Insights from the UK Cyber Security Breaches Survey 2025
Dean Anderson, Commercial Director.
The UK Government has released the Cyber Security Breaches Survey 2025, which uses data collected from UK businesses and other organisations between August and December 2024.
Although the data and report are UK-focused, the same messages that emerge from the data will also be applicable in Ireland and, indeed, in any other EU country. Using the data and insights in this survey can help your organisation bolster its cybersecurity defences.
The picture that emerges from the data is sobering. It shows that 43% of businesses and 30% of charities reported some kind of cyberattack last year. This equates to 612,000 UK businesses and 61,000 charities.
In this blog, we’ll highlight some headline figures and findings in the report. We won’t try to replicate the data, as the original is freely available to read online, and we encourage you to read it after this summary. Cased Dimensions are also here and ready to help your organisation implement cybersecurity defences, so that you do not become a statistic in a future report.
Phishing Is Still a Problem
Phishing remains a threat to organisations of all types. The survey reports that 85% of businesses and 86% of charities experienced phishing attempts. The interviews with leaders in these organisations reveal that phishing attacks consume a significant amount of time and resources from IT teams, who should be focusing on delivering business value and digital transformation projects. This is true even when the attacks are unsuccessful.
The report also highlights a concern that phishing attacks are getting more realistic and sophisticated, primarily due to the use of GenAI to craft more convincing emails, fake websites, and other impersonation techniques.
Ransomware Threat Increasing
While the overall number of attacks of all types remained stable year-on-year, the incidents of ransomware targeting all businesses in the UK increased, with an estimated total of approximately 19,000. Of those businesses that reported cyberattacks, 14% of large companies and 6% of businesses overall reported ransomware attacks.
Business Size Impacts Defence
The report shows a clear divide in cybersecurity defence between large and small organisations. The detection rate for attacks varied by business size as follows:
- Large: 74%
- Medium: 67%
- Small: 50%
- Micro: 41%
This difference may reflect how well smaller businesses are able to detect attacks rather than a real difference in how often they are attacked. Evidence from across the industry indicates that some cybercriminals target smaller businesses because their attacks are less likely to be detected before they can deploy ransomware or steal data. Many small businesses are attacked by criminals using Ransomware-as-a-Service tools.
The data in the report indicates that small businesses are improving their cyber hygiene. Those commissioning cybersecurity risk assessments increased to 48% (up from 41% in the previous year), while those with cyber insurance rose to 62% (up from 49% previously). Additionally, many organisations have adopted formal cybersecurity policies.
Supply Chain Threats Persist
Concerning gaps in supply chain security emerge from the data in the report. Only 14% of respondents reported reviewing the risks posed by other businesses in their immediate supply chain. This figure halved to 7% when it came to wider and deeper supply chains.
The risk checking of supply chain partners varied by size. Around a third of medium-sized businesses (32%) and nearly half of large businesses (45%) reported reviewing the cybersecurity risks posed by their immediate suppliers, compared to 11% of micro businesses and 21% of small businesses.
Given the prevalence of disruptive attacks traced to supply chain breaches in recent years, these statistics are worrying, even for large businesses at 45%.
Board Level Buy-In
Cybersecurity remains a priority for 72% of businesses, a figure that has remained constant for several years (it’s a priority for 92% of medium-sized businesses and 96% of large businesses). However, a decline has been reported in the number of organisations that have someone at board level who is responsible for cybersecurity. Over the last five years, the proportion of businesses with a board member responsible for cybersecurity has decreased from 38% in 2021 to 27% in 2025.
This lack of official board-level oversight for cybersecurity defences is both surprising and worrying. We all know that a cyber incident can be devastating for an organisation, and even existential in some cases, so we’d expect the board-level governance of this aspect of the business to be increasing.
The Costs of Cyberattacks
While the numbers included in the report are self-reported by the organisations impacted, the costs of an incident (after excluding any that reported the cost as zero) were:
- Incident cost for a business: £3,550 (€4,100)
- Incident cost for a charity: £8,690 (€10,100)
The costs associated with cyber fraud incidents rose to £10,000 (€11,700) for businesses (again, excluding any respondents who reported a zero figure in their return).
As all these costs are self-estimates by the organisations impacted, it is possible that they are underestimates and that the actual costs of dealing with an incident or case of cyber fraud are higher (even after excluding those that were zero).
Government Guidance Not Landing
The report highlights a disturbing knowledge gap between organisations in the UK and the official cybersecurity advice created and made available for free by the NCSC (National Cyber Security Centre). In the survey, only 1% of businesses and 2% of charities mentioned the NCSC by name. When the survey team followed up with targeted questions about specific NCSC campaigns, awareness levels were higher. Still, they remained below a quarter of respondents, depending on the campaign.
This failure to be aware of and use official national cybersecurity defence resources is unlikely to be unique to the UK. Both Ireland (through the Irish National Cyber Security Centre) and the EU (via the European Cybersecurity Competence Centre and Network) provide official cybersecurity guidance.
The use of external cybersecurity consultants was higher than the use of official resources. A quarter of businesses and just under a fifth of charities reported engaging external cybersecurity experts to assist with their cyber defences.
These figures suggest that there is significant room for improvement in the cyber awareness information campaigns conducted at the national and broader levels.
Building Resilience
Overall, the UK Cyber Security Breaches Survey 2025 shows that progress in cybersecurity is occurring in some areas, but there is still a high risk from threats like phishing and ransomware for organisations of all sizes. The improved cyber hygiene seen in small businesses is welcome, but the report shows that improvement is needed across the board. Areas where improvement is necessary emerge from the data. They include:
- Implementing anti-phishing measures and user education.
- Establishing formal supply chain risk assessment processes.
- Ensuring board-level cybersecurity governance.
- Leveraging official guidance and resources from trusted sources.
- Developing comprehensive incident response capabilities.
Conclusion
Cased Dimensions can help your organisation deal with the cybersecurity threats and challenges outlined in the Cyber Security Breaches Survey 2025 report. We have experienced cybersecurity professionals who can help your team deliver the cyber defence actions needed in 2025 and beyond. For example:
- Conduct comprehensive risk assessments to identify vulnerabilities in your IT systems.
- Implement robust phishing defence strategies tailored to your organisation’s needs.
- Develop supply chain security protocols to protect against third-party risks.
- Establish board-level cybersecurity governance frameworks.
- Create incident response plans that minimise disruption and costs.
- Provide ongoing security awareness training for your team.
Don’t wait for an incident to occur before taking action. Experience shows that organisations with proactive cybersecurity measures and response plans fare significantly better when attacks happen. Contact Cased Dimensions for a consultation on how we can help protect your organisation against the threats outlined in this comprehensive government report.