
Despite over ten thousand UK businesses getting hacked last year, cybersecurity still isn’t on everyone’s agenda.
You’d think that after years of headlines about hospitals getting encrypted into silence and banks coughing up crypto to ransomware gangs, businesses would finally be taking cybersecurity seriously. But you’d be wrong.
The UK government just dropped the Cyber Security Breaches Survey 2025. Between August and December 2024, researchers ran a random-probability telephone and online survey covering 2,180 businesses, 1,081 charities, and 574 educational institutions.
The results paint a picture of a business landscape sleepwalking into the same digital traps year after year. An estimated 8.58 million cyber crimes hit UK businesses in the past 12 months. For every business that got hit, the median number of incidents was four – meaning some companies aren’t just getting burned once.
About 3% of businesses and 1% of charities have fallen victim to cyber-facilitated fraud in the past year, with 72,000 events across the UK. That’s around 40,000 businesses and 2,000 charities getting hit by fraudsters exploiting cyber breaches.
The price of clicking the wrong link
Turns out, getting hacked doesn’t just bruise your ego – it drains your wallet too. On average, UK businesses coughed up £1,600 dealing with their most disruptive cyber breach last year. For charities, that pain hit even harder at £3,240. And those are the soft numbers.
Strip out the organizations that claimed zero cost (bless their optimism), and the damage more than doubled – £3,550 for businesses and a staggering £8,690 for charities. That’s a hell of a price tag for ignoring a dodgy email.
Phishing still runs the block
Phishing is still the king of the digital dirtbags. A full 85% of breached businesses and 86% of hacked charities were hit this way, mostly through click-happy employees and inboxes that look like the Wild West.
While the volume of attacks is dropping slightly among smaller organizations – probably because attackers are moving to bigger targets – medium and large businesses are still getting torched at the same rate as last year.
In interviews, organizations said they’re spending hours training staff and dealing with a flood of dodgy emails, trying to figure out what’s real and what’s just spam with a sinister twist.
The bigger problem is that these scams are getting smarter. Thanks to AI, fake messages and impersonations appear more real than ever. It’s no longer just a bad link from a “Nigerian prince” – it’s a fake CEO asking for a wire transfer, and it sounds legit. Luckily, the research shows that organizations have a growing awareness of evolving scamming techniques.
Hot on phishing’s heels is ransomware, which has doubled its footprint. Ransomware crime in the last 12 months increased from less than 0.5% in 2024 to 1% in 2025. That might not sound huge, but we’re talking about 19,000 UK businesses now dealing with encryption extortionists.
Small businesses are starting to understand the importance of cybersecurity
Against the odds, small businesses are starting to step up their cyber game. More are running risk assessments, taking out cyber insurance, and making real continuity plans. It’s not full-on military-grade security, but the progress is clear. Cyber insurance rose from 49% to 62%, and over half now have proper policies in place – not just gathering dust in a drawer.
In contrast, some high-income charities seem to be pulling back. Despite strong fundraising, key cyber practices are slipping – fewer are reviewing risks, checking suppliers, or keeping formal strategies in place. Interviews suggest tight budgets might be the reason.
Most organizations have nailed the fundamentals: antivirus software, password rules, firewalls, and cloud backups are widely in place. But the more advanced stuff – like two-factor authentication, VPNs, or user activity monitoring – is still patchy. Big businesses are doing more in terms of training staff, but for smaller ones, there’s still a sense of “just enough” rather than going the extra mile.
Supply chain is still a black hole
Despite every CISO's worst nightmare involving a third-party plug-in blowing a hole in their network, only 14% of businesses bother checking the risks of their immediate suppliers. Just 7% look at the wider supply chain. Among charities, the numbers are even worse: just 9% assess immediate supplier risks, and only 4% extend that to the wider supply chain.
That’s some “see no evil” energy right there. And yet, all it takes is one misconfigured contractor with admin access and no 2FA to turn your network into a hacker’s playground.
Boards are tapping out
According to the results, cybersecurity remains a high priority for the majority of businesses (72%) and charities (68%), consistent with previous years. However, board-level responsibility for cybersecurity has dropped from 38% in 2021 to 27% in 2025.
Meanwhile, large companies are still the only ones consistently training staff and prepping for digital disasters, with 92% of medium businesses and 96% of large businesses doing so, compared to 72% of businesses overall.
While companies mostly trust external guidance on cybersecurity, only 1% of businesses say they get their cyber guidance from the National Cyber Security Centre (NCSC).
Incident response is a mixed bag
Internal reporting still leads, with 76% of businesses and 80% of charities informing senior management after a breach. But when it comes to external reporting, only a third have clear guidelines on when to escalate.
Larger organizations in high-risk sectors like health, finance, and communications are more prepared, with incident response plans in place for 53% of medium businesses and 75% of large ones. Small businesses have also improved, with more implementing internal and external reporting plans in 2025 compared to 2024.
Training is key. After a breach, many organizations focus on staff training and awareness as their main preventive measure, underscoring the growing importance of ongoing education in cybersecurity.