612,000 UK Businesses Breached and the Basics Are Going Backwards: What the 2026 Cyber Security Survey Actually Says

Podcast

Forty-three percent of UK businesses reported a cyber breach or attack in the last twelve months. That is approximately 612,000 organisations. The number is bad enough on its own. The bit that should make small business owners properly uncomfortable is this: after a year of improvement, the basics have slipped backwards.

The UK government published the Cyber Security Breaches Survey 2025/2026 on 30 April 2026. Commissioned by the Department for Science, Innovation and Technology and the Home Office, with fieldwork conducted by Ipsos between August and December 2025, it surveyed 2,112 businesses and 1,085 charities. This is not vendor marketing. This is not a bloke on LinkedIn yelling that AI has changed everything. It is a structured, representative snapshot of what UK organisations are actually doing about cyber security.

This week on the podcast, I sat down with Mauven MacLeod, Lucy Harper, and Graham Falkner to pull apart the numbers that matter most for small businesses. What started as a conversation about the survey turned into a broader examination of why awareness keeps rising while the practical work keeps stalling.

The Basics Are Sliding

The headline figures for small businesses should alarm anyone running a firm with five to fifty staff.

Risk assessments covering cyber security dropped from 48% to 41% among small businesses. Formal cyber security policies fell from 59% to 52%. Business continuity plans that address cyber security dropped from 53% to 44%. That last number is the one that stings most: nine percentage points gone in a single year. Not on some advanced technical capability. On having a written plan for what happens when your systems go down.

These are not exotic controls. These are the administrative equivalent of checking that the smoke alarm has batteries. And after a year when M&S, Co-op, hospitals, and nurseries were all over the news for cyber incidents, the numbers went the wrong way.

The survey’s own qualitative interviews reveal something important. Organisations reported that their awareness of cyber risk had been heightened by high-profile attacks in the media. So if awareness went up and the basics went down, then the problem is not ignorance. The problem is conversion. Businesses can now say the right things about cyber. They have not converted that into habits, documents, and tested routines.

Concern Is Not a Control

Seventy-two percent of businesses said cyber security was a high priority for senior management. Board-level responsibility for cyber increased from 27% to 31%. These are governance indicators moving in the right direction. But they sit alongside the declining hygiene numbers, which creates a very specific picture: senior people are talking about cyber while smaller firms are still slipping on the practical work.

As Mauven put it on the podcast: an owner saying “cyber is important to me” is about as useful as saying hill fitness is important while staying on the sofa with a biscuit. The business does not get safer because the owner feels concerned. Unless a task is assigned, dated, and checked, it does not exist.

The survey points to three overlapping reasons for the gap. Some owners genuinely do not know where to start. Some know perfectly well and keep bumping it to next month. And some are so overwhelmed by the daily demands of running a business that anything not attached to today’s cash flow gets deferred. The survey includes a quote from a small health and social care business that captures it: they cannot simply find eighteen thousand pounds for new systems when the economy is putting strain on the company. Cyber often arrives wearing a price tag before it arrives wearing a solution.

But cost is not the whole story. Risk assessments are not always expensive. Writing down who you call in the first hour of an incident is free. Turning on multi-factor authentication costs nothing in most Microsoft 365 and Google Workspace setups. Plenty of owners are not blocked by cost. They are blocked by not getting round to it. And “not getting round to it” is still overload a lot of the time, because every task competes with revenue in an owner-managed firm.

Phishing Still Runs the Show

Phishing attacks remained the most common breach type, experienced by 38% of businesses. Among organisations that suffered a breach or attack, phishing was identified as the most disruptive type in 69% of cases. And here is the number that should change how you think about email security: 51% of breached businesses experienced phishing only, and no other type of attack. That is up from 45% last year. One mechanism, cleanly executed, and that is enough.

The old advice is dying. For years the industry told people to look for bad spelling, odd grammar, and weird phrasing. That worked when scam emails read like a drunk photocopier. Now AI writes perfectly decent bait. A fake invoice can sound like your actual supplier. A fake Microsoft alert can be cleaner than the real one. Asking staff to be a human spam filter against machine-generated persuasion is a losing game.

User awareness still matters. People should pause and verify unusual requests. But the human is no longer the last reliable barrier. The technical controls have to catch what the person misses. That is why phishing is now an identity chapter, not just an email chapter. If one click means the attacker is in, mailbox rules changed, password reset, session token stolen, then the setup was brittle. The click is the doorknock. Identity protection decides whether it becomes a burglary.

Two-factor authentication adoption among businesses rose from 40% to 47%. Seven points up. Progress. But that still leaves 53% without it. More than half. If attackers are getting cleaner at the front end, you need stronger locks on the account itself.

The Numbers That Expose the Gap

Three statistics from the survey expose the distance between stated concern and operational reality.

