IT leaders must bridge the gap between written policy and operational readiness.
More than two-thirds of organisations have self-disclosed a breach or potential breach to the ICO in the past year.
The figure is up from 53 percent in 2024, and the research by Apricorn said the 69 percent self-disclosing could be interpreted as evidence of a greater sense of awareness and accountability.
In comparison, only eight percent of businesses surveyed were reported by a third party, compared to 14 percent last year, indicating stronger internal reporting processes and a move away from reactive disclosure. This change suggests that businesses are beginning to take greater ownership of their breach response strategies and are stepping up to take responsibility.
Fielding said: “Self-reporting breaches is a positive step, but if organisations want to reduce how often they’re doing it, they must bridge the gap between written policy and operational readiness.
“This includes clear provisioning of secure tools like hardware-encrypted drives, restricting data movement to known systems, and prioritising the secure handling of data at every endpoint.”
Mobile Policy
The majority of the 200 respondents - 99 percent of organisations - have a mobile or remote working security policy in place, and 95 percent believe their workers understand and follow it. However, 46 percent of organisations surveyed admit their remote or mobile workers knowingly put corporate data at risk in the last year, while 61 percent believe their mobile workforce is likely to expose them to a future breach.
Also, 56 percent of organisations now allow staff to use personal devices to access corporate systems and data, a nine percent increase over last year and the highest level recorded by Apricorn since 2019. Although most organisations use software to control access, these tools often lack the visibility and enforcement provided by corporate-issued devices.
The mounting complexity of managing remote technologies is another key concern, with more organisations struggling with this than in any previous edition of the survey. 47 percent of organisations reported that managing all of the technology that employees need and use for mobile/remote working is too complex. Meanwhile, 35 percent say remote working has made it harder to comply with GDPR, potentially due to rising concerns about cyber sovereignty and data localisation requirements.
Fielding warned that businesses cannot afford to confuse policy with protection. “Too many organisations are relying on assumptions that policies are followed, that devices are secure, that staff know what to do, but if organisations want to reduce breach risk, they must give staff the right tools to do the right thing.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.