The Cyber Security Breaches Survey 2025, commissioned by the UK Department for Science, Innovation and Technology (DSIT) and the Home Office, revealed that 43% of UK businesses and 30% of charities had experienced a cyber breach or attack in the past year. While these statistics show a slight decline from the previous year, they still underscore the significant cybersecurity challenges faced by organizations in the UK.
Phishing emerged as the top threat, with 85% of affected businesses and 86% of charities attributing attacks to this method. Cybercriminals often use social engineering tactics through phishing emails to deceive individuals into divulging personal and financial information. Matt Cooke, a cybersecurity strategist at Proofpoint, pointed out that phishing remains a pervasive issue for UK businesses, with cybercriminals targeting individuals for financial gain through social engineering schemes.
Moreover, experts raised concerns about the use of artificial intelligence (AI) by cybercriminals to enhance the scale and credibility of their attacks. AI tools can aid in creating realistic phishing emails, fake images, and simulated phone calls, making it harder for targets to distinguish between legitimate and malicious communications.
One alarming trend highlighted in the report is the decline in board-level oversight of cyber-resilience. Senior executives are increasingly relinquishing responsibility for cybersecurity strategy, leaving organizations vulnerable to sophisticated attacks. This lack of executive accountability has financial repercussions, with the average cost of a cyber breach amounting to £1600 per business and £3240 per charity.
Simon Whittaker, a representative of the CyberUp Campaign, emphasized the urgent need for legal reform in light of the survey results. Whittaker underscored that the Computer Misuse Act 1990 is outdated and inadequate for addressing modern cyber threats, potentially penalizing cybersecurity professionals essential for defending against attacks.
Despite some organizations seeking external cybersecurity guidance, the survey revealed a drop in large businesses making use of these services compared to the previous year. The importance of legal frameworks and executive accountability was underscored, particularly in light of recent updates to the Cyber Security and Resilience Bill and the government’s initiatives to combat ransomware attacks.
Overall, experts caution that without robust legal support and increased executive accountability, the UK’s digital infrastructure remains at risk. The survey findings serve as a reminder of the ongoing cyber threats faced by organizations and the imperative to bolster cybersecurity measures to safeguard against evolving cyber risks.