Cyber threats to UK organizations remain widespread and serious

The latest UK Government Cyber Security Breaches Survey 2025–26 confirms that cyber threats remain a major, ongoing challenge. Forty-three percent of UK businesses, 28% of charities, and 69% of large firms experienced a cyber attack or data breach in the past year. Even more concerning, 29% of respondents reported attacks happening every week.

This isn’t limited to a specific industry. Major brands like Marks & Spencer, Jaguar Land Rover, and Co-op Group have all been targeted. The reality is that any connected system is a potential entry point. As businesses digitize operations and rely more on cloud and AI-driven tools, attack surfaces expand. This transforms cyber security from a technical issue into a full-scale business risk that executives must directly handle.

Business leaders must think beyond compliance checklists. Cyber security now determines operational reliability, investor confidence, and brand reputation. When systems go down, production halts and customer trust evaporates. In an age where AI can automate both defence and offence, speed and adaptability matter. Leaders should demand real-time visibility into their systems and continuous threat simulation to identify weaknesses before attackers do.

That mindset shift, from “IT problem” to “business resilience”, isn’t optional anymore. It defines who adapts and who falls behind in a digital-first economy. The goal is not to eliminate every risk but to keep resilience ahead of disruption.

The UK government is actively urging businesses to enhance cyber resilience through a formal pledge

Recognizing the accelerating threat landscape, Cyber Security Minister Liz Lloyd has called for direct executive action. She has written to over 180 CEOs and board chairs, urging them to sign the UK Government’s new Cyber Resilience Pledge. The pledge isn’t symbolic; it carries three requirements: make cyber security a board-level responsibility, subscribe to the National Cyber Security Centre’s free Early Warning service, and secure Cyber Essentials certifications across the supply chain.

These steps exist to create aligned accountability across leadership, operations, and partners. When board-level oversight meets structured defence systems, organizations not only reduce vulnerabilities but also signal to shareholders and regulators that they’re operating with discipline and foresight. As Lloyd stated, “Firms cannot afford not to take these steps.”

For decision-makers, this is an opportunity to build a long-term edge. Integrating cyber strategy within corporate governance doesn’t just protect data; it sustains trust and market stability. In the past, many boards treated security discussions as a technical formality. That approach no longer works. Executives must view cyber resilience as an investment in continuity, not a cost.

The world is going through a transformation in how it connects, automates, and scales through AI. As those systems become more powerful, their misuse potential grows too. The companies that act now, embedding resilience and transparency into leadership priorities, will be the ones defining the next phase of digital trust at a national and global level.

Some indicators suggest gradual improvement in the overall cyber resilience of UK organizations

The Cyber Security Breaches Survey 2025–26 brings cautious optimism. Overall incident rates have stabilized at 43%, down from a high of 50% in 2023–24. Ransomware reports fell significantly, from 3% to 1%, suggesting that awareness and improved controls are beginning to show results. Phishing attacks, which remain the most common form of cyber threat, affected 38% of businesses, lower than 42% two years ago, while impersonation attacks dropped from 17% to 12%.

These numbers indicate that steady investment in security frameworks, employee training, and detection systems is having measurable impact. Large enterprises, in particular, are maturing in their defences, supported by structured security operations and compliance mandates. However, this improvement shouldn’t lead to complacency. Attackers continuously refine their strategies, making even minor oversights potential vulnerabilities. Phishing remains a persistent issue, primarily because threat actors exploit human error through more credible and adaptive tactics.

The real takeaway for executives is that consistent progress is most effective when it’s measurable, proactive, and integrated into day-to-day decision-making. Periodic audits, mandatory awareness programs, and clear accountability for risk management can sustain the downward trend. The organizations that build resilience systematically, not reactively, will continue to see fewer breaches and smaller impacts over time.

