'Depressingly familiar': Cyber Security Breaches Survey shows work still to be done on cyber preparedness
The government's annual cybersecurity report shows organizations are failing to shore up security capabilities
After a fall last year, the number of security breaches or cyber attacks in the UK stayed stubbornly constant in 2025-26.
According to the government’s 2025/26 Cyber Security Breaches Survey, just over four in ten businesses (43%) and around three in ten charities (28%) fell victim in the last year.
The figure was higher for medium-sized firms, at 65%, and for large businesses at 69%; micro businesses came off best, at 42%.
"These figures are a stark reminder of the importance of having robust cybersecurity measures. All business leaders should be gripping this issue and taking action now, especially as AI is making the threat more acute," said cybersecurity minister Liz Lloyd.
“Businesses are not powerless. Practical steps such as using the NCSC’s free guidance, signing up to their Early Warning service and adopting Cyber Essentials can significantly strengthen defences and help keep businesses, customers and the wider economy safe.”
The most commonly reported incidents were phishing attacks, which hit 38% of businesses and 25% of charities. They were also, according to 69% of victims, the most disruptive type of breach or attack.
The number of ransomware attacks fell to 1% this year, down from 3% in both 2024-2025 and 2023-2024. Meanwhile, phishing attacks and impersonation breaches or attacks are much the same as last year.
Impersonation breaches or attacks fell to 12% this year, down from 17% in 2023.
Modest cyber accountability improvements
Board-level responsibility for cybersecurity among businesses has risen to 31%, up from 27%, reversing a five-year downward trend.
Yet despite this, the survey found that only 25% of businesses have a formal incident response plan in place.
Darren Guccione, CEO and co-founder of Keeper Security, said that despite gains in board-level responsibility, there’s still room for improvement.
"Board engagement also deserves scrutiny," he said. "Cybersecurity cannot remain a delegated IT function. When a breach occurs, the consequences land at the executive level. Governance structures should reflect that reality before an incident, not after."
“Depressingly familiar”
While the survey found the number of cyber incidents remained roughly the same, security experts have voiced concerns about the lack of progress over the last year.
Tom Kidwell, co-founder of Ecliptic Dynamics, said the survey feels “depressingly familiar” and shows there’s still much work to be done to bolster cyber resilience across the UK.
“Breach levels haven’t shifted, preparedness hasn’t improved, and despite all the noise around breaches causing some serious damage against major brands like Marks and Spencer and the Co-op, too many organizations are still failing to act,” he commented.
“Talking about cybersecurity clearly isn’t the same as doing anything meaningful about it. Too many companies are still in the mindset that 'it won’t happen to me'.”
Charlotte Wilson, head of enterprise business UK&I at Check Point Software, said a positive takeaway from the report is a renewed focus on cyber hygiene, an area which many companies often overlook.
“It’s something we see time and time again. Companies are racing to secure the next big threat, but so often they’re missing the foundations (strong password policies, privileged access management, MFA, etc.),” she said.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.


