43% Breached and Nobody Is Surprised: What the DSIT Survey Really Tells Us About UK Business Security

Hello, Mauven here.

The Department for Science, Innovation and Technology published the Cyber Security Breaches Survey 2025/2026 on 30 April. I have spent the past fortnight reading the main report, the technical annex, and the industry reactions. Here is what the survey actually tells us, and what it very carefully does not.

The Headline That Is Not a Headline

43% of UK businesses and 28% of charities reported experiencing a cyber security breach or attack in the past twelve months. That extrapolates to approximately 612,000 businesses and 57,000 charities.

That number has barely shifted in three years. 22% of businesses reported cyber crime in 2023/2024, 20% in 2024/2025, and 19% in 2025/2026. The movement is within the margin of error. This is not progress. It is a baseline that nobody has managed to move.

The survey itself acknowledges this likely underestimates the true scale, because it only captures incidents that organisations were able to identify and were willing to report. If you cannot detect a breach (and as we discussed on Monday’s podcast, most small businesses have no logging to detect anything), it does not appear in the survey. The real number is worse than 43%.

The Cost Is Moving Even If the Breach Rate Is Not

What has changed, and what should make directors sit up, is the financial impact.

Reported loss of revenue or share value among businesses that identified breaches rose year-on-year from 2% to 5%. Reputational damage went from 1% to 3%. Those are not large percentages in isolation, but they represent a doubling and tripling respectively, and they come against a backdrop where the overall breach rate has not improved.

In other words: getting hit is not becoming less common, but it is becoming more expensive. The mean cost per business that quantified its breach losses was reported by DSIT as approximately £10,000. For small businesses operating on tight margins, that figure is not trivial. For some, it is existential.

Phishing Owns the Breach Economy

Phishing was reported by 38% of all businesses and 25% of charities. Among organisations that experienced any kind of breach, phishing was involved in around 85% of business incidents and 86% of charity incidents.

I want to be clear about what this means. The dominant attack vector against UK organisations is not sophisticated zero-day exploitation. It is not nation-state actors deploying custom malware. It is an email that tricks someone into clicking a link or handing over credentials. The single most common way into a UK business in 2026 is a message that looks legitimate but is not.

This should narrow the conversation for any small business deciding where to spend limited security resources. If phishing does 85% of the work, then email security, identity controls, MFA, and staff awareness training are not optional extras. They are the primary defence.

The AI Governance Gap

A new section of this year’s survey covers artificial intelligence, and the findings are predictable to anyone who has watched previous waves of technology adoption.

Only around a quarter of organisations already using, adopting or considering AI say they have security practices in place to manage the associated risks. Adoption is outpacing governance. We saw this with cloud migration, we saw it with remote working during the pandemic, and we are seeing it again with AI.

The specific risk for small businesses is that AI tools are being adopted by individual staff members without central oversight. A marketing coordinator signs up for a content generation tool and feeds it client data. An operations manager uses a chatbot to summarise financial reports. Nobody has assessed what data is being shared, where it is processed, or what the vendor’s data retention policy says.

This is not a theoretical risk. It is happening now, and the survey confirms that most organisations have no governance framework to manage it.

Board Engagement: Rising, But From a Very Low Base

Board-level responsibility for cyber security in UK businesses rose from 27% to 31%. In large businesses, the figure reached 68%.

That is movement in the right direction, and the Cyber Governance Code of Practice published in May 2025 deserves some credit for driving the conversation at senior levels. But 31% means that 69% of UK business boards are still not meaningfully involved in cyber security decisions. For small businesses, where the “board” is often the owner-director, the gap is even larger.

The survey introduced a new question this year about the content of cyber security updates shared with directors. Among those who do receive updates: 79% of businesses and 84% of charities said the updates covered management of cyber security risk. That is encouraging for the organisations doing it. The problem is the 69% who are not having the conversation at all.

What the Survey Does Not Say

Every survey is shaped by what it asks and what it does not ask. A few notable gaps.

