The extensive Cyber Security Breaches Survey shows the strengths and weaknesses of UK businesses.
While progress is being made in certain areas, evolving threats like phishing and ransomware, and disparities between different types of organisations, highlight persistent vulnerabilities.
According to the 2025 Cyber Security Breaches Survey, there is an observed strengthening of cyber hygiene among small businesses, along with the promotion of official guidance and initiatives and the improvement of incident response capabilities.
Encouraging and Empowering
The survey, produced by the Department for Science, Innovation & Technology and Home Office, also said there was “encouraging” transparent reporting, and empowering boards with cyber knowledge.
Following the launch of the Cyber Guidance Code of Practice this week, and the recent revelation of the proposed contents of the Cyber Security and Resilience Bill, this year’s survey determined there is a “complex and evolving cyber security landscape for UK businesses and charities.”
Responsibility and Guidance
Among the plethora of findings, the survey determined that board-level responsibility for cybersecurity has declined since 2021, and while the overall proportion of organisations seeking external information or guidance remained stable, large businesses showed a decrease on this measure.
Etay Maor, chief security strategist at Cato Networks, said while the survey noted a concerning trend of declining board-level responsibility for cybersecurity, it's essential that leadership recognises cyber risk as a core business concern. “Boards should ensure that robust security strategies are in place, including incident response plans that specifically address ransomware scenarios,” he said.
Also, while small businesses are making progress in adopting cyber hygiene practices, high-income charities face challenges in maintaining momentum, potentially due to funding limitations.
Small businesses demonstrated improved adoption of key cyber hygiene practices, while larger organisations benefit from formal strategies and established processes, and were more likely to have formal cybersecurity strategies in place and to review them regularly.
Breaches and Attacks
While the overall prevalence of cyber breaches or attacks among businesses has decreased compared to 2024, the number of affected organisations remains substantial (estimated 612,000 businesses).
The prevalence of cyber breaches and attacks remains high among medium and large businesses. For charities, the prevalence has remained stable since 2024, with an estimated 61,000 charities experiencing cyber breaches and attacks over the last 12 months.
Dan Lattimer, AVP, EMEA West at Semperis, said: “Every organisation, no matter its size or industry, should expect to become the target of a cyber-attack. Businesses must do their utmost to be prepared. While there is no way of stopping attacks from happening, ultimately, it’s the speed of the response to a cyber incident that can determine how big its impact is – and to what extent an organisation is able to limit the damage.”
Cybercrime
In the cybercrime statistics, phishing was the most common enabler of cyber-facilitated fraud, while other forms like hacking, ransomware, viruses, and denial of service attacks were less common.
The prevalence of both cyber breaches and attacks and cybercrimes in micro and small businesses was lower than in medium and large businesses, indicating poorer identification and reporting practices in smaller organisations with less sophisticated cybersecurity monitoring in place.
Matt Cooke, cybersecurity strategist EMEA at Proofpoint, said: “Phishing continues to plague UK businesses, so it comes as no surprise that this remains the number one threat in this year’s report. Email has been the number one threat vector for many years now – why? Because it continues to work. Cybercriminals target people with social engineering attempts via phishing emails, tricking people into doing what they want, mainly for financial gain.”
SC UK analysed the four chapters of the 2024 survey in a series of articles, looking at:
Impact of Cybercrime
Awareness and Attitudes
Tools, Guidance and Responsibility
Dealing with Breaches or Attacks
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.