More than four-in-ten UK businesses were hit by a cyber attack last year, marking a decrease on the year prior – but security experts have warned enterprises to still remain vigilant.
The government’s latest Cybersecurity Data Breaches Survey revealed that 43% of businesses were affected, with a total of 612,000 cyber attacks or breaches recorded across the year. That’s noticeably fewer than in the previous year, when the figure was 50%.
There were 61,000 attacks against charities, affecting three-in-ten, down from 32% in the previous year.
But the fall wasn’t spread evenly across the board. While micro and small businesses fell victim to fewer phishing attacks, the figures for medium and large businesses were pretty much the same as in 2024.
Small businesses in particular showed the most improvement in several cyber hygiene practices, with nearly half using cybersecurity risk assessments, up from 41% in 2024.
More than six-in-ten revealed they now have cyber insurance, up from 49% in 2024, and the proportion with a formal cybersecurity policy rose slightly. Meanwhile, 53% now have a business continuity plan, up from 44% in 2024.
High-income charities, though, got worse. Only three-quarters now carry out activities to identify cybersecurity risks, down from 86% in 2024.
Similarly, just one-in-five said they review immediate supplier risks, down from 36% in 2024, and the proportion having a formal cybersecurity strategy in place fell from 47% to 39%.
Cybersecurity is improving, but don’t get complacent
Jonathan Gill, CEO of Panaseer, said that while the survey showed positive signs, complacency could cause bigger problems down the line.
“Most breaches don’t happen because organizations ignored security, but because they believed they were secure when, in reality, they weren’t,” he said.
“They assume they’re covered, but blind spots in visibility mean critical assets go unpatched, misconfigurations slip through the cracks, and security gaps persist without anyone realizing it,” Gill added.
The most common type of breach involved phishing attacks, which affected 85% of businesses and 86% of charities.
Matt Cooke, cybersecurity strategist for EMEA at Proofpoint, said this was unsurprising given the continued success of phishing attacks by cyber criminals globally.
“Email has been the number one threat vector for many years now – why? Because it continues to work.”
The effects of these breaches included a near-doubling in temporary loss of access to files or networks – 7%, up from 4% in 2024 – while charities reported an increase in loss of access to third-party services at 5%, up from 1% in 2024.
The resulting costs were significant, the survey found, standing at around £1,600 for businesses and £3,240 for charities on average.
Both businesses and charities appear to be pretty poor at dealing with supply chain risks, the survey warned. Only 14% of businesses said they reviewed the risks posed by their immediate suppliers, and only 7% looked at their wider supply chain.
These figures were even worse for charities, at 9% and 4% respectively.
Board-level cybersecurity focus is dwindling
A concerning trend highlighted in the survey centered around board-level responsibility for cybersecurity, which has steadily declined among businesses since 2021.
Just over one-third (38%) of businesses had a board member with responsibility for cybersecurity in 2021 – this has since dropped to 27%.
Cooke noted that this is a “worrying development” and further highlights a degree of complacency among organizations of all sizes.
“Cybersecurity can’t be treated as an after-thought by anyone in an organization – particularly those at board level, who control the purse strings and business priorities.”
The findings are expected to inform the upcoming Cyber Security and Resilience Bill, which is set to introduce sweeping changes to shore up national cybersecurity capabilities and impose stricter requirements on businesses.
Etay Maor, chief security strategist at Cato Networks, said the growing threats posed by cyber criminals, and the increased use of AI tools by sophisticated threat groups, poses questions for lawmakers.
“The bill should incorporate measures to address the growing threat of AI-powered attacks, ensuring businesses and consumers are adequately protected from increasingly sophisticated cyber criminals,” he said.
“A holistic approach, encompassing proactive threat prevention, robust incident response, and mandatory reporting of AI-driven attacks, is crucial to effectively mitigate the evolving cyber landscape,” Maor added.
