The 43% Cyber Lie: How One Government Statistic Became the Engine of UK Vendor Fear-Mongering

Opinion

Pull up a chair. This one is going to take a while.

Every April for the last decade, the Department for Science, Innovation and Technology, formerly DCMS, publishes the Cyber Security Breaches Survey. Every April, the British press runs the same headline. “Almost half of UK businesses suffered a cyber breach last year.” This year the figure is 43%. Last year it was 50%. The year before that, 32%. Round and round we go, year after year, with the same parade of quotes from the same vendor PR contacts and the same anxious procurement responses from small businesses who got the press release forwarded by their MSP at 9:01am with the subject line “Time to talk about your renewal?”

The headline is misleading. It has been misleading for years. And what makes the situation interesting, rather than just sad, is that the government already knows this. They know it because they fixed it. They built a more rigorous statistic, on the same questionnaire, in the same survey, published in the same report on the same day, that gives an honest answer to the question the press thinks the headline is answering.

Nobody quotes the honest one.

So this Sunday, settle in, because we are going to do something the British cyber press will not. We are going to read the methodology. We are going to find both numbers. We are going to ask why one of them gets every front page and the other one gets buried in chapter six. And we are going to figure out, by the end, what a 20-person company should actually do with this mess.

What the headline figure actually counts

The Cyber Security Breaches Survey 2025/2026, published 30 April 2026, says 43% of UK businesses experienced a cyber security breach or attack in the last 12 months. That is the headline. That is what the BBC ran. That is what every UK trade press outlet from Computer Weekly to TechCrunch reproduced. That is what your MSP put in their renewal email. That is what your auditor cited at the kick-off meeting.

Read what the survey actually counts. Question 53A on the questionnaire asks respondents which types of attack their organisation experienced. Phishing is on the list. So is impersonation. So is malware. So is ransomware, hacking, denial of service, the whole catalogue.

Here is the bit nobody quotes. In 2024, DSIT explicitly clarified the phishing question wording. They added six words to the questionnaire script. “Even if they did not engage with these emails or websites.” Six words, written into the official methodology, in the technical annex, available to anyone who can read a PDF.

Translation: a phishing attack counts as a breach even if nobody clicked, nobody opened, nobody was fooled, and nothing happened. The attack happened because the email arrived. That is the threshold. That is what the methodology says, in DSIT’s own words, in the document published alongside the headline.

By that definition, the true population prevalence is not 43%. It is one hundred bloody per cent. Every UK organisation with a working email server received phishing emails in the last twelve months. Most of them received hundreds. Some of them received thousands. The only reason DSIT does not report 100% is that some respondents do not notice the phishing in their spam folder, some do not bother counting things their filter quietly bins, and some interpret “experienced a phishing attack” the way a normal human would interpret it, which is something successful happened to us, rather than the way the methodology defines it, which is an email server received a message.

So the 43% figure is not a measure of cyber risk. It is not a measure of successful attacks. It is not a measure of harm. It is a measure of whether the person answering the survey is aware that phishing email volume exists. It tells you nothing about defensive posture, threat realisation, or business impact. It tells you whether the respondent has heard of phishing.

The survey itself, in the same chapter as the headline figure, gives you the proof. Of the 43% of businesses that “experienced a breach” in 2025/2026, 51% experienced phishing only and nothing else. Up from 45% the previous year. In other words, in over half of the cases counted in the headline number, the so-called breach was a phishing email arriving and being either filtered or ignored. Nothing was stolen. Nobody clicked. The “breach” was that someone tried.

If a burglar walks past your shop window and looks in, you do not call that being burgled. You call it a Tuesday. But that is what the headline figure of the UK government’s flagship national cyber statistic counts. Every year. Reproduced by every news outlet. Cited by every vendor.

That is the misleading figure. Now let me show you what is sitting twenty pages deeper in the same report, which nobody quotes.

The honest figure DSIT built and nobody uses

Read chapter six of the CSBS 2025/2026 report. It is titled “Cyber crime”. The chapter exists because in 2022/2023, DSIT and the Home Office collaborated to build a stricter measure. They wanted to know how many of these “breaches” are actually crimes under the Computer Misuse Act 1990 and the Home Office Counting Rules.

The methodology for cyber crime is a different beast entirely. From the technical annex, in DSIT’s own words: “It systematically aims to exclude cyber attacks that were stopped by software and breaches where the organisation was not deliberately targeted… It only includes phishing attacks in cases where organisations confirmed that either employees engaged in some way (e.g. by opening an attachment) or that it was specifically targeted at the organisation (the attackers referred to the organisation or its staff by name, or included any personal or contact details in any messages) and no other crimes succeeded this. From the 2024/2025 survey onwards it only includes ransomware attacks where a ransom was demanded.”

Read that twice. The cyber crime measure excludes attacks stopped by software. It excludes phishing where nobody engaged. It excludes ransomware that was blocked. It applies the Home Office Counting Rules and uses a “principle crime” hierarchy to avoid double-counting. This is what an honest statistic looks like. This is the work of analysts and statisticians who understood that the headline figure was being misread, and who built a rigorous alternative on top of it.

So what does the honest figure say?

In 2025/2026, 19% of UK businesses experienced any cyber crime. Not 43%. Nineteen. Equivalent to about 267,000 organisations. Down from 22% in 2023/2024 and 20% in 2024/2025. So total cyber crime against UK businesses has been declining for three consecutive waves while the headline figure has bounced around.

Strip phishing out, because phishing-as-cyber-crime is largely the bit where someone clicked, and you get the cleaner number. 3% of UK businesses experienced any non-phishing cyber crime in 2025/2026. This figure has held at 3 to 4% for three consecutive waves. That is your real underlying rate of meaningful cyber crime. Not 43%. Three per cent.

The cost picture, when read with the same precision, looks utterly different from the press hysteria. The median perceived cost of the most disruptive breach in 2025/2026 was £0 for businesses overall. The 25th to 75th percentile range was £0 to £200. The 95th percentile was £4,000. For medium and large businesses, the median rises to £30 and the 95th percentile to £10,000. For non-phishing cyber crime, the median is £250 and the 90th percentile is £5,000 to £7,500.

Cyber-facilitated fraud — which is the one category that consistently reaches material harm — was experienced by 3% of businesses in 2025/2026. The 90th percentile cost reached £15,000.
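To make the two measures concrete, here is an added worked example (my own code, not DSIT's, the Home Office's, or anything from the survey) that applies both definitions to a constructed set of twenty survey-style records. The headline rule counts any reported attack type, phishing included even when nobody engaged. The cyber crime rule follows the exclusions quoted above from the technical annex: attacks stopped by software are dropped, phishing counts only if someone engaged or the message was specifically targeted, ransomware counts only if a ransom was demanded, and each organisation is counted once under its most serious (principal) crime. The ordering of that principal-crime hierarchy is an assumption chosen for this example; the real Home Office Counting Rules define their own. The cost summary shows why the report's median and percentile costs tell a different story from a mean: the constructed costs are mostly zero with one large outlier.

```python
"""Headline 'breach' prevalence versus Counting-Rules-style cyber crime prevalence.

Added example with constructed records; the classification rules paraphrase the
CSBS technical annex exclusions, and the principal-crime ordering is an assumption.
"""
import math
from dataclasses import dataclass
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass
class Record:
    """One respondent's answers, reduced to the fields the two measures need."""
    org: str
    phishing_received: bool = False   # any phishing email arrived (headline counts this alone)
    phishing_engaged: bool = False    # a staff member opened/clicked/replied
    phishing_targeted: bool = False   # message named the organisation or its staff
    malware_blocked: bool = False     # malware seen but stopped by software
    malware_infected: bool = False    # malware actually executed
    ransomware_attempt: bool = False  # ransomware seen, whether or not it got anywhere
    ransom_demanded: bool = False     # a demand was actually made
    fraud: bool = False               # cyber-facilitated fraud
    cost_most_disruptive: int = 0     # perceived cost of the most disruptive event, in pounds


# Constructed sample: eight untouched orgs, six that only received filtered phishing,
# and six with a mix of engaged phishing, blocked malware, infection, blocked ransomware and fraud.
SAMPLE: List[Record] = (
    [Record(f"org{i:02d}") for i in range(1, 9)]
    + [Record(f"org{i:02d}", phishing_received=True) for i in range(9, 15)]
    + [
        Record("org15", phishing_received=True, phishing_engaged=True, cost_most_disruptive=150),
        Record("org16", phishing_received=True, phishing_targeted=True),
        Record("org17", phishing_received=True, malware_blocked=True),
        Record("org18", malware_infected=True, cost_most_disruptive=800),
        Record("org19", phishing_received=True, ransomware_attempt=True),
        Record("org20", phishing_received=True, phishing_engaged=True, fraud=True,
               cost_most_disruptive=12000),
    ]
)


def headline_breach(r: Record) -> bool:
    """Headline measure: any attack type reported, phishing counted even if nobody engaged."""
    return any([r.phishing_received, r.malware_blocked, r.malware_infected,
                r.ransomware_attempt, r.fraud])


def principal_crime(r: Record) -> Optional[str]:
    """Cyber crime measure: apply the annex exclusions, return the single most serious crime.

    Ordering (most serious first) is an assumption for this example, not the Home Office's list.
    """
    if r.fraud:
        return "cyber-facilitated fraud"
    if r.ransomware_attempt and r.ransom_demanded:      # blocked/undemanded ransomware excluded
        return "ransomware"
    if r.malware_infected:                               # malware stopped by software excluded
        return "malware"
    if r.phishing_received and (r.phishing_engaged or r.phishing_targeted):
        return "phishing"                                # received-but-ignored phishing excluded
    return None


def prevalence(records: List[Record]) -> Dict[str, float]:
    """Percentage of organisations caught by each measure."""
    n = len(records)
    crimes = [principal_crime(r) for r in records]
    return {
        "headline_breach": round(100 * sum(map(headline_breach, records)) / n, 1),
        "cyber_crime": round(100 * sum(c is not None for c in crimes) / n, 1),
        "non_phishing_cyber_crime": round(100 * sum(c not in (None, "phishing") for c in crimes) / n, 1),
    }


def percentile(values: List[int], p: float) -> int:
    """Nearest-rank percentile, which is what a skewed cost distribution needs."""
    ordered = sorted(values)
    k = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[k - 1]


def cost_summary(records: List[Record]) -> Dict[str, float]:
    """Median, mean and percentiles of the most disruptive event's cost among headline 'breaches'."""
    costs = [r.cost_most_disruptive for r in records if headline_breach(r)]
    return {
        "median": median(costs),
        "mean": round(mean(costs), 2),
        "p25": percentile(costs, 25),
        "p75": percentile(costs, 75),
        "p95": percentile(costs, 95),
    }


if __name__ == "__main__":
    print(prevalence(SAMPLE))    # headline 60%, cyber crime 20%, non-phishing 10% on this sample
    print(cost_summary(SAMPLE))  # median 0, mean about 1079, p95 12000
```

On this constructed sample the headline rule reports a 60% "breach" rate while the cyber crime rule reports 20%, and 10% once phishing is set aside; the gap is entirely the six organisations whose only event was a filtered phishing email plus the two whose malware or ransomware was stopped. The cost summary shows the same skew the report describes: a median of zero alongside a mean pulled above a thousand pounds by one fraud case.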

Now, before the inevitable outrage from cyber Twitter, I need to be very precise about what I am and am not claiming. None of this means cyber risk is not real. A minority of businesses face genuine, expensive, business-ending incidents every year. The 95th percentile cost of cyber-facilitated fraud reaches £15,000. Ransomware still happens, still wrecks small businesses, still puts charities under. Three per cent of UK businesses experiencing non-phishing cyber crime is roughly forty thousand organisations, and the harm they suffer is real and sometimes catastrophic.

The point is not that cyber risk does not exist. The point is that the 43% headline figure does not measure it. And the 19% cyber crime figure, which does measure something closer to what the press thinks the headline is measuring, is sitting twenty pages later in the same document, and nobody quotes it.

So why do we have two numbers, and why does only one make the news?

This is the part that genuinely fascinates me. DSIT and the Home Office have already done the work. They have already built the honest statistic. They publish it every year, on the same day, in the same release, with full methodological transparency. The OSR even reviewed it in March 2026 and made three constructive recommendations about presentation, none of which addressed the conflation issue, but the cyber crime measure itself is unimpeachable. The work is done.

Yet every April, the headline that lands in every newspaper, every vendor briefing, every MSP renewal email, every Cyber Essentials assessor’s pitch deck, is the broken 43% figure. The honest 19% figure is silent. The 3% non-phishing figure does not exist as far as the British cyber press is concerned. It is published, it is sourced, it is methodologically superior, and it is invisible.

Why?

Because three groups benefit from the inflated headline, and one group does the amplification, and you, the small business owner, are nowhere on the list of beneficiaries.

Group one: DSIT itself, sometimes accidentally

This is where I have to be careful, because the DSIT statisticians who built the cyber crime methodology are, on the evidence, doing serious work. They engaged with the Home Office. They built a Counting Rules-compliant measure. They published it transparently. They are not the villains in this story.

But the way DSIT presents the survey to the press, and the way the press release is written, leads with the headline figure. The 43% is in the first paragraph of every announcement. The 19% is somewhere in chapter six. The 3% non-phishing figure is buried even further. A press officer at DSIT who wanted the National Cyber Strategy to look like it was working would understandably reach for the bigger number. A press officer who wanted ministerial profile would reach for the bigger number. A press officer who had eight minutes before a TV slot would reach for the bigger number.

This is not a conspiracy. It is communications gravity. Big numbers travel further than small numbers, and the small number is the honest one. The institutional incentive to lead with 43% is real, and even good-faith statisticians cannot fully counter it when their findings are translated into a press release.

The fix here is editorial. DSIT should lead the next press release with the cyber crime figure, not the breach figure, with a clear explanation that the breach figure includes attempted phishing that was filtered. They should make the broken figure work for them by pairing it explicitly with the honest one. They will not, because nobody at any government department in the UK has ever voluntarily made their press release less impressive, but they should.

Group two: the vendor fear economy

Every cyber security vendor in the UK uses the CSBS headline figure in their marketing. Every. Single. One.

I am not going to name companies in this piece because the pattern is industry-wide and naming three or four would create the false impression that the others are clean. They are not. Go and look for yourself. Search the phrase “43% of UK businesses” right now. You will find every major endpoint protection vendor, every Email Security as a Service player, every Managed Detection and Response brand, every UK-based Managed Service Provider from John o’Groats to Land’s End, every cyber consultancy from the boutiques to the Big Four, every Cyber Essentials reseller, every penetration testing outfit, every threat intelligence subscription service, every cyber insurance broker, every awareness training platform, all using the same inflated number to drive the same inflated urgency to sell you the same overpriced product.

It is the foundational data point for the entire UK cyber sales pipeline.

The vendor pitch always works the same way. Step one: cite the CSBS headline figure to establish that the threat is enormous and you, the small business owner, are statistically very likely to be next. Step two: present a product or service that promises to reduce the risk. Step three: extract a multi-year contract at a price calibrated to the level of fear successfully induced in step one.

If the headline collapsed to a more honest 5% or 8%, the urgency collapses with it. The vendor pitch becomes harder. The contract values drop. The procurement cycles lengthen. The discount ladder gets steeper. Every vendor in the UK has a financial interest in the broken statistic remaining the dominant one. It is not in their commercial interest to point out that the same report contains a more honest figure. That is not a conspiracy theory, it is just commerce. It is what every industry does when a government statistic is favourable to its sales narrative.

This is enemy one. The vendor fear economy. The marketing departments that use a misleading number to sell against an inflated risk to a small business that does not have the time or expertise to read the technical annex. The product brochures that quote “43% of UK businesses” without ever mentioning the methodology. The webinars that open with the headline figure and never mention chapter six. Every one of these communications is technically accurate and substantively dishonest. They cite the figure DSIT publishes. They omit the figure DSIT also publishes. The omission is the lie.

Group three: compliance theatre merchants

Then we have the audit and certification industry. The Big Four cyber consultancies, the IASME assessors, the boutique compliance shops, every chancer with a Cyber Essentials reseller agreement and a LinkedIn presence. They feed off the same headline figure, but their pitch is slightly different.

Where the vendor sells a product, the auditor sells a certificate. “43% of UK businesses suffered a breach last year. Can you afford to be one of them? Get certified now and demonstrate due diligence.” The certificate goes on the wall. The invoice gets paid. The procurement form has a box ticked. The business security posture is unchanged. The actual technical controls may or may not be in place. The statistic that justified the entire engagement was misleading to begin with.

Cyber Essentials is a perfectly reasonable scheme. Five technical control areas, basic hygiene, sensible defaults. The problem is not the scheme. The problem is that the scheme is being sold on the back of an inflated risk number, by consultants who would rather their client never read the methodology, to clients who do not have the bandwidth to challenge the framing.

The 2025/2026 survey itself shows this clearly. Awareness of Cyber Essentials among UK businesses is 17%. Certification is 5%. But the proportion of businesses that already meet the Cyber Essentials technical requirements is 24%. More businesses comply with Cyber Essentials than have heard of it. The behaviours are widespread. The branding is invisible. The certification market exists because of marketing, not because the underlying controls require external accreditation to be implemented.

This is enemy two. Compliance theatre. The certification industry that sells paperwork on the back of a misleading statistic, to small businesses that have already done most of the work but do not know it.

Group four, the amplifiers: the British press

The press is not a beneficiary so much as a mechanism. Every April, some poor reporter at the Guardian, the Times, the BBC or one of the trade outlets gets handed the press release at 8am, has until lunchtime to file copy, and reproduces the headline figure verbatim because they do not have time to read the 200-page report and the 80-page technical annex underneath it. Their editor wants 800 words by noon. Their cyber contact at every vendor in the UK has already pre-briefed them with a quote that uses the headline figure. The statistic that lands on the page is the one that fits the news cycle, not the one that survives a methodology review.

I am not blaming the individual journalists. They are professionals doing a difficult job in a deteriorating industry under enormous time pressure. Most of them, in private, would acknowledge the methodology problem. Some of them have written about it. The structural reality is that newsroom resources have collapsed across the UK trade press over the last fifteen years, and statistical scrutiny is the first thing to go when the headcount drops.

But the result is that the UK cyber press becomes a stenographer. The press release lands. The headline figure is reproduced. The vendor quotes are dropped in. The MSP responses are added. The piece goes live. The next morning, every small business owner in the country has the inflated number in their inbox via their MSP’s email blast. By Tuesday, every Cyber Essentials assessor has updated their pitch deck. By Friday, every cyber insurance broker has added the figure to their renewal pack.

The press is not the villain. The press is the megaphone. But the megaphone is amplifying the wrong number, and the journalists who would otherwise hold the methodology to account no longer have the time, the budget, or in some cases the editorial backing to do so.

What the honest statistic would change

Imagine, briefly, an alternative timeline. DSIT leads the next release with the cyber crime figure. The headline reads, “19% of UK businesses experienced cyber crime in the last year, with 3% experiencing non-phishing cyber crime.” The 43% figure is presented further down with the explicit clarification, “this includes phishing emails received but not engaged with, which apply to a much larger proportion of organisations and reflect attacker volume rather than defensive failure.”

What changes?

The vendor pitch changes. “19%” is harder to weaponise than “43%”. The compliance pitch changes. “3% non-phishing” is harder to use as a fear lever than “43% of businesses had a breach”. The press release lands differently. The trade press picks up the more honest figure. The MSP renewal email reads differently. The procurement conversations shift. The cyber insurance pricing recalibrates over the next renewal cycle. Boards reading the statistic in their next risk register update get a more proportionate picture of the threat. Investment decisions follow the actual risk distribution, not the inflated one.

Small businesses make better decisions because they have better information.

That is what the honest statistic would do, if anyone in the UK cyber industry actually wanted to use it. They do not. The misleading one sells better.

What you should actually do with the CSBS data

Right. Enough complaining. The Friday test. Here is what a 20-person business should do this week with this information, because the survey, used properly, is the single most useful publicly available source on UK cyber risk. The data is excellent. The presentation is misleading. You can fix the second problem yourself by reading past the headline.

Monday: Read chapter six, not chapter four

If you only ever read one part of any future CSBS release, make it the cyber crime chapter. Skip the headline. Skip the breach prevalence figures. Skip the chart that everyone in the press will be reproducing. Go straight to the cyber crime data. It will tell you the real rate of meaningful cyber crime victimisation, broken down by sector and size. It will tell you which crimes are concentrated in your size band. It will tell you the median and percentile costs, not the misleading mean.

The figures you want to internalise from the latest wave are: 19% of businesses experienced any cyber crime, 3% experienced non-phishing cyber crime, 3% experienced cyber-facilitated fraud, the median cost of the most disruptive breach was £0, and the 95th percentile reached £4,000 (£10,000 for medium and large). That is your actual risk landscape. Not 43%.

Tuesday: Audit your own phishing volume

Go into your email security platform — Microsoft Defender for Office 365, Mimecast, Proofpoint, Google Workspace, whatever you have — and pull the inbound phishing volume for the last twelve months. Most modern platforms will give you the data in a couple of clicks. The number will be enormous. Tens of thousands of phishing attempts per organisation per year is normal. That is what the CSBS headline is counting.

Now look at the subset that actually got through to user inboxes. Then the subset that resulted in a click. Then the subset that resulted in credentials being entered, or a download executing, or a wire transfer being attempted. For most healthy 20-person businesses, the funnel collapses from tens of thousands of attempts to single-digit successful events per year, often zero. That is your real exposure.

You now have your own dataset to compare against the CSBS headline. You will find your actual incident rate is much closer to the 3% non-phishing figure than to the 43% headline. Use this when challenging vendor and MSP pitches.
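The Tuesday funnel can be computed from an email security export rather than eyeballed. The following is an added example of my own, not code from the article or from any of the named products: it parses constructed key=value log lines in a made-up format (no real platform exports exactly this) and counts unique messages at each stage, attempted, delivered to an inbox, clicked, and credentials or payload actually handed over. Click and submit events are only attributed to messages the filter flagged as phishing, so a click on a clean message does not inflate the funnel. Adapt the field names to whatever your own platform exports.

```python
"""Phishing funnel from an email-security log: attempted -> delivered -> clicked -> compromised.

Added example. SAMPLE_LOG is constructed in a generic key=value format that does not
correspond to any specific vendor's export; map your own fields onto it.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed log: twelve messages flagged as phishing (nine quarantined, three delivered),
# one clean message, and a handful of user-action events. m13 is clean, so its click must not count.
SAMPLE_LOG = """\
2025-06-03T08:12:44Z msg=m01 verdict=phish action=quarantined recipient=alice@example.test
2025-06-03T08:12:51Z msg=m02 verdict=phish action=quarantined recipient=bob@example.test
2025-06-03T08:13:02Z msg=m03 verdict=phish action=quarantined recipient=carol@example.test
2025-06-04T10:01:17Z msg=m04 verdict=phish action=quarantined recipient=alice@example.test
2025-06-04T10:02:40Z msg=m05 verdict=phish action=quarantined recipient=dave@example.test
2025-06-05T07:55:09Z msg=m06 verdict=phish action=quarantined recipient=bob@example.test
2025-06-05T07:58:31Z msg=m07 verdict=phish action=quarantined recipient=erin@example.test
2025-06-06T12:20:00Z msg=m08 verdict=phish action=quarantined recipient=carol@example.test
2025-06-06T12:21:14Z msg=m09 verdict=phish action=quarantined recipient=dave@example.test
2025-06-07T09:03:45Z msg=m10 verdict=phish action=delivered recipient=bob@example.test
2025-06-07T09:10:12Z msg=m10 event=url_click recipient=bob@example.test
2025-06-07T09:10:58Z msg=m10 event=url_click recipient=bob@example.test
2025-06-08T14:30:22Z msg=m11 verdict=phish action=delivered recipient=erin@example.test
2025-06-08T14:35:07Z msg=m11 event=url_click recipient=erin@example.test
2025-06-08T14:36:49Z msg=m11 event=credential_submit recipient=erin@example.test
2025-06-09T16:45:10Z msg=m12 verdict=phish action=delivered recipient=alice@example.test
2025-06-09T16:50:00Z msg=m13 verdict=clean action=delivered recipient=alice@example.test
2025-06-09T16:52:31Z msg=m13 event=url_click recipient=alice@example.test
"""

KV = re.compile(r"(\w+)=(\S+)")
CLICK_EVENTS = {"url_click", "attachment_open"}
COMPROMISE_EVENTS = {"credential_submit", "attachment_exec", "payment_initiated"}


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'k=v k=v ...' into a dict; the leading timestamp has no '=' and is ignored."""
    return dict(KV.findall(line))


def phishing_funnel(log_text: str) -> Dict[str, int]:
    """Count unique message ids at each funnel stage."""
    stages: Dict[str, Set[str]] = {
        "attempted": set(), "delivered": set(), "clicked": set(), "compromised": set(),
    }
    events: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        fields = parse_line(raw)
        mid = fields.get("msg")
        if not mid:
            continue
        if fields.get("verdict") == "phish":
            stages["attempted"].add(mid)
            if fields.get("action") == "delivered":
                stages["delivered"].add(mid)
        elif "event" in fields:
            events.append((mid, fields["event"]))
    # Second pass: user actions only count against messages the filter flagged as phishing.
    for mid, event in events:
        if mid not in stages["attempted"]:
            continue
        if event in CLICK_EVENTS:
            stages["clicked"].add(mid)
        elif event in COMPROMISE_EVENTS:
            stages["compromised"].add(mid)
    return {stage: len(ids) for stage, ids in stages.items()}


def funnel_report(counts: Dict[str, int]) -> List[str]:
    """Human-readable lines with each stage as a share of attempts."""
    base = counts["attempted"] or 1
    return [f"{stage:<12}{n:>6}  ({100 * n / base:5.1f}% of attempts)" for stage, n in counts.items()]


if __name__ == "__main__":
    for line in funnel_report(phishing_funnel(SAMPLE_LOG)):
        print(line)
```

Run over a real twelve-month export the first number is what the CSBS headline counts; the last number is the one that belongs in your incident log and in the conversation with your MSP. Deduplicating on message id matters, since a single message clicked twice is still one event.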

Wednesday: Audit your incident log

If you keep an incident log, and if you do not you should start one this week, look at the last twelve months of real incidents. Not phishing emails. Real events. Lost devices, account compromises, malware infections that bypassed detection, ransomware attempts, fraud attempts, supplier breaches that exposed you, password resets driven by suspicious activity, anything that required a human to act and a record to be kept.

For most healthy 20-person businesses, this list runs to between zero and a handful of items, most of them resolved without harm. That is your reality. Compare it to the inflated CSBS headline. Compare it to the 19% cyber crime figure. Compare it to your own phishing volume. You now have three data points, all from the same twelve-month window, and they will tell a consistent story that has very little to do with what your MSP just emailed you.

Thursday: Reallocate your budget

Take the budget you might have spent on the next vendor pitch driven by “43% of UK businesses had a breach”, and instead spend it on the things that actually move your real risk profile. The list is short and the priorities are clear.

Multi-factor authentication on every account that supports it. Email, identity provider, financial systems, customer relationship management, the lot. The CSBS data shows two-factor authentication adoption at 47% in UK businesses. Half of UK businesses have not done it. Be in the half that has. This is the single highest-impact control available to a 20-person business. It will defeat the overwhelming majority of phishing-derived credential compromises.

A password manager for every staff member. Not optional. Not “we will do it next quarter”. This week. The cost is trivial relative to the benefit. The behavioural friction is real but solvable with one hour of training.

One hour of phishing simulation and training, not punitive. The point is not to humiliate the staff member who clicked. The point is to teach the team what real phishing looks like when AI tools have made it more sophisticated. Make the training mandatory, paid time, no consequence for failing the simulation, full transparency about what the test was looking for. Punitive phishing training breeds resentment and does not improve outcomes.

Review your supplier list and ask the top three suppliers what their cyber controls look like. Just the top three. Not a full third-party risk programme. Three emails. The CSBS data shows only 15% of UK businesses formally review supplier cyber risk. You can be in the smaller, better-prepared minority by sending three emails this week.

Those four things, executed by Friday, will move your real risk profile more than any product priced on a fear narrative ever will.

Friday: Email your insurance broker

Ask them what your real claim history looks like. Ask them what the average cyber-related claim in your sector and size band actually costs. Ask them what their underwriters are seeing as the dominant cause of paid claims in your industry. They will not give you the 43% figure. They will give you something far more useful: the actual loss data their pricing is built on. Insurance underwriters are not selling you fear. They are pricing actual risk, because their P&L depends on getting the answer right, not on inflating it for marketing purposes. Their numbers are usually more honest than the government’s.

You will probably find that the dominant claim categories are cyber-facilitated fraud, business email compromise, and ransomware affecting small businesses without backups. You will probably find that the claim distribution is heavily skewed, with a long tail of large losses and a high frequency of zero-loss notifications. You will find, in short, exactly what the CSBS cyber crime data already told you in chapter six, but priced in pounds.

Use that conversation to recalibrate your cyber budget for the year ahead. Spend the money where the actual risk lives, not where the headline figure says it lives. That is how informed customers behave. That is how an industry that respects its buyers operates. And that is how you stop being a passive recipient of fear-based marketing and become an active commissioner of cyber security that actually fits your business.

The bigger pattern

There is a wider point here, and it is not just about one statistic. The UK cyber industry has built itself on a foundation of inflated risk. The CSBS headline is the most visible example, but it is not the only one. Vendor threat reports inflate threat actor sophistication. Consultancy white papers inflate compliance urgency. Government strategies inflate the scale of the cyber skills gap. Everyone is selling a slightly bigger version of the truth, because everyone benefits from a slightly bigger version of the truth.

Small businesses pay for this. They pay in security budgets that should have been spent on actual protection. They pay in stress and decision paralysis. They pay in trust, because once a business owner figures out they have been mis-sold, they tend to disengage from cyber security altogether. Which is the worst possible outcome, because that is when the 3% non-phishing cyber crime rate finds them, in the small minority of cases where it does, and they have no defences in place because they stopped listening.

What we should have, in 2026, is a flagship national cyber statistic that distinguishes between threat exposure and actual harm. That separates “phishing volume” from “successful phishing attacks”. That leads with the disaggregated, honest figures and treats the inflated aggregate as a footnote, not a headline.

Here is the thing. We already have that statistic. DSIT and the Home Office built it. It exists. It is published every April. The methodology is documented. The data is freely available. The questionnaire is in the appendix. The Counting Rules are in the methodology. The cyber crime figures are precise, methodologically sound, and politically and commercially inconvenient to almost every player in the UK cyber industry. So nobody quotes them.

The OSR reviewed all this in March 2026 and concluded that the statistics are “clear and insightful”. They made three useful recommendations about presentation: improve communication of margins of error, display population sizes alongside sample sizes, and engage users on streamlining the bulletin. None of the three addresses the conflation issue. None of them tells DSIT to lead with the cyber crime figure rather than the breach figure. The regulator has looked at the structure and concluded it is fine. The statistics are honest. The presentation is misleading. The OSR has, in essence, validated the technical work without addressing the communication failure that follows.

That is where we are. A government department that has built an honest statistic and presents it badly. A vendor industry that has built a sales pipeline on the misleading version and has no incentive to switch. A press that lacks the resources to scrutinise the methodology. An audit and certification industry that profits from the inflated figure. And small businesses caught in the middle, paying for the consequences in budgets, time, and the slow erosion of trust in any cyber communication that crosses their desk.

What changes from here

I do not think the headline figure will be fixed by DSIT. The institutional gravity is too strong. The press release will keep leading with 43% next April, and 41% the year after that, and 39% the year after that, because every department in Whitehall leads with their biggest number and DSIT will not break the pattern.

I do not think the vendors will start citing the cyber crime figure voluntarily. Their commercial incentive runs the other way. The 43% figure is too useful to give up.

I do not think the press will start scrutinising the methodology. The newsroom resources are not there. The cyber trade press does its best with the time and budget it has, and the time and budget are shrinking, not growing.

So the change has to come from the buyer side. From the small businesses, the charities, the medium-sized firms, and the procurement leads who are tired of being marketed to with statistics that do not survive five minutes of methodology review. From the readers who, this week, will go and read chapter six of the CSBS 2025/2026 report instead of the press release. From the IT managers who will pull their own phishing volume data this week and challenge the next vendor pitch with the gap between the headline figure and their actual incident rate.

The change comes from informed buyers refusing to accept the misleading figure, demanding the honest one, and pricing their cyber decisions accordingly. It is the only mechanism that works in this market. Regulation will not work because OSR has already reviewed it. Government will not fix it because the press release is too useful. Vendors will not fix it because their pipeline depends on it. Press will not fix it because their resources will not stretch.

You fix it. By reading the methodology. By citing the cyber crime figure. By challenging your MSP. By demanding the honest number from your auditor. By pricing your cyber budget against the real risk distribution rather than the inflated one. By being the customer who is harder to bullshit.

That is what informed buyers do. That is what an industry that respects its buyers eventually starts to look like. And that is what we are going to keep building, one Sunday rant at a time, until the headlines start matching the methodology and the cyber crime figure gets the front page it has always deserved.

Pull up a chair next week. There is more.


Sources

1. DSIT / Home Office. Cyber Security Breaches Survey 2025/2026 (main report, 30 April 2026). https://www.gov.uk/government/statistics/cyber-security-breaches-survey-20252026/cyber-security-breaches-survey-20252026
2. DSIT / Home Office. Cyber Security Breaches Survey 2025/2026: Technical Report. https://www.gov.uk/government/statistics/cyber-security-breaches-survey-20252026/cyber-security-breaches-survey-20252026-technical-report
3. DSIT / Home Office. Cyber Security Breaches Survey 2025 (CSBS 2024/2025). https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025
4. DSIT / Home Office. Cyber Security Breaches Survey 2025: Technical Report. https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025-technical-report
5. DSIT / Home Office. Cyber Security Breaches Survey 2024 (CSBS 2023/2024). https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024
6. DSIT / Home Office. Cyber Security Breaches Survey 2024: Technical Report (records the 2024 phishing question wording change adding “even if they did not engage with these emails or websites”). https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024-technical-report
7. DSIT. Cyber Security Breaches Survey collection page (2017-2026 archive). https://www.gov.uk/government/collections/cyber-security-breaches-survey
8. Office for Statistics Regulation. Compliance Review of Statistics from the Cyber Security Breaches Survey (March 2026). https://osr.statisticsauthority.gov.uk/publication/compliance-review-of-statistics-from-the-cyber-security-breaches-survey/
9. UK Government. Counting Rules for Recorded Crime (Home Office). https://www.gov.uk/government/publications/counting-rules-for-recorded-crime
10. UK Government. Computer Misuse Act 1990. https://www.legislation.gov.uk/ukpga/1990/18/contents
11. UK Government. National Cyber Strategy 2022. https://www.gov.uk/government/publications/national-cyber-strategy-2022/national-cyber-security-strategy-2022
12. NCSC. Cyber Essentials scheme overview. https://www.ncsc.gov.uk/cyberessentials/overview
13. NCSC. 10 Steps to Cyber Security guidance. https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security
14. ONS. Crime Survey for England and Wales (computer misuse data). https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/bulletins/crimeinenglandandwales/latest
15. Department for Business and Trade. Business Population Estimates 2025 (used to extrapolate CSBS prevalence to a UK business population of 1,417,730). https://www.gov.uk/government/statistics/business-population-estimates-2025

Author note: All figures cited in this article are taken directly from the published Cyber Security Breaches Survey 2025/2026 main report and technical annex, both published 30 April 2026 by DSIT and the Home Office. Where this article cites specific percentages, percentile costs, or extrapolated business counts, those figures appear verbatim in the source documents listed above. The interpretation, framing and editorial position are the author’s own. Verification of the article’s central claim — that the headline breach figure includes phishing emails received but not engaged with — rests on the CSBS 2024 Technical Report’s documented amendment to question Q53A_TYPE, which added the phrase “even if they did not engage with these emails or websites” to the phishing code.

Filed under

  • smb-security
  • uk-business
  • social-engineering
  • compliance-failure
  • business-risk
  • vendor-risk