVERNANCE LAYER

The boardroom is finally noticing. Some of them are even doing something.

For the first time in years, board-level responsibility for cyber security ticked up rather than down. The qualitative interviews credit a year of catastrophic news stories with shifting executive risk appetite. The encouraging trends and the discouraging trends are sitting next to each other.

Cyber as senior-management priority: 72% of businesses (stable for 3 years; ↓ for charities)

Charities slid from 68% to 60%, driven entirely by low-income charities (53%, down from 64%). High-income charities held steady at 87%.

Boards with explicit cyber responsibility: 31% of businesses (27% last year; reverses 5-year decline)

Large businesses 68%. Finance and information sector lead. Transport and retail still drag the average down.

Have a formal incident response plan: 25% of businesses (flat; 76% large vs only 21% micro)

This is the gap that turns a containable incident into a corporate-existential one. Qualitative interviews are full of "we have a document but we have never tested it".

AI use without AI risk policy: 76% of AI users (31% of businesses using or considering AI; only 24% of those have a policy)

Among the third of UK businesses using or considering AI, three quarters have no specific cyber processes for AI risk. Adoption is outrunning governance.

It is sometimes an appropriate response to reality to go insane.
// Or write an AI usage policy. Slightly less dramatic. Equally valid.
10 // RECOMMENDED ACTIONS

Six things a UK business owner can actually do next week, in order of return on effort.

The temptation when reading reports like this is to nod, close the tab, and tell yourself you'll think about it on Monday. These are the moves the data actually supports, not the ones a vendor will sell you.

i. Phishing-resistant MFA on email and bank.
Not SMS codes. Authenticator apps minimum, hardware keys if you can swing it. Phishing is 88% of your problem and MFA cuts the legs off most of it.

ii. Run one realistic phishing simulation per quarter.
The expensive cyber awareness LMS is fine. The thing that actually changes behaviour is sending a fake invoice email and letting Janet from accounts get caught in a low-stakes way.

iii. Write an incident response plan. One page. Test it.
Three quarters of UK businesses don't have one. The plan does not need to be elegant. It needs to answer: who calls who, what gets unplugged, where the backups are, and who talks to the press.

iv. Cyber Essentials. Seriously, this year.
Awareness ticked up to 17%. Adherence ticked up to 5%. The qualitative section is full of MSPs and insurers asking for it. Increasingly required by procurement. Quietly free money on the table.

v. Ask one supplier for proof.
Only 15% of UK businesses review immediate suppliers. Six per cent look further. You don't need a programme. Ask one critical supplier for their Cyber Essentials cert. Then the next one.

vi. Get cyber insurance, or honestly assess why you haven't.
39% of uninsured businesses said they had not heard of cyber insurance. The cover is not the most valuable bit. The 24/7 incident response retainer that comes with most policies is.

BOARD-LEVEL TRANSLATION

Cyber security is not an IT hobby. It is business continuity wearing a black hoodie.

The businesses that cope better tend to have clearer ownership, better controls, better-rehearsed response, and a calmer view of what can go wrong. That does not mean buying every shiny platform. It means knowing your data, your suppliers, your critical systems, your people, and your first 24 hours after something goes wrong.

11 // SECURE TRANSMISSION

Want a quiet conversation about your own 612?

If anything in this briefing made you tilt your head, drop the details below. No sales script, no auto-sequence, no "let's hop on a quick call to learn about your needs". Just a real reply from a real person who's read the same report you have.

This is the part where most websites tell you they're different and aren't.

So the short version: you tell me what's keeping you up at night, I tell you whether it's a real problem, a hyped problem, or a different problem in a hat. If we're a fit, we keep talking. If not, you've still got a useful answer.

What 313SEC tends to handle:

  • Cyber Essentials / Plus, properly done, not box-ticked
  • Incident response planning that survives contact with reality
  • Phishing simulation and email defence that actually works
  • Supplier review for the suppliers that matter
  • Honest reads on whether your stack is overspending or underspending

Open a channel.


Submission goes via Formspree. Replies come from a human within a working day or two. Your data is not added to any list.
