A new report released by the U.K. government identified that cybersecurity breaches and attacks remain a common threat, as just over four in ten businesses (43 percent) reported having experienced some form of cybersecurity breach or attack in the last 12 months. The Cyber Security Breaches Survey 2025 noted that this is much higher for medium businesses (70 percent) and large businesses (74 percent). While this marks a decline from 2024, when 50 percent of businesses reported such incidents, the sheer scale signals a significant ongoing challenge. Notably, this decline was primarily among micro and small businesses, which reported fewer phishing attacks. However, medium and large enterprises showed a consistently high exposure, suggesting that scale and complexity remain key risk factors.

The Cyber Security Breaches Survey 2025 was commissioned by the Department for Science, Innovation and Technology (DSIT) and the Home Office. Designed as a reflection of the evolving state of cyber resilience in the UK, the survey draws from quantitative data and qualitative insights gathered between August and December 2024. 

With lead analysts Saman Rizvi (DSIT) and Eleanor Fordham (Home Office), the study provides a picture of how businesses, charities, and educational institutions are managing the cyber threat landscape. At its core, the research focuses on understanding the experiences of U.K. organizations as they navigate an increasingly complex digital threat environment. Its findings inform government strategy and underpin initiatives aimed at creating a secure and trustworthy cyberspace where businesses can thrive and public confidence is upheld.

Cybercrime statistics in the report provided a more focused lens on criminal activity in the digital space. In 2025, 20 percent of businesses were victims of at least one cybercrime, with phishing accounting for the overwhelming majority. However, a worrying development is the rise in ransomware attacks, which doubled from less than 0.5 percent of businesses in 2024 to 1 percent in 2025—translating to an estimated 19,000 organizations affected.

Also, the repeat victimization rate is alarmingly high, with the average business suffering 30 cyber crimes in the past year (median of 4), underscoring the persistent and relentless nature of these threats. 

In financial terms, the average cost of cyber crime (excluding phishing) was reported at £990 per business, rising to £1,970 when zero-cost responses were excluded. However, cyber-facilitated fraud—incidents where breaches led to fraudulent activity—carried significantly higher financial burdens, with an average cost of £5,900, rising to £10,000 when zero responses were excluded.

The Cyber Security Breaches Survey 2025 distinguishes between cybersecurity breaches and cyber crime, with the latter defined in legal terms under the Computer Misuse Act 1990. The distinction is vital, as while all cyber crimes are breaches, not all breaches meet the legal criteria of a crime. 

Survey results revealed that phishing remains the most prevalent form of attack, with 85 percent of affected businesses citing it as the main source of disruption. There also exists a growing concern about the sophistication of these methods, particularly the rise of AI-driven impersonation techniques, which are becoming more challenging to detect and defend against.

Despite a relatively stable percentage of organizations experiencing negative outcomes post-breach (16 percent for businesses, up marginally from 13 percent in 2024), certain consequences have become more pronounced. Businesses reported a rise in temporary loss of access to networks (7 percent, up from 4 percent), while charities faced increased disruption through loss of access to third-party services (5 percent, up from 1 percent). These disruptions highlight how breaches can impact not only technical systems but also broader operational dependencies.

Encouragingly, the Cyber Security Breaches Survey 2025 revealed an uptick in cyber hygiene among small businesses, marked by improvements in areas such as risk assessments, cyber insurance, formal policies, and continuity planning, suggesting a growing maturity in approach. For instance, 62 percent of small businesses now have cyber insurance, a significant jump from 49 percent in 2024. However, this progress is not universal. High-income charities saw a marked decline in key cyber security activities. 

The drop in formal strategies (from 47 percent to 39 percent) and supplier risk assessments (from 36 percent to 21 percent) suggests a tension between ambition and capacity, most likely driven by budget constraints, as qualitative data indicates.

The Cyber Security Breaches Survey 2025 found that the majority of businesses and charities have implemented basic technical controls, such as updated malware protection (77 percent businesses), password policies (73 percent businesses), network firewalls (72 percent businesses), backing up data securely through a cloud service (71 percent businesses) and restricted admin rights (68 percent businesses). 

However, adoption of more advanced controls like two-factor authentication (40 percent businesses), a virtual private network for staff connecting remotely (31 percent businesses), and user monitoring (30 percent businesses) remains lower than other measures. Staff training and awareness raising activities on cyber security were more prevalent in large businesses (76 percent compared to 19 percent businesses overall). Whilst a consistent increase among large businesses on this measure was observed in recent years, the proportion of large businesses in 2025 remains in line with 2024 (74 percent).

