Almost half of UK businesses suffered a cyber attack in the last year

New government research shows that 43% of businesses experienced a cyber security breach or attack in the last 12 months, equating to approximately 612,000 UK businesses.

The figure is the same as in last year’s report by the Department for Science, Innovation and Technology.

As in previous years, medium (65%) and large (69%) businesses were more likely to have experienced a cyber breach or attack, but significant numbers of micro (42%) and small (46%) firms were affected.

Phishing was the most prevalent type of breach, experienced by 38% of businesses. It was also the most disruptive incident, highlighted as the worst by 69% of companies.

Among those experiencing a cyber incident, phishing attacks were the only type that increased among businesses, from 45% last year to 51% this year.

Ransomware attacks on businesses declined compared with the previous two years (1% this year down from 3% in 2024/2025 and 2023/2024) and phishing attacks and impersonation breaches or attacks, whilst not significantly different to last year, have significantly declined compared to two years ago (38% this year down from 42% in 2023/2024).

Impersonation breaches or attacks decreased to 12% this year, down from 17% in 2023.

Although the majority of firms have implemented basic cyber protections, such as updated malware protection (81%), backing up data securely via a cloud service (74%), password policies (74%), network firewalls (74%) and restricted admin rights (73%), adoption of more advanced and highly recommended controls like two-factor authentication (47% of businesses), a virtual private network for staff connecting remotely (36%) and user monitoring (30%) remained lower than other measures.

The proportion of small businesses undertaking cyber security risk assessments fell to 41% (from 48% in 2024/2025), with the proportion having a formal cyber security policy covering cyber security risks also declining, to 52% (from 59%).

Last week, National Cyber Security Centre (NCSC) CEO Richard Horne said in a speech that the UK faces a “perfect storm” for cyber security.

“The two forces of rapid technological change and rising geopolitical tensions,” he said, “are creating what feels like tumultuous uncertainty”.

On AI, he added: “We know our adversaries will increasingly apply AI tooling. As we have seen in the media in recent days, frontier AI is rapidly enabling discovery and exploitation of existing vulnerabilities at scale. Illustrating how quickly it will expose where fundamentals of cyber security are still to be addressed, such as code shipped by tech producers with significant vulnerabilities, organisations that are not patching with the completeness or urgency they should or that are failing to grasp the nettle of replacing old legacy systems.”

On global security, he said: “We are living through the most seismic geopolitical shift in modern history.

“As Blaise Metreweli, the chief of MI6, said in December our world is more dangerous and contested now than it has been for decades.

“We are operating in a space between peace and war. And let’s be clear, cyberspace is part of that contest.”

Last month, technology secretary Liz Kendall and security minister Dan Jarvis sent an open letter on AI cyber threats to business leaders.

The letter said:

“Every business in the UK has a part to play. Criminals will not just target government systems and critical infrastructure. They will target ordinary companies, of every size, in every sector. Attackers go where defences are weakest.

“The steps organisations should take to protect against AI-driven cyber threats are the same cyber hygiene measures recommended for traditional cyber threats. We are asking every business leader reading this to take the following steps:

“1. Take cyber security seriously, at the very top of your organisation.

“If your board has not recently discussed cyber risk, do so at your next meeting and then regularly. This is not an issue to delegate to your IT team and forget about. This will only become increasingly important. We urge you and your board to use the Cyber Governance Code of Practice to ensure your organisation is sufficiently protected. Smaller businesses should also use the NCSC’s Cyber Action Toolkit to help them build their cyber protection. Not all incidents can be prevented, so you should plan and rehearse how your organisation would respond to a significant incident, including consideration of how cyber insurance can support response and recovery. Free cyber insurance is available to small organisations that obtain Cyber Essentials.

“2. Get the basics right with Cyber Essentials.

“Most successful cyber-attacks exploit simple weaknesses: outdated software, weak passwords, missing backups. Cyber Essentials is the government-backed certification scheme that protects against the most common attacks.

“Organisations that hold it are significantly less likely to suffer a damaging cyber incident. For most businesses, getting certified is neither expensive nor difficult. You should also look to embed Cyber Essentials requirements across your supply chains, and large organisations should use the NCSC’s Cyber Assessment Framework.

“3. Follow NCSC advice and sign up to their Early Warning Service.

“The National Cyber Security Centre (NCSC) provides free, practical advice, training and guidance at ncsc.gov.uk, for organisations of every size. Advice will also be issued by Regulators for regulated sectors. Early Warning is a free service from NCSC, which can inform organisations of potential cyber attacks and give them invaluable time to act before an incident escalates.

“We are entering a period in which the pace of technological change may test every institution in the country.

“The businesses that act now – that treat cyber security as an essential part of running a modern company, not an optional extra – will be the ones best placed to thrive through it and seize its advantages. We urge you to be among them.”
