The UK Government has published its 2025/2026 Cyber Security Breaches Survey, which is drawn from information received from thousands of UK businesses.
The 2025/2026 survey paints a picture of a cyber threat landscape that is stable in its scale but shifting in its character. The publicity surrounding high-profile incidents has not yet resulted in a sustained economy-wide improvement in resilience. The resilience gap between larger organisations and smaller ones persists, and new risks arising from AI adoption are emerging faster than security practices can keep pace.
Included below are the headline facts and figures extracted from the survey. A copy of the full survey can be found here.
Scale of Impact
- 43% of businesses who responded to the survey reported a cyber security breach in the last 12 months.
- Larger businesses appear to be significantly more exposed based on reported incidents. 65% of medium and 69% of large businesses reported experiencing a breach, compared to 42% of micro and 46% of small businesses.
- Businesses reporting loss of revenue or share value rose from 2% to 5%.
- Businesses reporting reputational damage rose from 1% to 3%.
Threat Landscape
- Phishing attacks remain by far the most prevalent type of breach, experienced by 38% of respondent businesses, and rated as the most disruptive type of breach or attack by 69% of affected businesses.
- Qualitative interviews highlighted a perception that phishing attacks have become easier for attackers to commit and are growing in sophistication.
- Ransomware attacks on businesses declined to 1% of survey participants, down from 3% in each of the two preceding years.
Prevalence of Cybercrimes
In the context of the survey, “cybercrimes” refers to specific crimes under the Computer Misuse Act 1990 (broadly defined as crimes involving gaining unauthorised access, or causing damage, to computers, networks, data or other digital devices, or the information held on those devices).
- 19% of respondent businesses were victims of at least one cybercrime.
- Phishing accounted for 93% of business
- The median number of cybercrimes was three per business, though a mean of 19 indicates significant repeat victimisation among a subset of organisations.
AI Adoption and Security Readiness
A new area explored in this year’s survey is the intersection of AI adoption and cyber security.
- Approximately a third of businesses are either using AI, are in the process of adopting it, or actively considering doing so.
- Of this group, only 24% reported having cyber security practices or processes in place to manage the associated risks. A third of businesses had no plans to implement cyber security practices or processes to manage the associated risks.
Cyber Hygiene: Progress and Regression
Basic technical controls remain widely deployed:
- Malware protection: 81%
- Cloud backups: 74%
- Password policies: 74%
- Firewalls: 74%
- Restricted admin rights: 73%
- Adoption of more advanced controls such as two-factor authentication and VPNs is increasing, but they remain less common, with deployment rates of 47% and 36% respectively.
There are still concerns with the protection of personal data:
- 14% of businesses held personal data that was not protected by anonymisation or encryption.
- Only 51% of businesses had specific rules for storing and moving personal data files.
Supply chain risk management continues to lag:
- Only 15% of businesses said they reviewed the risks posed by their immediate suppliers, and just 6% of businesses had assessed risks in their wider supply chain.
- The figure rises in larger businesses, with 48% of large businesses reporting that they had reviewed immediate suppliers.
Board Engagement and Governance
- 72% of businesses consider cyber security a high priority for senior management.
- Board-level responsibility for cyber security was seen in 31% of businesses (up from 27% last year).
Incident Response and Recovery
- Only 25% of businesses have a formal incident response plan, meaning that most businesses that experienced a breach reacted without a defined strategy.
- 81% of businesses informed directors or trustees following a breach.
- Only 40% of businesses reported their most disruptive breach externally.
- 61% of businesses took action to prevent future incidents, most commonly through people or training changes.
The 2025/2026 survey results point to a clear set of practical priorities for organisations:
- Review personal data protection controls — confirm that all personal data stores are subject to appropriate technical safeguards, including anonymisation or encryption where applicable.
- Establish or refresh your incident response plan — ensure your plan covers roles, escalation paths, regulatory notification timelines, and recovery steps so that your organisation is not forced to improvise during a breach.
- Extend security due diligence to your supply chain — map key processors and sub-processors, and embed cyber security requirements into procurement and contract management.
- Assess AI-related cyber risks now — conduct a risk assessment before deployment, not after, and put dedicated cyber security processes in place for any AI tools your organisation adopts.
- Invest in anti-phishing resilience — prioritise regular staff awareness training and simulated phishing exercises, given that phishing remains by far the most common and most disruptive attack vector.
- Secure board-level engagement — ensure cyber security is a standing agenda item with at least quarterly updates, particularly in mid-sized organisations where reporting frequency is declining.
- Monitor for financial and reputational impact — during and shortly after an incident, it can be a challenge to quantify the financial and reputational impact of a cyber security incident (as demonstrated by the low figures set out under ‘Scale of Impact’ above). It is important for organisations to continue to monitor such impact to ensure appropriate mitigation measures and accurate corporate disclosures.
