UK Cyber Security Breaches Survey 2025: Key Findings

July 16, 2025

The latest Cyber Security Breaches Survey 2025, published by the Department for Science, Innovation and Technology and the Home Office, provides crucial insights into the current state of cyber security across UK businesses and charities. The findings reveal both progress and persistent challenges in the cyber security landscape.

The Scale of the Challenge

The survey paints a stark picture of the cyber threat facing UK organisations. Just over four in ten businesses (43%) and three in ten charities (30%) reported experiencing some form of cyber security breach or attack in the past 12 months. This translates to approximately 612,000 UK businesses and 61,000 charities that identified cyber incidents during this period.

Whilst there has been a decrease from 2024 figures (down from 50% for businesses), this decline was primarily driven by fewer micro and small businesses identifying phishing attacks. Concerningly, medium and large businesses continue to face high levels of threat, with 67% of medium businesses and 74% of large businesses experiencing breaches or attacks.


Phishing Remains the Dominant Threat

Phishing attacks continue to be the most prevalent and disruptive form of cyber attack, experienced by 85% of businesses and 86% of charities that suffered any form of breach. What makes this particularly concerning is that phishing was also identified as the most disruptive type of attack by 65% of businesses and 63% of charities.

The qualitative research reveals why phishing is so problematic: organisations are spending considerable time dealing with the sheer volume of these attacks, investigating each incident, and training staff. There's also growing concern about AI-powered phishing techniques becoming increasingly sophisticated and mainstream.



The Rise of Ransomware

Whilst overall cyber crime prevalence remained stable, there was a significant increase in ransomware attacks. The percentage of businesses experiencing ransomware crimes increased from less than 0.5% in 2024 to 1% in 2025, equating to an estimated 19,000 businesses affected by ransomware in the past year.



Cyber Hygiene: Progress and Gaps

The survey shows encouraging progress, particularly among small businesses, which improved on several key measures:

  • Risk assessments: 48% now conduct cyber security risk assessments (up from 41% in 2024)
  • Cyber insurance: 62% have cyber insurance coverage (up from 49% in 2024)
  • Formal policies: 59% have formal cyber security policies (up from 51% in 2024)
  • Business continuity: 53% have business continuity plans covering cyber security (up from 44% in 2024)

However, significant gaps remain in advanced security controls:

  • Only 40% of businesses have implemented two-factor authentication
  • Just 31% use VPNs for remote access
  • Only 30% monitor user activity


The Cost of Cyber Incidents

The financial impact of cyber breaches varies considerably, but the survey provides important benchmarks:

  • Average cost of the most disruptive breach: £1,600 for businesses (£3,550 excluding £0 responses)
  • Cyber crime costs: £990 average per business for non-phishing cyber crimes
  • Cyber-facilitated fraud: £5,900 average cost per business, highlighting the severe financial impact when breaches lead to fraud


Board Engagement: A Concerning Trend

Despite cyber security remaining a high priority for organisations, there's a troubling decline in board-level responsibility. Only 27% of businesses now have board members with explicit cyber security responsibilities, down from 38% in 2021. This trend suggests a potential disconnect between stated priorities and actual governance structures.

Supply Chain Vulnerabilities

The survey highlights significant weaknesses in supply chain security management:

  • Only 14% of businesses formally review risks from immediate suppliers
  • Just 7% examine wider supply chain cyber security risks
  • Many organisations place significant trust in suppliers without adequate oversight

Response and Recovery Capabilities

Incident response capabilities vary dramatically by organisation size:

  • 75% of large businesses have formal incident response plans
  • Only 23% of businesses overall have such plans in place
  • External reporting remains uncommon, with only 39% of affected businesses reporting breaches outside their organisation


Key Recommendations for Organisations

Based on these findings, organisations should prioritise:

1. Strengthen Phishing Defences

  • Implement comprehensive staff training programmes
  • Deploy advanced email filtering and threat detection
  • Run regular phishing simulation exercises
  • Consider AI-powered defence tools to combat AI-powered attacks

2. Enhance Board Engagement

  • Ensure clear board-level responsibility for cyber security
  • Provide regular cyber security updates to senior management
  • Develop cyber security expertise at board level

3. Advance Technical Controls

  • Prioritise two-factor authentication implementation
  • Deploy VPN solutions for remote access
  • Implement user activity monitoring
  • Carry out regular security assessments and penetration testing

4. Develop Incident Response Capabilities

  • Create and regularly test incident response plans
  • Define clear roles and responsibilities
  • Establish external reporting procedures
  • Consider cyber insurance as part of risk management strategy

5. Address Supply Chain Risks

  • Conduct regular supplier security assessments
  • Include cyber security requirements in procurement processes
  • Map and monitor wider supply chain dependencies


Looking Forward

The 2025 survey demonstrates that whilst some progress is being made, particularly among small businesses in adopting basic cyber hygiene practices, significant challenges remain. The persistent threat from phishing, the rise of ransomware, and the sophistication of AI-powered attacks require organisations to maintain vigilance and continuously evolve their defences.

The disparity between large and small organisations also highlights the need for targeted support and resources to help smaller businesses build adequate cyber resilience. Government initiatives and industry collaboration will be crucial in addressing these gaps and building a more secure digital economy.

As cyber threats continue to evolve, organisations must view cyber security not as a one-time investment but as an ongoing strategic priority requiring constant attention, regular updates, and sustained investment in both technology and people.

At altiacyber, we specialise in helping organisations of all sizes build comprehensive cyber security strategies that address real-world threats. Our expert team can guide you through risk assessments, policy development, technical implementations, and staff training programmes.

Don't wait for a breach to happen. Contact us today for a confidential consultation and discover how we can help protect your organisation against the evolving cyber threat landscape.
Email us at innovate@altiatech.com or call +44 (0)330 332 5482
