The UK's annual cyber health check is in. Here is what it actually says.

Robert Shone 7 min read

Every year the government asks thousands of UK businesses, charities, schools, and universities a simple but important question: has your organisation been hit by a cyber attack in the past twelve months? The answers go into the Cyber Security Breaches Survey — the closest thing the UK has to an official annual audit of how the country is holding up. The 2025/2026 edition was published on 30 April, and it makes for instructive reading.

Not alarmist. Not catastrophic. But honest. And some of what it says will be familiar to anyone who has been following the news on this site over the past month.


What actually happened

The survey was carried out between August and December 2025 by independent researchers at Ipsos, on behalf of the Department for Science, Innovation and Technology and the Home Office. It covered 2,112 UK businesses, 1,085 charities, and 577 educational institutions, weighted to be representative of the wider UK population.

The headline finding is this: 43% of UK businesses and 28% of charities reported experiencing at least one cyber security breach or attack in the past twelve months. In raw numbers, that is approximately 612,000 businesses and 57,000 charities. The figure for businesses has remained broadly stable since last year, following a decline the year before.

That is four in ten businesses. More than one in four charities. And those are only the ones that identified an attack and were willing to report it. The survey explicitly notes that hidden attacks and unidentified breaches mean the real figure is likely higher.


Who was affected, and how?

The picture varies significantly by size. Larger organisations are far more likely to be hit: 65% of medium-sized businesses and 69% of large businesses reported a breach, compared with 42% of micro businesses. This is partly because larger organisations have more to go after, and partly because they have better systems to detect attacks in the first place. A small business that was attacked and did not notice would not appear in these figures.

Schools and universities face a particularly intense picture. Almost every higher education institution surveyed — 98% — reported identifying at least one breach or attack in the past year. Among secondary schools, the proportion jumped sharply from 60% last year to 73% this year. And attacks on schools are not occasional events: one in five secondary schools reported being hit at least weekly.

Charities sit in a concerning middle ground — smaller than most businesses, often under-resourced, and yet holding sensitive data about some of the most vulnerable people in society. The survey found that charities have been quietly cutting back on the basics: staff training and awareness activity fell from 21% of charities last year to 17% this year, driven largely by smaller charities with tighter budgets.


What the survey got wrong — or rather, what some headlines got wrong

A number of media reports on this survey led with ransomware figures. It is worth being precise here, because the official numbers are different from some of the secondary reporting.

The survey found that ransomware crimes against businesses actually declined compared with the previous two years — down to 1% of all businesses this year from 3% in both of the two preceding years. That is still around 19,000 UK businesses receiving a ransom demand in a year, which is significant. But it is a fall, not a rise, and some coverage has confused figures from different years of the survey or combined different measures in ways that overstate the trend.

The bigger ransomware story is the financial impact when it does happen, not the frequency. The M&S attack earlier this year — covered on this site in March — illustrated that a single ransomware incident at a large organisation can cost hundreds of millions of pounds and disrupt customers for months. The survey's own data shows that while most breaches cost organisations relatively little individually, the top 5% of cases cost £4,000 or more for smaller businesses, rising to £10,000 or more for medium and large organisations.


The thing the survey keeps coming back to: phishing

Of all the findings in this year's survey, one stands out for its consistency and its relevance to every story this site has covered over the past month.

Phishing is involved in 85% of all business breaches and 86% of all charity breaches. Among organisations that experienced any breach at all, phishing was cited as the most disruptive incident by 69% of them. In schools, 96% of secondary schools and 90% of primary schools that experienced a breach said phishing was the cause.

This is not a technical finding. Phishing is not a flaw in software or a weakness in a firewall. It is a human problem — someone receives a convincing message and responds to it. The survey's own qualitative interviews found that organisations are increasingly noticing that phishing attempts have become harder to spot, better written, and more precisely targeted. Several attributed this directly to the use of AI by attackers, allowing them to produce messages that read naturally and reference real details about the recipient.

One IT manager at a medium-sized business put it plainly in the qualitative interviews: the volume of phishing attempts is going up, and the quality of each attempt is improving. The combination is a growing problem that no technical tool can fully solve on its own.


The supply chain gap

One of the most striking findings in the survey — and one that sits directly alongside everything covered on this site over the past month — is how few organisations are checking the cyber security of the companies they rely on.

