“Phishing leads ‘by far,’” the UK government’s latest Cyber Security Breaches Survey says — and the numbers make the point bluntly: 43 percent of UK businesses and 28 percent of charities reported a cyber incident in the past year, a tally the survey equates to roughly 612,000 businesses and 57,000 charities.
Phishing as the primary vector: impersonation, fake logins, and the human click
The survey identifies phishing as the dominant route into organisations. It describes a familiar pattern: impersonation emails that send staff to fake login pages, links that are clicked, attachments that are opened, or sensitive information that is handed over. Around 85 percent of businesses reporting a breach said the incident involved phishing. The report captures the human element plainly — attackers still succeed when an employee clicks “sure, why not” on a fraudulent login page.
Incidence and persistence: weekly and daily penetrations
Among businesses that report break-ins, about a quarter say they occur at least once a week, with a smaller share reporting daily incidents. Charities are being hit more often: the share reporting weekly incidents rose from 18 percent to 26 percent over the past 12 months. Despite those shifts, the overall breach rates have “barely budged” since the previous survey.
Controls in place — basics adopted, advanced measures lagging
There are signs organisations are trying to respond. Around six in ten medium and large businesses report having a formal cybersecurity policy, and both incident response planning and cyber insurance have ticked up year on year. Most organisations report having basic protections: at least two-thirds say they use updated malware protection, cloud backups, password rules, firewalls, and restricted administrative access.
But adoption thins after the basics. Fewer organisations report implementing two-factor authentication, formal data backup rules, policies on personal data storage, VPNs, or user monitoring. Among small businesses specifically, some basic practices have slipped: the proportion conducting cyber security risk assessments has dropped to around four in ten, reversing earlier gains.
Ransomware stance and unprotected personal data
Policies on paying ransom remain mixed. Around 49 percent of businesses and 34 percent of charities say they have a rule not to pay, roughly unchanged from the previous year. A sizable minority are uncertain: roughly a quarter of businesses and a fifth of charities say they do not know what their policy is.
Data protection gaps persist. About 14 percent of businesses and 22 percent of charities report they hold personal data that is not protected by measures such as encryption or anonymisation, meaning a successful breach of those organisations is more likely to yield usable personal information.
Supply chain risk, and what this means for technologists, policymakers, and affected enterprises
The survey flags supply chains as a weak point: only 15 percent of businesses check the risks posed by direct suppliers and just 6 percent extend that review further into the chain; charities report even lower rates, at 9 percent and 4 percent respectively.
- Technologists and security teams: the report underscores where effort must go: phishing defences, user-facing controls, and wider deployment of measures such as two-factor authentication and formal backup rules. The high share (85 percent) of breaches involving phishing means attacker success still hinges on exploiting human trust.
- Policymakers and regulators: steady, high breach rates and rising weekly incidents among charities point to a sectoral unevenness in resilience. The mixed picture on ransom policies and the proportion of organisations holding unencrypted personal data are concrete vulnerabilities that oversight and guidance could address.
- Affected enterprises and procurement leaders: larger organisations are more likely to have formal policies and insurance, but small businesses are showing slippage in basic risk assessments. The limited attention being paid to supplier and wider-chain risk should be a procurement priority where it is not already.
The picture is clear and uncompromising: the tools for defence — basic protections, policies, insurance, incident planning — exist in many places, but they are not universally applied. Phishing remains the simplest, most effective lever for attackers, and significant shares of organisations either lack policies on ransom or hold personal data without encryption. With nearly half of businesses and more than a quarter of charities reporting incidents, the survey leaves a practical question: which of these gaps will organisations choose to close first?