The Cyber Security Breaches Survey 2025 identified that risk management strategies remain static at the aggregate level, with 29 percent of businesses conducting cyber risk assessments, similar to 31 percent in 2024. Yet, within this consistency lies a deeper story of divergence. Small businesses are making strides—48 percent now conduct risk assessments, a significant rise from 41 percent last year. In contrast, high-income charities are moving in the opposite direction.

Supply chain vulnerabilities remain a blind spot, the report identified. Only 14 percent of businesses formally reviewed risks posed by their immediate suppliers, with even fewer examining the wider supply chain. This oversight is concerning, given the growing trend of supply chain compromises, which can be used as vectors for broader systemic attacks. Larger organizations, unsurprisingly, fare better here, likely due to both resource availability and the complexity of their vendor ecosystems. The report also found that cyber insurance uptake has grown overall, now covering 45 percent of businesses, though, again, small and medium enterprises lead this positive change.

The report also revealed that the boardroom remains a critical arena for cyber governance, but one where concerning trends are emerging. While cyber security remains a high priority for 72 percent of businesses, board-level responsibility has declined. Only 27 percent of businesses report having a board member responsible for cybersecurity, down from 38 percent in 2021. This decline hints at a possible disconnect between strategic importance and executive oversight, a gap that could have serious implications for long-term resilience.

Large businesses continue to demonstrate higher prioritization, with 96 percent treating cyber security as a top concern, reflecting the greater exposure of these entities, as well as potentially stronger regulatory and stakeholder pressures.

The U.K. Cyber Security Breaches Survey 2025 also pointed out that incident response remains largely internally focused, with most organizations (76 percent of businesses) reporting breaches to senior leadership. However, external reporting is much less common, partly due to the lack of clear guidance—only a third have documentation specifying when and how to escalate incidents externally. Larger organizations and those in regulated sectors such as health and finance show stronger alignment with best practice incident response, with documented procedures and plans in place. 

Following a breach, the most common preventive measure is staff training or communication, a low-cost but effective response that reflects an understanding of the human element in cyber security.

Commenting on the Cyber Security Breaches Survey 2025, Matt Cooke, cybersecurity strategist for EMEA at Proofpoint, stated in an emailed statement, “The trend of board-level responsibility for cyber security declining is a particularly worrying development. Cyber security can’t be treated as an after-thought by anyone in an organisation – particularly those at board level, who control the purse strings and business priorities.” 

Cooke added that previous research has found that both CISOs (70 percent) and board members (73 percent) were aligned in the feeling that a material cyber attack is likely to impact their organisation in the next 12 months, which highlights an alarming issue if cybersecurity is not adequately prioritized.

“The 2025 Cybersecurity Breaches Survey underscores the urgent need for stronger cyber defenses across UK businesses, and it comes as no surprise – the survey highlights a potential gap in investment in security monitoring and cyber security strategies,” Etay Maor, chief security strategist at Cato Networks, wrote in an emailed statement. “The increased prevalence of ransomware attacks and the persistent threat of phishing represent a risk to businesses as attack techniques become more sophisticated, especially in the realm of generative AI crafting more convincing phishing campaigns.”

He added that while the survey noted a concerning trend of declining board-level responsibility for cybersecurity, it’s essential that leadership recognizes cyber risk as a core business concern. Boards should ensure that robust security strategies are in place, including incident response plans that specifically address ransomware scenarios.

“To combat the rise in ransomware, organizations should implement a multi-layered security architecture that combines threat intelligence feeds, heuristic analysis, and advanced machine learning to detect and block attacks at various stages,” according to Maor. “This includes preventing initial infiltration through phishing, as well as limiting the spread of ransomware within the network.”

In conclusion, the Cyber Security Breaches Survey 2025 emphasizes that while progress is being made in certain areas, evolving threats like phishing and ransomware and disparities between different types of organizations highlight persistent vulnerabilities. Alongside the observed strengthening of cyber hygiene among small businesses, promoting official guidance and initiatives, improving incident response capabilities, encouraging transparent reporting, managing supply chain risks, and empowering boards with cyber knowledge are crucial steps toward building a more secure and resilient cyber landscape for the U.K.