Only 15% of businesses formally reviewed the cyber security risks posed by their immediate suppliers. When it comes to the wider supply chain — the suppliers of their suppliers — the figure drops to just 6%.

This month alone this site has covered a medical equipment supplier attack that rippled into NHS hospitals, a poisoned software library that reached millions of developers, and a WordPress plugin update that compromised websites around the world. In each case, the victim organisations were not attacked directly. They were affected through a supplier they trusted. The survey's finding that only 6% of UK businesses formally check their wider supply chain is not a footnote. It is a significant vulnerability, hiding in plain sight.


The good news

The survey is not all bad news, and that deserves saying just as plainly.

Micro businesses — the smallest organisations, often with the fewest resources — improved on several measures this year. The proportion requiring two-factor authentication rose from 35% to 43%. The proportion limiting access to company-owned devices rose from 58% to 64%. The proportion using an external cyber security provider rose from 39% to 44%. Small, quiet progress, but real.

The proportion of businesses holding the Cyber Essentials certification — the government's baseline standard for cyber security — more than doubled among large businesses, from 21% to 35%, and more than doubled among small businesses, from 5% to 12%. These are organisations actively choosing to be measured against a standard and held accountable for meeting it.

And 92% of businesses that experienced a breach reported being back to normal within 24 hours. Most attacks, most of the time, do not cause lasting damage. That is worth knowing.


What does this mean for me?

If you run a small business or charity, the survey is a useful mirror. The basics — updated malware protection, secure backups, password policies — are in place for most organisations. The gaps are in the slightly more advanced measures: two-factor authentication is only in use at 47% of businesses, and only 25% have a formal plan for what to do when an attack happens. Both of those are fixable.

If you are a parent, the education findings deserve attention. Your child's school is being targeted — frequently, and increasingly by attacks that are harder to spot because they are assisted by AI. The best schools are running their own internal phishing tests on staff, monitoring results, and using them to drive training. It is worth asking your school what their approach is.

If you work somewhere that relies on suppliers — which is almost everywhere — the supply chain finding is the one most worth raising. Checking that the companies you depend on are themselves secure is no longer optional. It is where most of the risk now lives.

For everyone: the survey's own conclusion is measured but clear. The threat has not gone away. In some areas it is growing. The organisations that are improving are those that have made security part of how they operate every day — not something they think about once a year when a survey like this lands.


The broader lesson

This survey covers the period August to December 2025 — before the spring wave of supply chain attacks that dominated the news through March and April 2026. The next edition will measure a period that includes Stryker, litellm, Smart Slider, and the rest of the month we have just lived through. Those numbers, when they arrive, will be worth watching.

What the current survey makes plain is that the fundamental problem has not changed. Most cyber incidents begin with a human decision — to click, to trust, to defer an update, to assume that a supplier is secure. The technology involved is almost secondary. The survey counted 5.19 million cyber crimes against UK businesses last year. The vast majority of them started with a convincing message in someone's inbox.

That is not a technology problem with a technology solution. It is a human problem that requires human attention — awareness, habits, and the willingness to pause before acting on something that asks you to act quickly.


🧠 The Human Factor

Technology involved: The full spectrum of UK digital infrastructure (businesses, charities, schools, and universities), as measured across 2,112 businesses, 1,085 charities, and 577 educational institutions surveyed between August and December 2025.

Root cause: Phishing (human-targeted deception) remains the dominant entry point in 85–86% of all breaches, with AI now making attacks more convincing and harder to distinguish from legitimate communication.

What was at risk: Credentials, financial data, customer records, and operational continuity across hundreds of thousands of UK organisations, with schools and charities among the most exposed relative to their resources.

Prevention: Two-factor authentication; formal incident response plans; supply chain security checks; regular staff awareness training; Cyber Essentials certification as a measurable baseline.

References and sources

  • UK Government: Cyber Security Breaches Survey 2025/2026 — Department for Science, Innovation and Technology and the Home Office, published 30 April 2026 — gov.uk
  • UK Government: Cyber Security Breaches Survey 2025/2026: Education Institutions Findings — gov.uk
  • NCC Group: News Reaction: UK Cyber Security Breaches Survey 2025/2026 shows persistent risk and gaps in readiness (May 2026) — nccgroup.com
  • dataprotection.education: The Cyber Security Breaches Survey 2025/2026 — Key Advice for Schools (May 2026)