
Almost half of UK businesses hit by cyber attacks

The government's annual cyber security report reveals UK businesses are still struggling with the impact of attacks and breaches.

The general cyber security threat to UK organisations remains “widespread and significant” with 43% of businesses, 28% of charities and 69% of large firms having suffered either a data breach or cyber attack in the past year, and 29% of respondents saying they were experiencing incidents at least once every week.

This is according to the UK government’s latest Cyber Security Breaches Survey for 2025-26, which comes at the tail end of a 12-month period that saw a series of high-profile incidents targeting the likes of Marks & Spencer, Co-op Group, and Jaguar Land Rover, and amid elevated concern over the impact of offensive artificial intelligence (AI) – which was the subject of a warning from government ministers earlier in April.

“These figures are a stark reminder of the importance of having robust cyber security measures. All business leaders should be gripping this issue and taking action now, especially as AI is making the threat more acute. Quite simply, firms cannot afford not to take these steps,” said cyber security minister Liz Lloyd.

Lloyd has today written to the CEOs and chairs of over 180 of Britain’s largest businesses to urge as many as possible to sign on to the government’s Cyber Resilience Pledge, which was announced at the National Cyber Security Centre’s (NCSC’s) annual CyberUK conference in April and is set to launch later in the year.

Organisations signing up to the Cyber Resilience Pledge will have to take three firm actions to improve their security:

  • Make cyber security a board-level responsibility;
  • Sign on to the NCSC’s Early Warning service, which is free;
  • Obtain the NCSC’s Cyber Essentials certifications across their supply chains.

Lloyd said that doing so would help businesses significantly strengthen their defences and keep themselves, their customers, and the wider economy, safe. “Businesses are not powerless,” she said.

An improving picture?

While the headline statistics give Westminster good reason to keep banging the drum for cyber security, digging deeper, the data show evidence of an improving picture in some regards. The percentage of businesses affected by cyber incidents was roughly in line with the 2024-25 survey period, and down from a high of 50% in 2023-24.

Ransomware attacks against businesses also seem to have dropped a little, with 1% of respondents saying they had been affected by ransomware, down from 3% a year ago, while the prevalence of phishing attacks – although not significantly down on 2024-25 – is way down on 2023-24, affecting 38% this year compared to 42% 24 months ago. And impersonation breaches or attacks affected 12% in 2025-26, down from 17% in 2023-24. Charities – which the government accounts for separately in the report – have also seen significant drops in impersonation attacks or breaches.

This said, phishing attack volumes remain high and are still the most prevalent form of cyber incident, experienced by 38% of businesses and 25% of charities, as well as the most disruptive. Those who took part in qualitative interviews for the report tended to agree that phishing attacks had gotten easier to commit, and were becoming more sophisticated, which was contributing to the increase.

The number of businesses reporting that cyber attacks or breaches led to loss of revenues – or impact to share values – has risen from 2% last year to 5% this year, while the number reporting they experienced reputational damage is also up, from 1% last year to 3% now.

The M&S effect

Picking apart its data, the government said that recent high-profile incidents – like the M&S attack – did not seem to be feeding through in terms of causing a wider shift in resilience. It said that while one might have expected such incidents to spur an increase in vigilance, prioritisation and action on cyber issues have not moved substantially, and long-standing issues such as the resilience gap between large firms and SMEs persist.

Indeed, SME cyber hygiene has been declining on a number of measures after improving in the previous report – the number undertaking risk assessments or putting cyber risk policies or business continuity plans in place seems to be dropping.

TrendAI cyber strategy director, Jonathan Lee, said: “This highlights how awareness of cyber risks still hasn’t fully converted into mitigating action, with no overall reduction in the level of successful cyber attacks year on year.

“While boards report taking more responsibility for cyber risk, it’s worrying to see a year-on-year rise in the proportion of organisations that report seeing government advice and initiatives about cyber security but go on to do nothing in response. This isn’t just on UK businesses and charities. Government needs to do a better job with streamlining schemes, brands and channels to make for a single, coherent national voice on cyber literacy that’s accessible – not just geared towards CIOs,” said Lee.

Lee warned that the UK’s fast-digitising society is being built on “fragile foundations”, particularly with so many business leaders seemingly in awe of AI to the exclusion of the risks it poses.

“While that’s good news for the government’s stated aim of making the UK the fastest country in the G7 to roll out AI, it’s a clear risk as long as complacency about cyber risks is commonplace,” he noted.