Twenty-two percent of the people nominated as the most senior person responsible for cyber security did not know whether their organisation had cyber insurance. That is not a minor paperwork slip. The person named as responsible does not know if the cover exists, which means they definitely do not know what conditions could invalidate a claim. If you are not sure about your own cover, that is a problem you need to fix today.

Fifteen percent of businesses formally review the cyber risks posed by their immediate suppliers. Just 6% review the wider supply chain. After a year of supply chain headlines, 94% of businesses are not looking at their wider chain at all. If your booking system provider gets breached and your customer data spills, your customers do not care that the failure happened in somebody else’s cloud. They know your logo, your invoice, your apology email.

Thirty-one percent of businesses are using, adopting, or considering AI. Of that group, only 24% have any process or practice to manage the cyber security risks from AI. Three quarters are dabbling with AI and doing it with no house rules. No guidance on what staff can paste in. No checks on what data is exposed.

Repeat Victimisation

For organisations that experienced cyber crime, the median number of crimes in a year was three. That matters because many owners treat the first incident like a vaccination. They got hit, they had meetings, someone said “that was a wake-up call,” and six weeks later the same shared mailbox is running with no MFA and nobody checking sign-in logs.

A miserable Tuesday is not a control. Emotional impact is not implementation. Unless the incident led to specific, measurable changes, it was theatre. And the survey data suggests that repeat victimisation is common enough that the “we learned from it” narrative deserves serious scrutiny.

What to Actually Do This Week

We closed the podcast with five actions any small business can take this week without needing an enterprise budget.

Turn on MFA everywhere you can. Start with Microsoft 365, Google Workspace, email admin accounts, payroll, and banking. If you do one thing after reading this, do that.

Confirm cyber insurance in writing. Not “I think the broker mentioned it.” Email the broker or insurer. Ask: do we have cover, what does it include, and what conditions could invalidate a claim? Save the answer where two people can find it.

Write a one-page breach list. Who do you call? Who can reset accounts? Who speaks to the bank? Who speaks to customers? Where are backups? If you do not have a plan, you do not have a plan. One page. No budget required.

Set basic AI rules. Three lines: do not paste customer personal data into public AI tools without approval; do not paste contracts, financials, or confidential documents; if AI produces something important, a human checks it before it goes out.

Review your three most important suppliers. Not all of them. The three with access to your systems, staff identities, or customer data. Ask them if they use MFA, whether they hold Cyber Essentials or equivalent controls, and how they would notify you if they were breached.

How to Turn This Into a Competitive Advantage

Every statistic in this survey is a differentiator waiting to happen. If 59% of small businesses still do not do risk assessments, being one of the 41% that does gives you a verifiable advantage in procurement conversations. Clients are increasingly asking about security practices during tenders and due diligence. Being able to say “we follow the CSBS recommendations and here is our evidence” separates you from the majority.

The supply chain numbers are even more powerful. If only 15% of businesses review their immediate suppliers for cyber risk, you can be the supplier that proactively shares its security posture. That turns a defensive exercise into a sales conversation.

How to Sell This to Your Board

The risk is not theoretical. 43% of UK businesses experienced a breach or attack last year. 612,000 organisations. The median victim experienced three cyber crimes. This is not a distant possibility; it is the operating environment.

The basics are cheap. MFA is free in most Microsoft and Google setups. A breach contact list costs nothing. Risk assessments can be done internally using free NCSC guidance. The argument that cyber security requires massive spending does not survive contact with the actual first steps.

The regulator publishes the evidence. This survey is produced by DSIT and the Home Office. The NCSC provides free, actionable guidance. Following it is a defensible position. Ignoring it when the data is this clear is not.

Inaction has a measurable cost. Revenue impact from breaches more than doubled year on year, from 2% to 5%. Reputational damage rose from 1% to 3%. These are small percentages, but applied across 612,000 breached businesses, they represent real money and real damage.

Listen to the Full Discussion

This article covers the key findings, but the full podcast episode goes deeper into the qualitative picture, the debate between overload and inertia, and why the fixes are often simpler than small business owners expect. The five-step action plan is expanded with practical detail on each item.

Next week on the podcast, we are staying on the practical side and talking about incident response for firms that do not have an internal security team. Because most do not.

Sources

  • DSIT / Home Office: Cyber Security Breaches Survey 2025/2026
  • DSIT / Home Office: Cyber Security Breaches Survey 2025/2026: Technical Report
  • NCSC: Cyber Essentials Overview
  • NCSC: Small Business Guide to Cyber Security
  • NCSC: Multi-Factor Authentication for Online Services
  • ICO: Security (GDPR Guidance)
  • NCSC: Phishing: Spotting and Dealing With Phishing Attacks
  • GOV.UK: Cyber Governance Code of Practice

Filed under

  • smb-security
  • uk-business
  • business-risk
  • compliance-failure
  • credential-theft
  • incident-response
  • executive-security