
UK Cyber Resilience Plateaus as AI and Supply Chain Risks Rise

Cyber attack levels across the UK have held steady over the past year, but security leaders warn that stability masks deeper structural weaknesses, particularly around AI adoption, supply chain risk, and workforce readiness.

That’s the key takeaway from the latest Cyber Security Breaches Survey 2025/2026, which shows that a significant proportion of organisations continue to face cyber incidents despite incremental improvements in awareness and controls. 


Attack rates unchanged, but exposure persists

The study found that more than four in ten businesses and nearly three in ten charities experienced a cyber incident in the past year, a rate broadly unchanged from the previous survey. 

Rather than signalling a drop in threat activity, experts say the plateau likely reflects better detection and reporting.

Kevin Knight, CEO of Talion, said the findings point to a more informed—but still vulnerable—business landscape: “The Cyber Breaches Study highlights some interesting trends across the UK’s security landscape. Firstly, the volume of breaches organisations face appears to be similar to the numbers from last year. This doesn’t mean attacker activity is declining, it suggests organisations are becoming more aware of cyber crime and doing more to improve their defences.” Meanwhile, larger organisations remain disproportionately affected, reinforcing the link between scale, complexity, and attack surface.


Phishing remains a dominant entry point

Email-based attacks continue to account for the majority of incidents, with phishing far outpacing other techniques. 

The report also indicates that, in many cases, phishing is now the only method used in an attack—suggesting adversaries are doubling down on proven tactics rather than branching out.

Euan Carswell, SOC Team Lead at Barrier Networks, said the human factor remains the weakest link: “With phishing being the primary cause behind most breaches, it is also concerning that only 20% of organisations are routinely training their staff. Employees are the number one line of defence. Organisations will be leaving themselves exposed if they don’t prioritise awareness training.”

Despite the scale of the threat, only a minority of organisations are investing consistently in user education, leaving gaps that attackers continue to exploit.


AI adoption accelerates ahead of security controls

One of the most notable trends in this year’s survey is the rapid uptake of AI tools across organisations—without a corresponding increase in governance.

Roughly a third of organisations are either using AI or exploring its use, yet only a small subset have implemented safeguards to manage associated risks. 

Knight warned that this imbalance could introduce new vulnerabilities: “When it comes to AI adoption, it seems organisations are bringing AI into their environments, but only a small proportion are ensuring their security posture covers those deployments. This is a big concern...employees regularly inputting sensitive information into AI applications must be governed and secured in the same way as other sensitive SaaS platforms.” The challenge will be shifting AI from a productivity tool to a governed enterprise asset.


Supply chain risk remains under-addressed 

Third-party risk continues to be one of the least mature areas of cyber defence. Only a small percentage of organisations formally assess the security of their suppliers, and even fewer extend that scrutiny across their broader supply chain. “If organisations are not validating the security of their supply chain, they risk leaving their own environments wide open to attack,” Knight said.


Cyber Essentials uptake still lagging 

Government-backed baseline standards are gaining traction—but adoption remains low. Just 5% of businesses report holding Cyber Essentials certification, despite a modest increase year over year. Graeme Gordon, CEO of Converged Solutions Group, said this signals a broader issue with security validation: “While this is an increase… uptake of the certification is worryingly low. Unless organisations have their cyber security posture audited by experts, they can never be fully confident in the effectiveness of their controls,” he said.

Gordon added that relying on assumed security can be dangerous: “The worst time to find out your security controls are ineffective is when dealing with a live incident.”


Governance gap persists at the top 

Although cyber risk is increasingly recognised as a business issue, executive ownership is still inconsistent. Only about a third of organisations assign responsibility for cyber security at the board level, leaving many decisions siloed within IT functions. Carswell stressed that this approach is outdated: “Cyber needs to be governed at the board level… It is not an IT issue, it is a business-wide risk and in the very worst scenario it has the power to shutter an organisation.”

The report reinforces a familiar pattern: basic controls are widely implemented, but deeper resilience remains uneven. While organisations are improving visibility and awareness, they still lag in areas that require sustained investment, including supplier assurance, workforce training, and emerging technology governance. “There remain some concerning gaps within defences,” Knight said.

Kelley Damore
Kelley Damore Chief Content Officer CyberRisk Alliance

Kelley Damore is Chief Content Officer at CyberRisk Alliance, where she leads content strategy across the company’s digital brands, research, communities and live events serving CISOs and security practitioners. At CyberRisk Alliance, she is focused on delivering 365-day engagement, trusted journalism and actionable insights to help security leaders navigate an increasingly complex threat landscape.
