Four in ten UK businesses (43 per cent) and 30 per cent of charities experienced a cyber attack or data breach in the last 12 months, according to the latest Cyber Security Breaches Survey. While this marks a slight decrease from last year’s 50%, the threat level for medium and large businesses remains alarmingly high.
The average cost of the most disruptive breach was estimated at £1,600 for businesses and £3,240 for charities.
The drop in incidents is attributed mainly to fewer small businesses reporting breaches – but government officials warn against complacency. With cyber threats increasingly targeting critical infrastructure, the UK Government is introducing the Cyber Security and Resilience Bill, compelling organisations to strengthen their digital defences.
The survey found that 70% of large businesses now have a formal cyber strategy in place, compared to just 57% of medium-sized firms – exposing a potential gap in preparedness among mid-sized enterprises.
There has been a notable improvement in cyber hygiene practices among smaller businesses, with rising adoption of risk assessments, cyber insurance, formal cybersecurity policies, and continuity planning.
These steps are seen as essential in building digital resilience across the UK economy.
However, the number of high-income charities implementing best practices such as risk assessments has declined. Insights suggest this may be linked to budgetary pressures, limiting their ability to invest in adequate cybersecurity measures.
Achi Lewis, Area VP EMEA for Absolute Security, commented: “While it’s encouraging to see the Government taking action on this issue, cyber attacks remain a persistent and costly problem for UK businesses. Four in ten companies were still hit in the last year, and for many, the cost of downtime, data loss, and recovery far outweighs the cost of prevention.
Having the right cyber resilience posture—before a breach occurs—is what makes the biggest difference. With the right systems, technology, and protocols in place, businesses can contain attacks quickly, minimise operational disruption, and protect both their bottom line and their reputation.
The government’s proposed Cyber Security and Resilience Bill is a step in the right direction, but legislation alone won’t stop attacks. Cyber resilience needs to be treated as a board-level priority across the economy. Businesses that invest now will be better prepared for future threats.”
The Government has also confirmed that UK data centres are now officially designated as critical national infrastructure. This means they will receive the same priority in the event of a major incident—such as a cyber attack—as essential services like water and energy.