- Key findings from the 2025 Cyber Security Breaches Survey on ransomware and phishing.
- 43% of UK businesses experienced a cyber breach in 2024—phishing and ransomware remain dominant threats
- Cyber hygiene is improving, but supply chain risks and board engagement remain weak spots
The UK's Department for Science, Innovation, and Technology last month released its Cyber Security Breaches Survey 2025, an annual piece of research designed to inform national policy and bolster the country's cyber resilience.
This study, which looks back at incidents taking place in 2024, aligned with the National Cyber Strategy, provides deep insights into how businesses, charities, and educational institutions are managing cyber threats—and what more needs to be done to make UK cyberspace a safe environment for business and innovation.
The latest data, which dovetails with the FBI's just-released 2024 Internet Crime Complaint Center report.
Cyber Breaches Were Fewer but Still Widespread
About 43% of UK businesses and 30% of charities reported experiencing a cyber breach or attack in the past year, down from 50% and 32%, respectively, in 2024. This drop is largely driven by fewer micro and small businesses reporting phishing attacks.
However, the picture isn't necessarily rosy. Medium and large businesses remain highly targeted, with 67% and 74%, respectively, reporting incidents or about the same as in 2024.
In terms of raw numbers, UK businesses experienced an estimated 8.58 million cybercrimes over the past year, while charities logged 453,000. Alarmingly, each affected business experienced an average of 30 attacks.
Cybercrime
The report does not equate every breach or cyberattack as necessarily a crime. For example, some attempted attacks will not have penetrated an organization's cyber defences, and some, such as online impersonation, would be beyond the scope of the Computer Misuse Act. Therefore, the statistics on the prevalence and financial cost of cybercrimes differ from the equivalent estimates for all cybersecurity breaches or attacks.
With that noted:
- An estimated 20% of businesses (283,000) and 14% of charities (29,000) were victims of cybercrime in the past year. Nearly half of those breached experienced a crime.
- Larger organizations are more likely to be victims.
- While overall cybercrime prevalence is stable, ransomware attacks against businesses significantly increased from <0.5% in 2024 to 1% in 2025, or about 19,000 businesses.
- Phishing remained the primary attack method, impacting 85% of businesses and 86% of charities.
- On average, the cost of non-phishing-based crime per business was £990 (or £1,970 excluding £0 reports).
- Cyber-facilitated fraud is categorized as a distinct issue affecting 3% of businesses and 1% of charities, with higher average costs (£5,900 or £10,000, excluding £0 reports).
Cyber Hygiene: Small Steps, Big Protection
Small businesses have made noticeable improvements in cyber hygiene:
- Risk assessments: up to 48% (from 41% in 2024)
- Cyber insurance: 62% (up from 49%)
- Formal cyber policies: 59% (up from 51%)
- Business continuity plans: 53% (up from 44%)
The report found most organizations have adopted basic controls like malware protection (77% of businesses), password policies (73%), and network firewalls (72%). However, more advanced measures like two-factor authentication (40%), VPNs (31%), and user monitoring (30%) remain underused.
High-income charities are slipping backward. The report found that fewer performed risk assessments (75%, down from 86%) or reviewed supplier risks (21%, down from 36%). Budget constraints may be playing a role here.
Supply Chain & Risk Management: A Blind Spot
The study found very few (14%) businesses and 9% of charities review the potential cyber risks from immediate suppliers, and even fewer look at their wider supply chain.
Larger organizations, which typically have more complex supply chains, are more proactive, but micro and small organizations lag significantly.
Board engagement is also a concern. While cybersecurity is cited as a high priority for 72% of businesses and 68% of charities, there's a trend of declining board-level responsibility for cybersecurity within businesses since 2021, dipping from 38% to 27% in 2025.
Digital Forensics and Incident Response: Room for Improvement
Internal reporting of cyber incidents is high, with businesses and charities informing senior management after an incident, which is 76% for businesses and 80% for charities, respectively.
External reporting was significantly lower, with each category only doing so around 30% to 32% of the time.
Digital Forensics and Incident Response (DFIR) plans are much more common among larger organizations, and the report found certain sectors (health, finance, communication) are more likely to have formal incident response plans.
Small businesses showed significant improvement in adopting various DFIR measures compared to 2024, but no figures were made available.
Awareness & Guidance: Official Sources Still Underused
Reliance on external consultants is common, but awareness of official guidance remains low:
It was reported that only 1% of businesses named the National Cyber Security Centre (NCSC) as a go-to source, and awareness of the Cyber Aware campaign has fallen to 24%, down from 34% in 2021.
Finally, awareness of the "10 Steps to Cyber Security" guidance sits at just 12%. The report's writers feel this signals a pressing need for more effective government outreach and education.
Staying One Step Ahead
Continuous vigilance, investment in robust defenses (basic and advanced) such as a secure email gateway, improved incident response planning, and strong staff awareness remain critical for all UK organizations navigating the digital realm.
Additional resources and mitigations can be found within Trustwave SpiderLabs' ongoing series of Industry Threat Reports, each contains a great deal of real-world, easily implemented information that can help protect your organization.
These include:
Please visit the Trustwave Resource Library for additional reports.
