What the UK Cyber Security Breaches Survey 2025/26 actually tells you
Source: DSIT & Home Office, 2,112 UK businesses surveyed
The Cyber Security Breaches Survey runs annually. This edition covers August to December 2025, with responses from 2,112 UK businesses. It is produced by DSIT and the Home Office. We are not editorialising the numbers below. Everything attributed to a percentage comes directly from the published report.
We have organised the findings into three sections: one for finance directors, one for operations managers, and one for managing directors. Skip to the section most relevant to you.
43%
of UK businesses experienced a breach or attack in the last 12 months
612k
UK businesses affected. The real number behind the percentage
65%
of medium businesses were hit. Much higher than the headline figure
2.5x
increase in reports of revenue or share value loss compared to last year (2% to 5% of affected businesses)
The 43% headline has been stable for two years, following a drop from 50% in 2023/24. That stability is not reassurance; it means the attack rate has plateaued at a level where roughly four in ten businesses are affected every year. For medium-sized businesses, the rate is 65%. For large businesses, it is 69%.
The more meaningful trend this year is in the consequences. Reported loss of revenue or share value increased from 2% to 5% of affected businesses. Reported reputational damage tripled. These are self-reported figures from organisations that experienced a breach, and they will undercount the true picture as many incidents go unidentified or unreported.
For Finance Directors
Risk, cost, and what the numbers mean for the balance sheet
The survey does not produce a single average breach cost that applies cleanly to all businesses. For the majority of businesses, the median perceived cost of the most disruptive incident is £0, which reflects the fact that many incidents are contained without measurable financial impact. The more useful figure is at the upper end of the distribution.
£10k
95th percentile cost
Top 5% of cases: up to £10,000 for medium and large businesses
The majority of businesses reported low or no financial cost from their most disruptive incident. But the top 5% of cases reached £4,000 for all businesses overall, rising to £10,000 for medium and large businesses. These are perceived costs, which means they exclude indirect losses, staff time, reputational damage, and the cost of recovery work.
5%
reported revenue loss (up from 2%)
Financial impact is being reported more often than it was
Among businesses that experienced a breach, the proportion reporting loss of revenue or share value more than doubled year on year. Reported reputational damage went from 1% to 3%. Both numbers are still relatively small in absolute terms, but the direction is clear.
47%
hold cyber insurance
Under half of businesses are insured against cyber risk
Nearly half of businesses have some form of cyber insurance, with small and medium businesses more likely to be insured (55% and 61% respectively) than businesses overall. What the survey does not capture is whether those policies cover the full scope of a material incident – limits, exclusions, and notification requirements vary widely.
15%
review immediate supplier risk
Supply chain risk is almost universally unreviewed
Only 15% of businesses formally review the cyber security risks posed by their immediate suppliers. Fewer than one in ten look at their wider supply chain. For businesses that rely on third parties for any critical function (e.g. payroll, project management, file storage, communication), that is a gap with direct commercial and liability consequences.
What this means in practice
The cost of a breach is not predictable until it happens. The more useful frame for a finance director is the cost of not having the controls in place that would have prevented it. Cyber Essentials certification, for example, is increasingly required for public sector contract tendering. The commercial value of holding it can be quantified before any incident occurs.
One finding worth noting: only 31% of businesses have board-level responsibility for cyber security. That figure has increased from 27% last year, which is a positive direction, but it still means most businesses do not have a clear line of accountability at senior level. The survey found that 72% of senior management teams consider cyber a high priority. The gap between stated priority and formal governance is where risk accumulates.
For Operations Managers
The controls most businesses have…and the ones most don’t!
The survey tracks adoption of specific technical controls across all business sizes. The picture divides into two groups: basic controls that most businesses have implemented, and more advanced controls where adoption is significantly lower. The gap between the two groups is where most incidents start.
Basic controls: most businesses have these
Advanced controls: significant gaps remain
Two-factor authentication at 47% is the most striking gap. This is not a technically complex control. It is available free or at low cost on almost every major platform. The survey data does not explain why adoption remains below half, but anecdotally the reasons are usually friction for staff and the absence of anyone with the authority to enforce a policy change across the business.
14%
One in seven businesses holds unprotected personal data
Around one in seven businesses confirmed they hold personal data not protected by anonymisation or encryption. This sits alongside UK GDPR obligations, which require organisations to take appropriate technical and organisational measures to protect personal data. The survey does not assess the nature of the data involved, but for any business holding client records, this is the relevant question to answer.
38%
Phishing remains the dominant attack type…and it is becoming easier to execute!
Phishing accounted for the most disruptive attack in 69% of cases where a breach occurred. The qualitative research found that interviewees perceived phishing as easier for attackers to carry out than in previous years, which they attributed to AI-assisted message construction. The proportion of businesses experiencing phishing as their only breach type increased from 45% to 51% this year.
19%
Staff training has not increased despite rising awareness
Despite a year of high-profile cyber incidents moving the topic up management agendas, the proportion of businesses running staff training and awareness activities remained flat at 19% – the same as the previous year. Awareness of the problem has increased; the operational response has not.
The AI angle
Around a third of businesses are either using AI, in the process of adopting it, or actively considering it. Of that group, only 24% have cyber security practices in place to manage the risks from AI use. That means roughly three quarters of businesses using or adopting AI have no specific security practices covering it.
Small businesses saw their cyber security practices slip back to 2023/24 levels after improvements the year before. Formal cyber security policies dropped from 59% to 52%. Business continuity plans that address cyber security fell from 53% to 44%. These are not minor shifts. They suggest that any progress made during a period of increased attention tends to erode without ongoing structure to maintain it.
