
The proportion of UK businesses reporting cybersecurity breaches or attacks declined to 43% in 2025, compared to 50% the previous year, according to the UK Cyber Security Breaches Survey 2025. The study, commissioned by the Department for Science, Innovation and Technology (DSIT) and the Home Office, was based on responses from 2,180 businesses and 1,081 charities between August and December 2024, alongside 44 qualitative interviews.
The decline was largely attributed to reduced phishing incidents among micro and small businesses. Despite this, an estimated 612,000 businesses and 61,000 charities experienced a breach or attack over the past year. Prevalence among medium and large businesses remained high, at 67% and 74% respectively, similar to levels reported in 2024.
Phishing remained dominant, while ransomware incidents increased
Phishing remained the most commonly reported breach type. Among those organisations that suffered an incident, 85% of businesses and 86% of charities identified phishing as the primary cause. Respondents noted that such attacks were time-intensive to manage, often requiring staff training and internal investigation.
Ransomware attacks, while affecting a smaller proportion of organisations, increased in prevalence. One per cent of all businesses reported being targeted by ransomware in 2025, compared with less than 0.5% the previous year. This equates to approximately 19,000 ransomware incidents, suggesting a rise in more complex cyber threats.
“The 2025 survey emphasises that while progress is being made in certain areas, evolving threats like phishing and ransomware, and disparities between different types of organisations highlight persistent vulnerabilities,” stated the DSIT. “The observed strengthening of cyber hygiene among small businesses, promoting official guidance and initiatives, improving incident response capabilities, encouraging transparent reporting, managing supply chain risks, and empowering boards with cyber knowledge are all crucial steps toward building a more secure and resilient cyber landscape for the UK.”
The survey drew a distinction between general breaches and cyber crimes, defined in line with the Computer Misuse Act 1990. Around 20% of businesses and 14% of charities reported at least one cyber crime in the past 12 months. This represents approximately 283,000 businesses and 29,000 charities. Among organisations that identified any breach or attack, nearly half also reported being victims of cyber crime.
Businesses affected by cyber crime experienced an average of 30 separate incidents in the last year. For charities, the average was 16. Overall, the business sector was estimated to have faced 8.58 million cyber crimes, including about 680,000 non-phishing attacks. Charities were affected by approximately 453,000 crimes.
The average cost of the most disruptive breach was £1,600 for businesses and £3,240 for charities. When organisations that reported no financial cost were excluded, the average rose to £3,550 for businesses and £8,690 for charities. The cost of cyber crime specifically (excluding phishing) was estimated at £990 per business, or £1,970 when zero-cost cases were excluded.
A further 3% of businesses and 1% of charities reported incidents of cyber-facilitated fraud. These events carried higher average costs of £5,900 per business, increasing to £10,000 when excluding those who reported no financial loss.
Despite improvements in some areas, the survey found gaps in preparedness. Only 40% of businesses used two-factor authentication, and just 31% implemented virtual private networks for remote access. Board-level responsibility for cybersecurity declined to 27%, compared with 38% in 2021, a development that Proofpoint's Matt Cooke described as alarming.
“The trend of board-level responsibility for cyber security declining is a particularly worrying development,” said Proofpoint’s cybersecurity strategist for the EMEA region. “Previous research has found that both CISOs (70%) and board members (73%) were aligned in the feeling that a material cyber attack is likely to impact their organisation in the next 12 months, which highlights an alarming issue if cyber security is not adequately prioritised.”