Nearly half of UK companies hit by cyber attacks
The overall cyber security risk to UK organisations remains “widespread and important” with 43% of companies, 28% of charities and 69% of large businesses having suffered either a data breach or cyber attack in the past 12 months, and 29% of respondents saying they were experiencing incidents at least once a week.
That is according to the UK government’s latest Cyber Security Breaches Survey for 2025-26, which comes at the tail end of a 12-month period that saw a series of high-profile incidents targeting the likes of Marks & Spencer, Co-op Group, and Jaguar Land Rover, as well as amid increased concern over the impact of offensive artificial intelligence (AI) – which was the subject of a warning from government ministers earlier in April.
“These figures are a stark reminder of the importance of having strong cyber security measures. All business leaders must be gripping this challenge and taking action now, especially as AI is making the risk more acute. Quite simply, companies cannot afford not to take these steps,” said cyber security minister Liz Lloyd.
Lloyd has immediately written to the CEOs and chairs of over 180 of Britain’s largest companies to urge as many as possible to sign on to the government’s Cyber Resilience Pledge, which was announced at the National Cyber Security Centre’s (NCSC’s) annual CyberUK conference in April and is set to launch later in the year.
Organisations signing up to the Cyber Resilience Pledge must take three firm actions to improve their security:
- Make cyber security a board-level responsibility;
- Sign on to the NCSC’s Early Warning service, which is free;
- Obtain the NCSC’s Cyber Essentials certifications across their supply chains.
Lloyd said that doing so would help businesses significantly strengthen their defences and keep themselves, their customers, and the wider economy, safe. “Companies will not be powerless,” she said.
An improving picture?
While the headline statistics give Westminster good reason to keep banging the drum for cyber security, digging deeper, the data show evidence of an improving picture in some regards. The proportion of companies affected by cyber incidents was roughly in line with the 2024-25 survey period, and down from a high of 50% in 2023-24.
Ransomware attacks against companies also appear to have dropped a little, with 1% of respondents saying they had been affected by ransomware, down from 3% a year ago, while the prevalence of phishing attacks – although not significantly down on 2024-25 – is well down on 2023-24, affecting 38% this year compared to 42% 24 months ago. And impersonation breaches or attacks affected 12% in 2025-26, down from 17% in 2023-24. Charities – which the government accounts for separately in the report – have also seen significant drops in impersonation attacks or breaches.
That said, phishing attack volumes remain high and are still the most prevalent form of cyber incident, experienced by 38% of companies and 25% of charities, as well as the most disruptive. Those who took part in qualitative interviews for the report tended to agree that phishing attacks had become easier to commit, and were becoming more sophisticated, which was contributing to the rise.
The number of companies reporting that cyber attacks or breaches led to loss of revenues – or impact to share values – has risen from 2% last year to 5% this year, while the number reporting they experienced reputational damage is also up, from 1% last year to 3% now.
The M&S effect
Picking apart its data, the government said that recent high-profile incidents – like the M&S attack – did not seem to be feeding through in terms of causing a wider shift in resilience. It said that while one might have expected such incidents to spur an increase in vigilance, prioritisation and action on cyber issues has not moved significantly, and long-standing issues such as the resilience gap between large companies and SMEs persist.
Indeed, SME cyber hygiene has been declining on a number of measures after improving in the previous report – the number undertaking risk assessments or putting cyber risk policies or business continuity plans in place appears to be dropping.
TrendAI cyber strategy director, Jonathan Lee, said: “This highlights how awareness of cyber risks still hasn’t fully converted into mitigating action, with no overall reduction in the level of successful cyber attacks year on year.
“While boards report taking more responsibility for cyber risk, it’s worrying to see a year-on-year rise in the proportion of organisations that report seeing government advice and initiatives about cyber security but go on to do nothing in response. This isn’t just on UK companies and charities. Government needs to do a better job with streamlining schemes, brands and channels to make for a single, coherent national voice on cyber literacy that’s accessible – not just geared towards CIOs,” said Lee.
Lee warned that the UK’s fast-digitising society is being built on “fragile foundations”, particularly with so many business leaders seemingly in awe of AI to the exclusion of the risks it poses.
“While that’s good news for the government’s stated aim of making the UK the fastest country in the G7 to roll out AI, it’s a clear risk as long as complacency about cyber risks is commonplace,” he noted.