The survey does not measure detection capability. It counts organisations that identified a breach, but it does not ask how they identified it, how long the breach persisted before detection, or whether they had any monitoring in place. An organisation with active logging and a 24-hour detection time and an organisation that discovered a breach six months later through a customer complaint are counted the same way.

The survey does not segment by whether organisations follow NCSC guidance. We know the NCSC’s Small Business Guide exists. We know Cyber Essentials has been available for a decade. But the survey does not directly correlate breach rates with adoption of specific NCSC recommendations. That makes it difficult to measure whether the guidance is working for those who follow it.

The survey relies on self-reporting by organisations that were willing to participate. The technical annex notes that the running of three other DSIT surveys in parallel may have affected participation rates, and that the UK business population is predominantly micro and small businesses (81% and 16% respectively), which typically have less mature security profiles. The insights into sophisticated attacks on larger organisations are inherently limited by the sample structure.

The Compliance Theatre Problem

This survey arrives in the same year as the forthcoming Cyber Security and Resilience Bill, which is expected to mandate supplier assurance, ransomware-payment reporting, and stricter incident notifications. New regulation is coming.

My concern, and it is one I have raised before on this platform, is that regulation without enforcement creates compliance theatre. Cyber Essentials is a useful framework. But when businesses treat it as a certificate on the wall rather than an ongoing security practice, it becomes paperwork instead of protection. The same risk applies to any new requirements under the forthcoming Bill.

The survey shows that awareness of government guidance is slowly increasing: 30% of charities now know about the Cyber Aware campaign, up from 26%. But awareness is not adoption. The gap between knowing that guidance exists and actually implementing it remains the central problem of UK cyber security policy.

What This Means for Your Business

If you run a small business or charity, here is what the survey is telling you.

The breach rate is not going down. Whatever the industry is collectively doing, it is not reducing the overall incidence of attacks. You should plan on the assumption that your business will face an incident, not that it might.

Phishing is still the primary threat. Invest in email security, deploy MFA on every account, and run regular phishing awareness for your team. This is not glamorous. It is what works.

The cost of incidents is rising. Even if the probability of being hit has not changed, the severity when it happens is increasing. Revenue loss and reputational damage are both up. This strengthens the business case for preventive investment.

AI governance needs attention now. If your team is using AI tools, you need a policy covering what data can be shared with external AI services, who is authorised to use them, and how vendor data practices are assessed. This does not need to be complicated. It does need to exist.

Board engagement is no longer optional. The Cyber Governance Code of Practice, the incoming Cyber Security and Resilience Bill, and the direction of travel on director liability all point the same way. Cyber security is a board-level responsibility. If your board is in the 69% that does not engage with it, that position is becoming untenable.

How to Turn This Into a Competitive Advantage

The survey data gives you a benchmarking opportunity. If 43% of businesses were breached and most lack basic logging, then having a documented security posture puts you in a demonstrable minority. Use the survey statistics in client conversations, tender responses, and supply chain assessments to show that your business takes the threat seriously and can prove it.

How to Sell This to Your Board

The survey is a government publication. It carries weight with directors, investors, and auditors who might dismiss vendor threat reports as self-interested marketing. Present the key statistics at your next board meeting: 43% breach rate, revenue impact doubling, phishing at 85% of incidents, and only 31% board engagement. Then present your organisation’s current position against those benchmarks. That conversation is worth having.

Sources

Source: Article

  • DSIT / Home Office: Cyber Security Breaches Survey 2025/2026
  • DSIT / Home Office: Cyber Security Breaches Survey 2025/2026: Technical Report
  • NCC Group: CSBS 2025/2026 Reaction
  • Channel Life: UK Cyber Survey Shows Stagnant Breach Preparedness
  • NCSC: 10 Steps: Logging and Monitoring
  • Cloudswitched: CSBS 2025/2026 Decoded for SMEs
  • Cyber News Centre: UK Survey: Phishing Still Owns the Breach Economy

Filed under

  • smb-security
  • uk-business
  • compliance-failure
  • business-risk
  • social-engineering
  • supply-chain-risk
  • public-sector-security