The 2025 UK Cyber Security Breaches Survey – the good, the bad and the ugly
- paul.lopez
- May 2
The 2025 Cyber Security Breaches Survey, commissioned by the UK's Department for Science, Innovation and Technology (DSIT) and the Home Office, offers a comprehensive overview of the current cyber threat landscape affecting UK businesses, charities, and educational institutions. Conducted between August and December 2024, the survey provides valuable insights into the prevalence of cyber incidents, organisational responses, and emerging trends in cybersecurity.

Reported Breaches Down but Overall Incidents Up
One notable finding is the decline in reported cyber breaches among UK businesses. In the past 12 months, 43% of businesses reported experiencing a cybersecurity breach or attack, down from 50% in the previous year. This decrease suggests that organisations may be adopting more effective cybersecurity measures. However, it's important to interpret this data cautiously, as underreporting or a lack of detection could also contribute to the lower figures.
Despite this decrease, the overall volume of cybercrime has increased. UK businesses experienced approximately 8.58 million cybercrimes over the past year, up from 7.8 million in the previous 12 months. This rise indicates that while individual organisations may report fewer incidents, the broader cyber threat environment is becoming more active and complex.
Phishing Remains Predominant
Phishing attacks continue to be the most prevalent form of cyber threat. According to the survey, 85% of businesses that identified a breach or attack reported phishing incidents, a slight increase from 84% the previous year. Whilst many phishing e-mails are still of low quality, it is generally believed that an increasing number of phishing campaigns are being run on the back of AI platforms.
With criminals trying to exploit weaknesses among your staff to get into your network, you need to foster a positive culture of blame-free internal reporting, supported by regular and effective staff awareness sessions.

Phishing remains the main way into your company
Increased Board-Level Engagement
There is a positive trend in organisational governance regarding cybersecurity. The survey indicates that 61% of large businesses and 51% of charities now have board-level responsibility for cybersecurity, up from 55% and 45%, respectively, in the previous year. This increased engagement at the leadership level is crucial for integrating cybersecurity into overall business strategy and risk management.
Challenges in Supply Chain Security
Despite advancements in internal cybersecurity practices, organisations face challenges in managing supply chain risks. The survey notes a decline in formal supplier cybersecurity assessments, dropping from 28% to 23%. This decrease suggests that while organisations may be strengthening their own defences, they may not be adequately addressing vulnerabilities introduced through third-party relationships. This is particularly puzzling when viewed against a rise in supply chain attacks.
Awareness and Adoption of Cyber Essentials
The Cyber Essentials scheme, a government-backed cyber standard designed to help organisations protect against common cyber threats, remains underused. This is despite government statistics indicating that organisations with a CE certification are 92% less likely to face a cyber breach than organisations without it.
That said:
- Only 12% of businesses and 11% of charities are aware of the scheme.
- A mere 3% report adhering to its guidelines.
What does the survey really tell us?

The survey reveals a complex cybersecurity landscape in the UK.
The Good. Last year there were several positive developments, such as decreased reported breaches and increased leadership engagement.
The Bad. Challenges remain, particularly in addressing the rising volume of cybercrime and securing supply chains. Organisations must continue to evolve their cybersecurity strategies, emphasising not only internal defences but also the security of their broader networks and partnerships.
The Ugly. The rate of rise in risk continues to outstrip the rate of uptake of sensible precautions. This is likely to result in further increases in experienced attacks, breaches, and financial losses. Without significant positive changes, I would expect to see new government regulation to mandate the standards that are needed for a more cyber secure UK business landscape.
What next?
The Eastern Cyber Resilience Centre is a government-funded, police-led organisation that has been specifically created to support small businesses and charities across the Eastern Region to become more cyber resilient. We have access to a ton of fully funded assessment tools and guidance to kick-start your cyber journey. And we collaborate with police and government agencies to ensure that organisations get the help they need. So pop along to our website (www.ecrcentre.co.uk) and sign up to our newsletter or ask for a free consultation and find out how you can protect your business today.