
Cyber Breaches Survey Analysis: Prevalence and Impact of Cyber Breaches or Attacks

How prevalent have the most common cyber-attacks become, and what is the cost of dealing with them?

To present the penultimate part of the UK government’s Cybersecurity Breaches Survey for 2025, in this article we will look at chapter four: ‘Prevalence and impact of cyber breaches or attacks.’

In this chapter, the nature, extent and impact of cyber breaches and attacks on organisations over the past year are analysed, including the financial cost of these incidents.

Now the most important factor here is that the survey only includes the breaches or attacks that organisations were able to identify and willing to report, and there are likely to be hidden and unidentified attacks which are not included, “so the findings reported here may underestimate the full extent of the prevalence of cyber breaches and attacks.”

Essentially if reading these statistics makes you feel that things are bad, they could be a lot worse! In fact if we look at the top takeaway, that just over four in ten businesses (43 percent) and three in ten charities (30 percent) reported having experienced any kind of cyber security breach or attack in the last 12 months - equating to approximately 612,000 businesses and 61,000 charities - the numbers do seem rather high.

The year-on-year numbers also show a small decline from last year, with 50 percent of large and medium-sized businesses identifying a breach or attack. However, medium-income charities (42 percent) and high-income charities (64 percent) were significantly more likely to have identified a breach or attack compared to low-income charities (24 percent) and to charities overall (30 percent).

Phishing for Business

The most reported type of attack was phishing, cited by 94 percent of large businesses compared with 85 percent of businesses overall. The survey found that there was a decline in the proportion of businesses reporting phishing attacks (from 42 percent in 2024 to 37 percent in 2025).

Asked why he felt there was a decline, Rik Ferguson, VP security intelligence at Forescout, said we are not seeing less phishing, just less reporting. “The hidden story here may be around that user fatigue,” he said. “People are so used to dodgy emails that unless they trigger a visible incident, they go straight to the bin.

“That might sound like resilience, but it’s a double-edged sword. As users stop reporting, we lose valuable threat intel. Worse still, that fatigue could slide into indifference. If people stop paying attention altogether, attackers don’t need to get better, they just need to wait. Ironically, this ‘drop’ in reports could signal not progress, but a slow erosion of our early warning systems.”

The report further found that phishing attacks remained the most prevalent type of breach or attack by far - experienced by 85 percent of businesses and 86 percent of charities that experienced a breach or attack in the last 12 months - and continue to be the most disruptive type of breach or attack, according to 65 percent of businesses and 63 percent of charities that experienced a breach or attack.

Asked why phishing was the most disruptive, the most common reason given was that attackers impersonate people in emails or online. To a lesser extent, breaches or attacks were reported as disruptive because they led to the organisation being targeted with malware (reported by nine percent of both businesses and charities) or ransomware (reported by seven percent of businesses and one percent of charities). Phishing also resulted in a form of hacking, according to nine percent of businesses and two percent of charities.

“Phishing isn’t hanging around because it’s advanced, it’s hanging around because it works,” Ferguson said. “It’s cheap, scalable, and effective: but there’s a bigger engine driving it now, the booming underground economy of initial access brokers. Identities are ten-a-penny, and credentials phished from one inbox today are tomorrow’s toehold in a corporate network. Phishing feeds that supply chain. This has become about commodifying access and fuelling a thriving ecosystem of ransomware, thieves, and extortionists.

“Credentials are still very often the key to the enterprise, and phishing is where many of those keys are cut. Phishing greases the wheels for all those other payloads you mentioned.”

Other reasons given centred on the time taken to deal with phishing incidents, both time from the staff having to report them and the time taken by the IT or management team to investigate the incidents to assess whether any follow up action was needed.

Immediate Direct Costs

The final section focused on the ‘financial cost of breaches or attacks’ where granular details were given. Perhaps the biggest takeaway here is that the immediate direct costs of a cybersecurity breach or attack were reported as being very similar to the longer-term costs in the aftermath of an incident. In other words, the cost of an incident is similar regardless of whether it is dealt with immediately or later on.

The report claimed that this similar figure was different to 2024, 2023 and 2022 where for micro and small businesses short-term direct costs were recorded as being much higher than longer-term costs.

Further, the average total cost of the most disruptive breach for businesses is slightly higher, at £1,600, than in 2024, when it was £1,205.

Finally the average total cost of the most disruptive breach or attack for charities (£3,240 across all breaches and attacks) was much higher than in 2024 (£460 across all breaches).

Jack Jarvis, senior penetration tester at Bridewell, said it is likely that the cost of a breach is rising due to spending on cybersecurity defences: as businesses are now expected to move more and more of their services online, companies will likely have a larger footprint on the internet.

“In the news we see cyber-attacks are gaining more of a widespread audience, and can seriously damage the reputation of companies that fall victim,” he said. “Not only this, but a disruption in services over an extended period of time can drastically affect a company's revenue. Budgeting for cybersecurity is now commonplace and usually unanimously agreed upon to spend more for it as a preventative measure.”

Also, Shane Barney, CISO of Keeper Security, said: “On the rising cost of breaches, there is no question that more organisations are investing in robust cyber defences, but those costs aren’t purely preventative.

“When a breach occurs, today’s sophisticated attacks often require a full investigation, longer recovery times, and in some cases, remediation involving third-party experts,” he said. “Our own research found that 73 percent of IT leaders experienced a cyber-attack that resulted in monetary loss, showing that the financial hit is far from theoretical.”

Time and energy can be lost to these investigations, and that is why the most basic types of attack are often the most disruptive. As we have also learned here, many attack attempts simply end up in the bin unreported, so we do not really have a clear view of how many attacks are attempted. Is this a sign of a vigilant user who does not click through, or of one who does not realise that reporting helps the infosec team?

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.