UK Cyber Security Breaches Survey 2026: What Every Business Must Know
The UK government has published the Cyber Security Breaches Survey 2025/2026, commissioned by the Department for Science, Innovation and Technology (DSIT) and the Home Office. The numbers paint a stark picture: nearly half of all UK businesses experienced a cyber incident in the past year, and AI-powered attacks are making traditional defences increasingly inadequate.
As a CREST-aligned penetration testing and web development agency, we've seen these trends first-hand across our UK client base. Here's what the data means for your business — and what you should do about it.
The Numbers at a Glance
| 43% of UK businesses | reported a cyber breach or attack in the past 12 months |
| 85% of those breaches | involved phishing as the primary attack vector |
| £3.4 million | average cost of a UK data breach (IBM) |
| 98% of UK universities | reported cyber incidents — near-universal in higher education |
Phishing Still Dominates — But It's Getting Smarter
Phishing remains the most common and most disruptive attack type, with 38% of businesses and 25% of charities reporting phishing attacks in the past 12 months. Among organisations that experienced any breach, phishing was involved in roughly 85% of cases.
The AI factor: The NCSC warns that attackers are now using AI to generate convincing phishing emails at scale, impersonate senior staff, and bypass traditional email filters. Most major breaches start the same way: one employee, one clever email, one click.
This is why we consistently recommend that our clients combine technical controls with regular security awareness training. A penetration test that includes a social engineering component is the most realistic way to assess your organisation's exposure to phishing.
The Financial Impact Is Growing
The survey reveals a worrying uptick in financial consequences. Businesses reporting lost revenue or share value following a breach more than doubled from 2% to 5% year-on-year, while those reporting reputational damage tripled from 1% to 3%.
These might sound like small percentages, but when the average UK data breach costs £3.4 million (according to IBM's Cost of a Data Breach Report), even a small increase in affected organisations represents billions in aggregate damage across the UK economy.
Education and Healthcare: The Most Vulnerable Sectors
The education sector numbers are particularly alarming. Almost every UK university (98%) reported a cyber incident, along with 88% of further education colleges and 73% of secondary schools — up significantly from 60% the previous year.
Perhaps most concerning: 49% of universities and 27% of FE colleges hold personal staff and student data that is neither anonymised nor encrypted. For organisations handling sensitive personal data, this represents a significant GDPR liability.
Only 61% of Businesses Take Action After a Breach
One of the most striking findings: 39% of businesses that experience a breach take no corrective action at all. No policy changes, no additional training, no security improvements. They simply carry on as before.
Among those that do act, the most common response is staff training (31% of businesses). Far fewer invest in technical controls, incident response planning, or professional security assessments — the measures most likely to prevent a repeat incident.
What Your Business Should Do Now
Based on the survey findings and our experience testing UK organisations, here are the five most impactful steps you can take today:
Get a Penetration Test Done
If you haven't had a professional penetration test in the last 12 months, you're flying blind. A CREST-aligned assessment will identify the vulnerabilities attackers are actually exploiting — not theoretical risks, real ones. This is especially critical if you handle customer data, process payments, or operate in a regulated industry.
Implement Email Security Controls
With phishing driving 85% of breaches, your email security is your front line. Ensure SPF, DKIM, and DMARC are properly configured and actually enforced: an SPF record that ends in -all rather than ~all, DKIM keys published for every sending service, and a DMARC policy of p=reject (or at least p=quarantine) rather than the monitor-only p=none that many domains never move beyond. Deploy advanced email filtering that can detect AI-generated phishing content. And test your staff — a simulated phishing campaign reveals who needs additional training.
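As an added example (not code from the survey or from the author of this page), the following Python script statically checks SPF, DKIM and DMARC TXT records for the settings that leave a domain spoofable even though "records exist". The sample records are constructed for illustration and belong to no real domain; in practice you would paste in the output of `dig TXT yourdomain.com`, `dig TXT _dmarc.yourdomain.com` and `dig TXT <selector>._domainkey.yourdomain.com`.

```python
"""Static checks on SPF, DKIM and DMARC DNS TXT records.

Feed it the TXT records you pulled with dig or a DNS library; the records
below are constructed samples, not taken from any real domain.
"""
import re

# Constructed sample records: a "weak" set that looks configured but does
# not enforce, and an "enforced" set that does. The DKIM public key in the
# enforced set is a placeholder string, not a real key.
SAMPLE_RECORDS = {
    "weak": {
        "spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "dkim": "v=DKIM1; k=rsa; p=",
    },
    "enforced": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc@example.com; adkim=s; aspf=s",
        "dkim": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCplaceholder",
    },
}

# SPF terms that cost a DNS lookup; RFC 7208 limits a record to 10 of them.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?::|/|$)|mx(?::|/|$)|ptr|exists:|redirect=)")


def parse_tag_value(record: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means it enforces."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unmatched senders are treated as neutral")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"  # default qualifier is +
        if qualifier == "+":
            findings.append("'+all' authorises every host on the internet")
        elif qualifier in "~?":
            findings.append(f"'{all_term}' is softfail/neutral; use '-all' once all senders are listed")
        if terms[terms.index(all_term) + 1:]:
            findings.append("terms after 'all' are never evaluated")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def check_dmarc(record: str) -> list:
    """Return findings for a DMARC record; quarantine or reject both count as enforcing."""
    tags = parse_tag_value(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if tags.get("sp", policy) == "none":
        findings.append("subdomain policy is none: attackers can spoof any subdomain")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct is not an integer")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: you will receive no aggregate reports")
    return findings


def check_dkim(record: str) -> list:
    """Return findings for a DKIM selector record (the v tag is optional in DKIM)."""
    tags = parse_tag_value(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["not a DKIM record"]
    findings = []
    if not tags.get("p"):
        findings.append("empty 'p' tag: selector is revoked, signatures will fail")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing mode: verifiers treat failures as if unsigned")
    return findings


def audit(records: dict) -> dict:
    """Run all three checks on a {'spf','dmarc','dkim'} record set."""
    return {"spf": check_spf(records["spf"]),
            "dmarc": check_dmarc(records["dmarc"]),
            "dkim": check_dkim(records["dkim"])}


def is_enforcing(records: dict) -> bool:
    """True only when none of the three records raised a finding."""
    return not any(audit(records).values())


if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        print(name, audit(recs))
```

The script deliberately treats p=quarantine as enforcing, since it does stop spoofed mail reaching inboxes; the point it makes is that a domain with all three records published can still be wide open if SPF ends in ~all, DMARC sits at p=none, or a DKIM selector has been emptied.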
Build an Incident Response Plan
The survey shows most businesses lack a formal incident response plan. You need a documented playbook that covers: who to call, how to contain the breach, when to notify the ICO (under UK GDPR, within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals), and how to communicate with affected parties. Test it with a tabletop exercise at least annually.
Encrypt Sensitive Data at Rest
The finding that 49% of universities hold unencrypted personal data is a wake-up call for all sectors. Ensure your databases, backups, and file storage encrypt sensitive data at rest and in transit, and that the keys are managed separately from the data they protect. UK GDPR Article 32 names encryption as an appropriate technical measure, and it dramatically reduces the impact of a breach if one occurs.
Audit Your Web Applications
Your website and web applications are prime targets. Ensure you're running current framework versions, have automated dependency scanning, use web application firewalls, and regularly test for OWASP Top 10 vulnerabilities. A single unpatched plugin or outdated library can be all an attacker needs.
The Role of AI in Both Attack and Defence
For the first time, the 2025/2026 survey includes questions about AI tool usage and whether organisations have specific cyber security practices to manage AI-related risks. This reflects a growing reality: AI is transforming both sides of the security equation.
On the attack side, AI enables threat actors to generate highly convincing phishing emails, discover vulnerabilities at scale, and automate exploitation. The recent disclosure of Anthropic's Mythos model finding decades-old software vulnerabilities has prompted the White House to consider an FDA-style approval process for frontier AI models.
On the defence side, AI-powered security tools can detect anomalous behaviour, correlate threat intelligence, and respond to incidents faster than human analysts alone. But AI is not a silver bullet — it supplements, rather than replaces, the fundamentals of good security practice.
If your organisation is deploying AI tools — whether chatbots, coding assistants, or AI agents that interact with your infrastructure — they need to be part of your security testing scope. Our AI development and penetration testing teams work together to assess these new attack surfaces.
Don't Be Part of the 43%
The UK Cyber Security Breaches Survey is a reminder that cyber attacks are not a matter of if but when. The question is whether your organisation will be prepared — with tested defences, trained staff, and a clear response plan — or whether you'll be scrambling after the fact.
YUPL helps UK businesses build and test their cyber resilience. Whether you need a CREST-aligned penetration test, a secure web application, or an AI security assessment, our team is ready to help. Get in touch for a free consultation or call us on 0330 229 4580.
Frequently Asked Questions
How many UK businesses experienced a cyber attack in the past year?
According to the UK government's Cyber Security Breaches Survey 2025/2026, 43% of businesses and 28% of charities reported a cyber security breach or attack in the past 12 months. Among medium-sized businesses the figure is significantly higher, and for large enterprises it is near-universal.
What is the most common type of cyber attack on UK businesses?
Phishing remains the most common attack vector by a wide margin. 85% of affected businesses and 86% of affected charities reported that phishing was involved in their breach. AI-powered phishing is making these attacks increasingly difficult for employees to detect.
How much does a data breach cost a UK business?
The average cost of a data breach in the UK is approximately £3.4 million according to IBM's Cost of a Data Breach Report. Indirect costs — including reputational damage, lost revenue, regulatory fines, and customer churn — can push the true cost significantly higher.
How often should a business carry out a penetration test?
At minimum annually, but best practice is after any significant infrastructure change, before major releases, and following any security incident. Regulated industries like financial services and healthcare may require quarterly testing. The NCSC recommends regular penetration testing, and Cyber Essentials Plus certification requires an annual independent technical assessment (vulnerability scanning rather than a full penetration test).
What should a business do after a cyber breach?
Immediately contain the incident and preserve evidence. Assess the scope of the breach, notify your insurer and legal team, and report to the ICO within 72 hours of becoming aware if personal data was compromised and the breach is likely to put individuals at risk. Then conduct a thorough post-incident review and implement changes to prevent recurrence. The survey found that only 61% of businesses take any corrective action after a breach.