More than four-in-ten UK businesses were hit by a cyber attack last year, marking a decrease on the year prior – but security experts have warned enterprises to still remain vigilant.
The government's latest Cybersecurity Data Breaches Survey revealed that 43% of businesses were affected, with a total of 612,000 cyber attacks or breaches recorded across the year. That's noticeably fewer than in the previous year, when the figure was 50%.
There were 61,000 attacks against charities, affecting three-in-ten, down from 32% in the previous year.
But the fall wasn't spread evenly across the board. While micro and small businesses fell victim to fewer phishing attacks, the figures for medium and large businesses were pretty much the same as in 2024.
Small businesses in particular showed the most improvement in several cyber hygiene practices, with nearly half using cybersecurity risk assessments, up from 41% in 2024.
More than six-in-ten revealed they now have cyber insurance, up from 49% in 2024, and the proportion with a formal cybersecurity policy rose slightly. Meanwhile, 53% now have a business continuity plan, up from 44% in 2024.
High-income charities, though, got worse. Only three-quarters now carry out activities to identify cybersecurity risks, down from 86% in 2024.
Similarly, just one-in-five said they review immediate supplier risks, down from 36% in 2024, and the proportion having a formal cybersecurity strategy in place fell from 47% to 39%.
Cybersecurity is improving, but don’t get complacent
Jonathan Gill, CEO of Panaseer, said that while the survey showed positive signs, complacency could cause bigger problems down the line.
"Most breaches don’t happen because organizations ignored security, but because they believed they were secure when, in reality, they weren’t,” he said.
"They assume they’re covered, but blind spots in visibility mean critical assets go unpatched, misconfigurations slip through the cracks, and security gaps persist without anyone realizing it," Gill added.
The most common type of breach involved phishing attacks, which affected 85% of businesses and 86% of charities.
Matt Cooke, cybersecurity strategist for EMEA at Proofpoint, said this was unsurprising given the continued success of phishing attacks by cyber criminals globally.
"Email has been the number one threat vector for many years now – why? Because it continues to work."
The effects of these breaches included a near-doubling in temporary loss of access to files or networks - 7%, up from 4% in 2024 - while charities reported an increase in loss of access to third-party services at 5%, up from 1% in 2024.
The resulting costs were significant, the survey found, standing at around £1,600 for businesses and £3,240 for charities on average.
Both businesses and charities appear to be pretty poor at dealing with supply chain risks, the survey warned. Only 14% of businesses said they reviewed the risks posed by their immediate suppliers, and only 7% looked at their wider supply chain.
These figures were even worse for charities, at 9% and 4% respectively.
Board-level cybersecurity focus is dwindling
A concerning trend highlighted in the survey centered around board-level responsibility for cybersecurity, which has steadily declined among businesses since 2021.
Just over one-third (38%) of businesses had a board member with responsibility for cybersecurity in 2021 - this has since dropped to 27%.
Cooke noted that this is a “worrying development” and further highlights a degree of complacency among organizations of all sizes.
"Cybersecurity can’t be treated as an after-thought by anyone in an organization - particularly those at board level, who control the purse strings and business priorities."
The findings are expected to inform the upcoming Cyber Security and Resilience Bill, which is set to introduce sweeping changes to shore up national cybersecurity capabilities and impose stricter requirements on businesses.
Etay Maor, chief security strategist at Cato Networks, said the growing threats posed by cyber criminals, and the increased use of AI tools by sophisticated threat groups, poses questions for lawmakers.
"The bill should incorporate measures to address the growing threat of AI-powered attacks, ensuring businesses and consumers are adequately protected from increasingly sophisticated cyber criminals,” he said.
"A holistic approach, encompassing proactive threat prevention, robust incident response, and mandatory reporting of AI-driven attacks, is crucial to effectively mitigate the evolving cyber landscape," Maor added.
MORE FROM ITPRO
-
IBM just unveiled its new z17 mainframe – and it's built with AI performance in mindNews IBM has released the latest version of its mainframe, the z17, aimed at supporting AI workloads and inferencing.
-
Google Cloud Next 2025: Targeting easy AIITPro Podcast Throughout its annual event, Google Cloud has emphasized the importance of simple AI adoption for enterprises and flexibility across deployment
-
Unlock profitability with Cove Data ProtectionWhitepaper Agile risk management starts with a common language
-
Ransomware missteps that can cost youWhitepaper Agile risk management starts with a common language
-
The big book of selling data protectionWhitepaper Agile risk management starts with a common language
-
London council claims it faces 20,000 cyber attacks per dayNews Hammersmith and Fulham Council reportedly faces up to 20,000 attempted cyber attacks each day.
-
Detection is not enough: Exposed assets require rapid mitigation to reduce and eliminate riskWhitepaper Agile risk management starts with a common language
-
850,000 patients may have been affected in the Globe Life breach after firm revises victim listNews US insurer Globe Life has revealed more than 850,000 patients may have been impacted in a data breach after initially believing only around 5,000 were impacted.
-
Tata Technologies hit by ransomware attackNews A ransomware attack forced the technology provider to shut down several IT services
-
Hackers are using a new AI chatbot to wage cyber attacks: GhostGPT lets users write malicious code, create malware, and curate phishing emails – and it costs just $50 to useNews Researchers at Abnormal Security have warned about the rise of GhostGPT, a new chatbot used by cyber criminals to create malicious code and malware.