For Managing Directors
Governance, accountability, and the questions worth asking
The survey separates what businesses say from what they have formally put in place. The gap between those two things is where most governance problems live.
| Statement | % of businesses | Assessment |
|---|---|---|
| Cyber security is a high priority for senior management | 72% | Stated priority |
| Board-level responsibility for cyber security is assigned | 31% | Governance gap |
| Formal cyber security strategy is in place | 57% of medium, 70% of large | Variable |
| Formal incident response plan exists | 25% overall; 57% medium, 76% large | Most don't have one |
| Cyber security risk assessment conducted | 30% | Underperforming |
| Hold Cyber Essentials certification | 5% overall (up from 3% last year) | Increasing |
| Sought external cyber security guidance | 44% | Positive signal |
The board responsibility figure (31%) is worth sitting with. Seven in ten senior management teams say cyber is a high priority. Under a third have formally assigned responsibility for it at board level. That gap tends to produce the same outcome in most organisations: everyone considers it someone else’s problem until something happens.
The incident response number is similarly revealing. Only 25% of businesses have a formal incident response plan. For medium businesses the figure is 57%, and for large businesses 76%, which suggests that size and formality correlate, as you would expect. For a business of 10 to 100 people, the question is whether the size is a reason not to have a plan, or a reason to treat the absence of one as a decision that needs revisiting.
5%
hold Cyber Essentials (up from 3%)
Cyber Essentials uptake is growing from a low base
The proportion of businesses holding Cyber Essentials certification has increased, driven particularly by large businesses (21% to 35%) and small businesses (5% to 12%). The certification is a requirement for many public sector contracts, and a growing number of private sector supply chains are beginning to require it. Having the controls in place but not the certification is a position many businesses are in: the survey found that 24% of businesses already have all five Cyber Essentials control areas implemented.
44%
sought external guidance
External IT providers are the most commonly used source of guidance
Among businesses that sought external guidance on cyber security, IT consultants and providers were the most commonly cited source (27% of businesses). Fewer than 2% named government bodies such as the NCSC without prompting. This reflects how cyber security decisions actually work in practice for most businesses: through the IT relationship, not through government resources.
The AI governance gap
Around a third of businesses are currently using AI, adopting it, or actively considering it. Of those, only 24% have cyber security practices in place to manage the risks from AI use. The survey did not define what constitutes an adequate practice — but for a managing director, the relevant question is whether there is a written policy that staff have been made aware of, covering which tools are permitted and what data should not be shared with them.
The Controls Picture
What Cyber Essentials actually covers, and what it leaves out
Cyber Essentials is a government-backed certification scheme covering five control areas. It is a baseline rather than a comprehensive standard. The survey found that 24% of businesses already have the technical controls in all five areas, but only 5% hold the certification. The gap between implementation and formal verification matters when tendering for work.
- Firewalls: boundary controls to protect internet-facing services and devices
- Secure configuration: default settings removed, unnecessary services disabled, accounts with default credentials changed
- User access control: standard user accounts for day-to-day work, admin rights limited to those who genuinely need them
- Malware protection: up-to-date antivirus or application controls that prevent unknown software from running
- Patch management: software, operating systems, and firmware kept up to date within 14 days of a critical patch being released
What the survey found about these controls
The basic controls (malware protection, firewalls, password policies) are in place for most businesses. The gaps are in the more operationally demanding controls: consistent patch management, restricted admin rights that are maintained as staff change, and the ongoing upkeep that Cyber Essentials requires as a continuous standard rather than a point-in-time check.
The 2026 iteration of Cyber Essentials (v3.3, sometimes referred to as “Danzell”) introduced updated guidance on cloud services, home working environments, and multi-factor authentication requirements. Businesses that achieved certification under an older version should confirm whether their current implementation still meets the updated standard.
What to do next
Three questions worth answering before anything else
Finance Directors
Do you know what your exposure looks like if a breach occurs?
Check what your cyber insurance actually covers, including the limit, exclusions, and what notification obligations are triggered. Then confirm whether you review cyber risk posed by your immediate suppliers.
Operations Managers
Which of the five Cyber Essentials controls are you missing?
Work through the five areas listed above. Multi-factor authentication (part of user access control) and patch management are where most businesses have gaps. The question is not whether you have a policy – it is whether the policy is actually enforced.
Managing Directors
Who is formally accountable for cyber security at board level?
If the answer is nobody, that is the first thing to resolve. The second is whether you have a written incident response plan. It does not need to be long, but it needs to exist and to have been reviewed in the last 12 months.
The survey findings do not suggest that most businesses are negligent. They suggest that most businesses are under-resourced for the scope of the problem, and that the gap between stated priority and formal governance is where risk tends to accumulate. The practical question is not how to solve everything at once – it is which gap creates the most immediate exposure and how to close it.
About this post
Rodell Gordon is a Digital Marketing Executive at Cubit Technology. With experience supporting over a dozen different industries, from smart homes to urban greening solutions, he joined Cubit to help agencies develop their IT infrastructure with managed IT solutions.
All statistics in this article are drawn directly from the Cyber Security Breaches Survey 2025/26, published 30 April 2026 by the Department for Science, Innovation and Technology (DSIT) and the Home Office. The survey covered 2,112 UK businesses. Cubit Technology has not modified or extrapolated the figures — any interpretation is labelled as such.
