
Businesses in the UK are taking less responsibility for cybersecurity at the board level, according to the Department for Science, Information and Technology’s (DSIT) Cyber Security Breaches Survey 2025.
Just over four in 10 businesses discovered a cyber breach over the past 12 months. Of those, phishing attempts – when attackers send malicious emails disguised as legitimate communications – were by far the most common, with 18% of all businesses in the UK having suffered such an attack.
Of the businesses that identified a breach, over half of respondents said they had experienced a cyber incident at least once a month. A third said these attacks were weekly.
Although the figures are worryingly high, they’re a broad improvement compared with 2024, when half of all companies surveyed had experienced a breach or attack – roughly 718,000 businesses. DSIT attributes the marginal improvement to fewer small or micro-businesses identifying attacks.
For mid-sized businesses or enterprises, the prevalence of cyber incidents was roughly similar to the previous year. It may be that small- or micro-sized businesses are simply not as practised at identifying the threats when they do occur.
Yet even with these improvements, there’s still a long way to go – and part of the problem seems to be that organisations are instituting basic cyber hygiene, but stopping there.
Phishing the top threat – but ransomware has doubled
Ransomware may be the scariest cyber threat going for technology leaders – but it’s phishing that’s still plaguing UK businesses the most. It’s little surprise that phishing remains the most persistent cyber threat – it’s easy to perform and it’s effective.
“Email has been the number-one threat vector for many years now because it continues to work,” says Matt Cooke, who is a cybersecurity strategist at Proofpoint. “Even as these threats become more commonplace and people are more aware of them, employees still engage in risky practices.”
“That’s got to change if we’re to stop phishing,” Cooke adds. “Cybercriminals won’t stop targeting people until their methods stop working – so it’s vital everyone’s aware of, and trained to identify, the risks.”
The wider availability of generative AI is likely also assisting cyber attackers, Cooke says.
“AI can supercharge phishing by increasing the ease, speed and volume of attacks while making social engineering more believable,” says Cooke. AI can assist cybercriminals in drafting convincing phishing emails, engaging in fraudulent phone calls and creating fake imagery to make their messages more convincing, Cooke adds, making victims susceptible to their attacks.
Phishing may be the most prevalent attack type suffered by businesses in the UK, but ransomware attacks doubled from 0.5% of all businesses in the 2024 report to 1% in the 2025 edition. Large businesses were more likely to suffer, at 14% compared with 6% of businesses overall.
One in 100 doesn’t sound like terrible odds – but the attacks often prove an existential threat for organisations, halting business completely or disrupting operations for months or even years. So it’s little surprise that, according to some estimates, ransomware is the chief security concern among the C-suite.
The underground ransomware economy has become more widely distributed and easier to use, making conducting the attacks simpler than ever. ‘Access brokers’ provide routes in by breaching the perimeter of their targets, while ransomware-as-a-service operators point malware at the victims and conduct the extortion itself. All take their cut and, with the professionalisation of these bespoke ransom services, the barrier to entry for would-be cybercriminals is extremely low.
Worse, other than building in redundancy and back-ups, there’s little that victims can do. And even if they pay, they’re not guaranteed to get their data back.
“Threats such as ransomware aren’t going away,” says David Shepherd, who is a senior executive for the EMEA region at Ivanti, a cybersecurity vendor. “To stay ahead of evolving threats, leaders must champion a proactive, integrated approach that gives their teams visibility and control.”
UK plc is improving its cyber hygiene – but there’s a way to go
Cyber hygiene has improved compared with the previous year. Most larger businesses had a formal cybersecurity strategy in place. And the majority of all businesses, no matter their size, had implemented basic technical controls including introducing network firewalls and updated malware protection, according to the report.
The 2023 reworking of the National Cyber Security Centre’s (NCSC) Cyber Essentials scheme, which aims to boost cybersecurity best practice among UK organisations, may have helped. Uptake of the scheme since then has increased by a fifth, notes Joe Fielding, managing director for the EMEA region at encrypted hardware manufacturer Apricorn.
Yet more than half of those that signed up to the scheme, Fielding says, reported that the five security controls in it are the only cyber assurance they have.
“A deeper dive into how those controls are applied shows there’s still work to be done,” he says. “Overall, the survey reveals a patchwork approach to security controls. Organisations need to be more consistent in the way they follow the security measures.”
Equally, the cyber industry needs to be mindful of events playing out on the world stage. Geopolitical turbulence, Fielding notes, makes it more likely that “the veracity and frequency of attacks will increase, aided and abetted by AI and cybercrime-as-a-service”.
To establish a more robust security baseline across all sectors of the economy, organisations will need to stop “cherry-picking controls”.
C-suite cyber responsibility plummets
A coordinated, proactive approach is the only way to stay ahead of cyber threats. But, according to the report, board-level responsibility for cybersecurity is in sharp decline.
Only 27% of organisations had a board member responsible for cybersecurity in 2025, compared with 38% in 2021.
This, says Cooke at Proofpoint, is a “particularly worrying development”. Although board members and CISOs agree that cybersecurity is a major threat to their businesses, this has not translated into unified executive action.
“Cybersecurity can’t be treated as an afterthought by anyone in an organisation, but particularly those at board level, who control the purse strings and business priorities,” says Cooke.
According to Shepherd, IT and security leaders do not always act in tandem with each other. They operate in silos.
“Businesses can’t afford to treat cybersecurity as an IT issue,” Cooke says. “It’s got to be a shared, strategic priority across leadership, starting with closer alignment between the CIO and CISO.”
Instead, CIOs and CISOs should consolidate resources, share personnel, data and technology to identify security gaps.
Only by taking such action can organisations drive towards proactive risk management, rather than “reactive firefighting”.