Despite heightened awareness, many UK organizations are not adequately advancing their cyber defences

While large firms have improved their response mechanisms, the survey data points to persistent weaknesses among small and medium-sized enterprises (SMEs). Cyber hygiene (basic protective practices such as maintaining risk assessments, documenting cyber policies, and creating continuity plans) has been declining after previous improvements. This gap between large and small organizations continues to be one of the weakest links in the UK’s overall cyber resilience chain.

Despite the growing number of high-profile attacks, including the one affecting Marks & Spencer, many organizations still view security investment as a cost rather than a business necessity. The result is that incidents are becoming more damaging: 5% of surveyed organizations reported financial or share value losses due to cyber attacks, up from 2% the year before, and 3% reported reputational harm, up from 1%. This shows that while awareness has increased, execution has stalled.

For business leaders, the challenge lies in converting awareness into structured action. Cyber resilience must extend beyond IT departments and into operational planning, procurement, and corporate governance. Continuous improvement in defence, transparency in reporting, and swift incident response protocols are essential in maintaining trust and performance stability.

Executives must also recognize that inaction has measurable consequences. In the current threat environment, maintaining outdated systems or ignoring cyber risk policies isn’t neutral; it’s a direct operational vulnerability. A leadership-driven approach that integrates resilience as a core business goal, not just a compliance task, will determine which organizations remain secure and credible as digital threats evolve.

Fragmented government guidance and a complacent attitude toward the risks of AI compound national cyber vulnerability

The UK’s approach to cyber strategy remains fragmented, and that is slowing real progress against growing threats. According to Jonathan Lee, Strategy Director at TrendAI Cyber, awareness among boards has increased, but meaningful action has not followed. He points out that the constant stream of initiatives, frameworks, and communication channels from different government bodies has made it difficult for businesses to know which guidance to follow or prioritize. His call for “a single, coherent national voice on cyber literacy” underlines a critical leadership gap in how digital security is coordinated across sectors.

As organizations accelerate their adoption of artificial intelligence, the risks are evolving faster than most defences. Attackers are using AI to automate and personalize threats, from deepfake-based impersonation to adaptive phishing campaigns that learn from failed attempts. These capabilities make old methods of detection far less effective. Without a unified strategy and clear guidance, businesses can easily fall behind as threats become more complex and faster to execute.

Executives must see this period as an inflection point for national and corporate resilience. Relying on fragmented advice or short-term compliance will not protect operations or reputation. Boards should demand clarity, from both internal teams and national leadership, and commit to aligning business strategies with a unified, long-term cyber posture that incorporates emerging AI risks.

For organizations, complacency is now one of the biggest risk factors. The competitiveness of the UK economy depends on reliable digital infrastructure and trust in data systems. AI will accelerate innovation, but it must be matched with an equally advanced commitment to cyber defence. Preparing for that alignment is not about regulation alone; it’s about long-term survival in a digitally driven economy.

Key takeaways for leaders

  • Cyber risk is a constant business threat: Nearly half of UK businesses suffered a cyber attack in the past year, showing that digital threats remain a persistent operational risk. Leaders should treat cyber security as a core business function, not a technical issue.
  • Government action targets stronger corporate defences: The UK’s Cyber Resilience Pledge urges executives to make cyber security a board-level priority and integrate it across supply chains. Senior leaders should commit early to these measures to strengthen long-term resilience and investor confidence.
  • Modest gains show progress but not stability: Cyber incidents have fallen slightly, with ransomware and phishing declining year over year. Executives should maintain these improvements by funding ongoing awareness training and modernizing detection systems.
  • Awareness without action is increasing business exposure: Many SMEs are falling behind in cyber readiness, while financial and reputational damages are rising. Business leaders must convert awareness into practical action through risk assessments, continuity plans, and accountability frameworks.
  • AI and fragmented guidance heighten national risk: Rapid AI integration and scattered government messaging have created a vulnerable environment. Executives should push for unified guidance and ensure AI adoption is paired with advanced security measures.

Alexander Procter

May 25, 2026

7 Min
