UK cyber breaches steady; 43% of businesses hit in 2025-26
In 2025-26, 43% of UK businesses and 28% of charities reported cyber breaches; phishing was most common. Board-level responsibility rose to 31%, while 25% have incident response plans.
The UK government’s 2025-26 Cyber Security Breaches Survey found little change in reported incidents. Over the past 12 months, 43% of businesses and 28% of charities reported at least one security breach or attack.
The risk varied by size. Medium-sized businesses reported a 65% breach rate, large firms 69% and micro businesses 42%.
Phishing was the most common incident, affecting 38% of businesses and 25% of charities. Among organizations that experienced breaches, 69% said phishing caused the most disruption. Ransomware incidents fell to 1% this year from 3% in both 2023-24 and 2024-25. Impersonation attacks dropped to 12% from 17% in 2023.
Governance metrics showed modest change. Thirty-one percent of businesses place responsibility for cybersecurity at board level, up from 27% last year. Only 25% of businesses reported having a formal incident response plan.
Cybersecurity Minister Liz Lloyd warned business leaders to take action. “All business leaders should be gripping this issue and taking action now, especially as AI is making the threat more acute,” she urged, and recommended organizations use the National Cyber Security Centre’s guidance, sign up for its Early Warning service and adopt the Cyber Essentials standard.
Darren Guccione, chief executive of Keeper Security, argued that board attention has increased but engagement must deepen. “Board engagement also deserves scrutiny,” he added, noting that cybersecurity should not remain a delegated IT function and that governance needs executive-level accountability before a breach.
Tom Kidwell, co-founder of Ecliptic Dynamics, described the results as “depressingly familiar,” saying breach levels and preparedness had not improved and that many organizations still operate with an “it won’t happen to me” mindset.
Charlotte Wilson, head of enterprise UK&I at Check Point Software, pointed to basic cyber hygiene as an immediate focus. She cited strong password policies, privileged access management and multi-factor authentication as controls often overlooked.
The report and industry figures identified measures organizations can take to reduce risk: use NCSC guidance, enable multi-factor authentication, strengthen access controls and formalize incident response plans.



