Hands Up, We Got It Wrong: The 43% Cyber Breach Headline Is Misleading You
Hands up. Two weeks ago we ran with it. Like every other UK outlet. Like your MSP. Like the vendor newsletter that bounced into your inbox last Friday at five to five.
Forty-three per cent of UK businesses suffered a cyber breach or attack last year. Big number, dramatic, easy to quote. We did exactly what we keep telling you not to do. We swallowed the press release whole.
This weekend, Graham and I sat down with the actual Cyber Security Breaches Survey 2025/2026. Main report, technical annex, the qualitative work, the lot. Highlighters out. And we owe you a correction, because the public story built on that number is misleading, and the misleading version is the one being used to sell you things.
The stricter figure, the one DSIT and the Home Office built themselves in 2022, sits in Chapter 6 of the same document. Same survey. Same day of publication. Sound methodology, reviewed by the Office for Statistics Regulation only weeks before the report dropped. And nobody quotes it.
This is that correction.
What the 43% Headline Actually Counts
The survey asks businesses which types of attack they experienced. Phishing sits at the top of the list. So far, so reasonable.
Here is the bit nobody quotes. The questionnaire wording was clarified by DSIT in the technical annex to include phishing attempts even where the recipient did not engage with the email or website. One clause, sitting in a methodology document that British journalists do not read.
So a phishing email lands in your filter, gets quarantined before it reaches a single inbox, and your business is now inside the 43%. A staff member glances at one and deletes it, your business is inside the 43%. Nothing happened. No money lost. No data taken. No harm done. The headline does not care. The email arrived. Tick the box.
By that definition, the real exposure rate is closer to 100% than 43%. Every UK organisation with a working email server receives phishing attempts every week. Microsoft Defender quarantines them by the thousand. The only reason that figure looks like 43% rather than near-universal is awareness, logging, filter quality, and who in the building answered the survey call.
Here is the kicker. Of the 43% of businesses that experienced a so-called breach or attack, 51% experienced phishing only. No malware. No ransomware. No hacking. No denial of service. Just phishing emails landing in inboxes. Up from 45% the year before, partly because, per the qualitative interviews, attackers are using AI tooling to send more phishing at better quality.
So the headline you read in April is being driven, structurally, by the fact that email exists, that bad email volumes are rising, and that the British survey threshold is set to “the email arrived.” Not by harm. Not by loss. Not by successful criminal activity. By inbound attempt volume and recognition.
Measure road safety by counting cars and the streets look terrifying.
Chapter 6: The Number You Were Never Told About
In 2022, DSIT and the Home Office sat down and built a stricter measure. They wanted to know how many of these alleged breaches and attacks actually meet the definition of crime under the Computer Misuse Act 1990 and the Home Office Counting Rules.
The methodology is completely different. It excludes attempts stopped by software. It excludes phishing where nobody engaged. It only counts ransomware where a ransom was demanded. The Office for Statistics Regulation reviewed the wider survey for compliance with the Code of Practice for Statistics and reported in March 2026 that the figures were clear and insightful. The Office for National Statistics was consulted when the cybercrime questions were built. The Home Office co-funds the work.
None of which made it into the press coverage. Not a sentence.
So what does the stricter figure actually say?
In 2025/2026, 19% of UK businesses experienced any cybercrime. About 267,000 organisations across the UK. Not 43%. Nineteen.
Strip phishing cybercrime out entirely, since 93% of cybercrime-affected businesses experienced phishing cybercrime, and you get 3% of UK businesses experiencing non-phishing cybercrime. That figure has held steady at three to four per cent for three consecutive survey waves. Methodologically sound. Independently reviewed. Sitting in the same PDF as the headline.
Three per cent. That is a profoundly different country from the one the 43% describes. Forty-three feels like a siege. Three feels like a road safety statistic. Both are technically true. Only one is being used to sell you bundles.
The Cost Picture Is the Bit That Should Make You Sit Up
The median perceived cost of the most disruptive breach or attack was zero pounds. Zero. The 25th to 75th percentile range was zero to two hundred pounds. The 95th percentile, the bad end of the distribution, was £4,000. For medium and large businesses, the 95th percentile climbs to £10,000.
Painful, yes. Existential, almost never. Yet every vendor presentation you have ever sat through has waved IBM’s Cost of a Data Breach Report at you, with its £4 million enterprise figure, as if it has any bearing on a 20-person letting agency in Coventry. It does not. IBM is measuring a completely different building site: regulated enterprise data, class action plaintiffs, transatlantic disclosure obligations. You work somewhere else. Use the data from your own building site.
There is one thing to flag, though. The survey also tells us that once you are a target, you tend to be a repeat target. The median victim of cybercrime experiences three cybercrimes in twelve months, and the mean is nineteen. The mean is dragged up by a long tail of heavily victimised organisations, but the point holds. Heavy victimisation is concentrated. Hardening once is not the play. Sustained hygiene matters more than panic spending, which is the precise opposite of what your renewal email is selling you.
Who Benefits From the Broken Number
If DSIT has already built the stricter measure, if it sits in Chapter 6 of the same report, why does 43% keep landing on every front page while 19% stays invisible?
Three groups benefit. The press amplifies. Nobody anywhere has an incentive to slow down.
DSIT itself, sometimes accidentally. The statisticians who built the cybercrime measure are doing serious work. They want you to read Chapter 6. The press release leads with 43% because big numbers travel further than small numbers. Comms team wins. Stats team loses. The methodology caveats sit in material nobody scrolls to.
The vendor fear economy. Every UK cyber security vendor, endpoint protection seller, MSP, Cyber Essentials reseller, and managed security provider is using the 43% on their landing page right now. Search for it. You will find dozens. If the headline collapsed to 3% or 5%, the urgency collapses with it. Contract values drop. Procurement cycles lengthen. Christmas bonuses get smaller. Every vendor has a financial interest in the broken statistic being the dominant one.
The audit and certification industry. “43% suffered a breach or attack. Can you afford to be one of them? Get certified now.” Certificate goes on the wall. Invoice gets paid. Security posture unchanged. We have been clear about this before in our coverage of compliance theatre as government standards: the controls inside Cyber Essentials are genuinely useful, but the industry that has built up around scaring people into the certification, and then doing nothing else, is a separate animal.
Then the press becomes a stenographer. Newsroom resources have collapsed. The trade press reproduces the headline because they do not have time to read the full report, or they do not have anyone left who can. By Tuesday lunchtime, every Cyber Essentials assessor has updated their pitch deck, every vendor has a fresh LinkedIn post, and every MSP has another fear-based renewal email queued for Friday at five to five.
Here is the worst part. The owner of the 20-person business reads the headline, takes the call from the MSP, buys the bundle, and ends up paying for protections they may not need against threats they may not face. Meanwhile, the actual issues, the ones sitting quietly in Chapter 6, the ones that drove every breach we have ever covered, get underfunded. Phishing that bypassed filters. Reused passwords. Missing multi-factor authentication. Compromised suppliers. Karen from accounts clicking the wrong link on a Thursday afternoon. These are not Hollywood threat actors. They are the gritty, boring, fixable everyday. And we have written about why the authentication piece in particular is broken until our keyboards complained.
The broken statistic does not just mislead. It actively misallocates capital. Money goes to the wrong place. The right place sits underfunded. The gap between the two is filled by vendor margin.
Five Things You Can Actually Do This Week
None of this needs a £30,000 retainer. None of it needs a certificate. Most of it is free.
Monday: skip the headline, read Chapter 6. Print the cybercrime chapter. Highlight the bits that match your business. Nineteen per cent any cybercrime. Three per cent non-phishing. Median cost £0. Ninety-fifth percentile £4,000. Forty minutes with a coffee. It will change the conversations you have with your insurer and your IT provider for the rest of the year.
Tuesday: audit your own phishing volume. Log in to Microsoft Defender, Mimecast, Google Workspace, whatever email security you have. Pull the last twelve months. Tens of thousands of attempts is normal. Now look at what got through to inboxes. Then what got clicked. Then what caused harm. For most healthy businesses, that funnel collapses to single digits or zero. That is your real exposure, not the inbound count. If you cannot pull that report yourself, ask your IT provider to pull it. A reasonable request. If they cannot, will not, or pretend not to understand the question, you have a bigger problem to solve.
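The funnel above, worked through in code. This is an added example, not something from the survey or from any vendor's tooling. It reads a constructed CSV export and collapses it into the four stages the paragraph describes: arrived, reached an inbox, clicked, caused harm. The column names are an assumed schema; a real Microsoft Defender, Mimecast or Google Workspace export will name and shape the fields differently, so map them onto these before running it. The `counted_by` helper treats "engaged" as "clicked", which is a simplification of the survey wording, not its definition.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export. The column names are an ASSUMED schema for
# illustration; a real Defender, Mimecast or Google Workspace export will
# differ, so map its fields onto these first.
#   verdict        : what the filter decided the message was
#   action         : quarantined / rejected / delivered
#   user_clicked   : did anyone click the link or open the attachment
#   confirmed_harm : did it lead to account compromise, payment or data loss
SAMPLE_EXPORT = """\
timestamp,message_id,verdict,action,user_clicked,confirmed_harm
2025-04-02T08:11:03Z,m01,phish,quarantined,no,no
2025-04-09T13:42:55Z,m02,phish,quarantined,no,no
2025-04-09T13:44:10Z,m03,spam,quarantined,no,no
2025-04-17T09:05:21Z,m04,phish,quarantined,no,no
2025-05-01T10:30:00Z,m05,phish,delivered,no,no
2025-05-06T16:59:48Z,m06,phish,quarantined,no,no
2025-05-15T14:12:07Z,m07,phish,delivered,yes,no
2025-05-20T07:48:33Z,m08,phish,quarantined,no,no
2025-05-22T11:01:19Z,m09,phish,rejected,no,no
2025-06-03T09:27:44Z,m10,phish,quarantined,no,no
2025-06-11T15:33:02Z,m11,phish,delivered,no,no
2025-06-18T08:05:56Z,m12,phish,quarantined,no,no
2025-06-27T17:20:12Z,m13,phish,quarantined,no,no
"""

STAGES = ("inbound", "delivered", "clicked", "harm")


def parse_export(text):
    """Read the CSV into a list of dicts with trimmed, lower-cased values."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: v.strip().lower() for k, v in row.items()} for row in reader]


def phishing_funnel(rows):
    """Count phishing messages at each stage. Each stage is a subset of the
    one before it, so the numbers can only fall as you move right."""
    counts = Counter()
    for r in rows:
        if r["verdict"] != "phish":
            continue                      # spam, malware, clean: not this funnel
        counts["inbound"] += 1            # this alone puts you inside the 43%
        if r["action"] != "delivered":
            continue                      # quarantined or rejected before any inbox
        counts["delivered"] += 1
        if r["user_clicked"] != "yes":
            continue                      # glanced at and deleted, or ignored
        counts["clicked"] += 1
        if r["confirmed_harm"] == "yes":
            counts["harm"] += 1
    return {stage: counts[stage] for stage in STAGES}


def pass_through_percent(funnel):
    """Each stage as a percentage of inbound, rounded to one decimal place."""
    inbound = funnel["inbound"]
    if inbound == 0:
        return {stage: 0.0 for stage in STAGES}
    return {stage: round(100.0 * funnel[stage] / inbound, 1) for stage in STAGES}


def monthly_inbound(rows):
    """Inbound phishing per calendar month (YYYY-MM): is the volume rising?"""
    per_month = defaultdict(int)
    for r in rows:
        if r["verdict"] == "phish":
            per_month[r["timestamp"][:7]] += 1
    return dict(sorted(per_month.items()))


def counted_by(funnel):
    """Which measure this business falls under. 'Engaged' is read as 'clicked'
    here, a simplification of the survey wording rather than its definition."""
    return {
        "headline_breach_or_attack": funnel["inbound"] > 0,
        "stricter_phishing_cybercrime": funnel["clicked"] > 0,
        "any_actual_harm": funnel["harm"] > 0,
    }


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    funnel = phishing_funnel(rows)
    pct = pass_through_percent(funnel)
    for stage in STAGES:
        print(f"{stage:>10}: {funnel[stage]:>4}  ({pct[stage]}% of inbound)")
    print("per month :", monthly_inbound(rows))
    print("counted by:", counted_by(funnel))
```

On the constructed data, twelve phishing messages arrived, three reached an inbox, one was clicked, none caused harm. Under the headline definition that business is a breach-or-attack statistic; under the cost picture in Chapter 6 it is a zero. Run it over a genuine twelve-month export and the right-hand columns are the numbers to take to your insurer and your IT provider.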
Wednesday: start an incident log. Not phishing emails nobody engaged with. Real events. Lost devices. Account compromises. Malware that bypassed detection. For most 20-person businesses, that list runs to zero or a handful, usually resolved without harm. Compare it to the inflated headline. You will see the gap immediately. A spreadsheet is fine. Date, what happened, what you did, what it cost. That spreadsheet, two years from now, will be worth more than any certificate on your wall.
Thursday: reallocate budget to what works. Multi-factor authentication on every account, phishing-resistant where you can manage it: hardware key or passkey, not SMS. A paid password manager licence for every staff member, not the free tier nobody uses, and definitely not a spreadsheet called Passwords Final V3. One hour of phishing training run by someone who is not trying to sell you something afterwards. Then review your top three suppliers and ask what their cyber controls look like. The total cost of this list for a 20-person business is well under £2,000 a year. Less than one mid-tier retainer payment to a vendor who is selling you the 43% headline.
Friday: email your insurance broker. Ask what real claims in your sector actually cost. They will tell you, because their pricing depends on getting it right. You will find the claim distribution looks far more like Chapter 6 than like the headline. The insurance market is one of the few places in this industry where lying about numbers costs you money rather than making you money. Listen to the people whose paycheque depends on the truth, not the people whose paycheque depends on you being frightened.
How to Turn This Into a Competitive Advantage
While your competitors are still spending on fear, you are spending on outcomes. That is a position worth occupying in front of clients, suppliers, and investors.
Pitch differentiation. When a prospective customer asks about your cyber security in a tender, you can quote the government’s stricter cybercrime measure, your own incident log, and your phishing funnel analysis. Specific, measurable, defensible. Your competitors will quote whatever IBM said this quarter. Procurement teams are getting better at telling the difference.
Insurance premiums. Brokers reward measurable evidence. Showing your incident log, your MFA deployment, and your phishing funnel does more for your premium than waving a certificate.
Supplier confidence. Your larger customers are increasingly asking about your security posture before they renew. A clean, evidence-based answer wins those conversations. A pile of vendor brochures does not.
How to Sell This to Your Board
The conversation directors and trustees actually want is not “the world is on fire,” it is “are we spending well.” Frame it that way.
Quote the government’s own stricter figure. The board will not dismiss DSIT and the Home Office. Nineteen per cent any cybercrime. Three per cent non-phishing. Median cost £0. Ninety-fifth percentile £4,000. These are official statistics, reviewed by the Office for Statistics Regulation. Hard to argue with.
Show the misallocation. Map your current cyber spend against the actual risk profile in Chapter 6. If you are spending five-figure sums on things that protect against threats your sector almost never sees, that is a board-level conversation about capital efficiency.
Sustain hygiene, do not panic. The survey shows repeat victimisation is concentrated. Hardening once is not the play. A modest recurring budget for the boring fundamentals beats a one-off panic purchase every time. That is a story directors and trustees recognise from every other risk discipline they have ever managed.
Cite the OSR review. “The government’s own statistics regulator reviewed this work in March 2026 and found it clear and insightful. We are using the methodologically sound figure, not the headline.” That sentence alone closes most board-level objections.
What This Means for Your Business
Bad numbers make small businesses spend money in the wrong place. That is the real damage. Not the headline, the behaviour the headline creates: frightened owners, tick-box certifications, bloated retainers, underfunded basics, and the same circus rolling into town next spring with a fresh set of inflated numbers.
You can fix that yourself, this week, by reading past the headline and ignoring most of your inbox.
- Read Chapter 6 of the Cyber Security Breaches Survey 2025/2026 before the next renewal call.
- Audit your phishing funnel and your real incident history. Compare them to the inflated headline.
- Reallocate spend to MFA, password management, training, and supplier review. Under £2,000 a year for most 20-person businesses.
- Brief your board with the OSR-reviewed figures, not the press release.
- If your MSP led their April renewal email with 43%, forward them this article and see what they say back.
Informed buyers fix this market. Frightened buyers feed it. That is the choice in front of you. We have written this article because we briefly fed the wrong market two weeks ago, and we are not doing it again.
Sources
| Source | Article |
|---|---|
| DSIT and Home Office | Cyber Security Breaches Survey 2025/2026: Main Statistical Release |
| DSIT and Home Office | Cyber Security Breaches Survey 2025/2026: Technical Annex |
| Office for Statistics Regulation | Compliance Review of Statistics From the Cyber Security Breaches Survey |
| UK Legislation | Computer Misuse Act 1990 |
| Home Office | Home Office Counting Rules for Recorded Crime |
| Office for National Statistics | Crime in England and Wales: Latest Bulletin |
| NCSC | Small Business Guide |
| NCSC | 10 Steps to Cyber Security |
| Office for Statistics Regulation | Code of Practice for Statistics |