Back to News

Cyber Security Breaches Survey 2026: 43% of UK Businesses Breached — What the 612,000-Company Figure Means for Your Proactive IT Support Plan

Cyber Security Breaches Survey 2026: 43% of UK Businesses Breached — What the 612,000-Company Figure Means for Your Proactive IT Support Plan

On 30 April 2026, the Department for Science, Innovation and Technology (DSIT) and the Home Office published the Cyber Security Breaches Survey 2025/2026 — the UK government’s most authoritative annual measurement of how businesses and charities are faring against cyber crime. Its headline finding is stark: 43 per cent of UK businesses identified a cyber security breach or attack in the last 12 months. Scaled across the business population, that equates to roughly 612,000 organisations, and an estimated 5.19 million cyber crimes of all types committed against UK businesses over the year. For a country that has spent a decade urging firms to take cyber security seriously, the numbers describe a threat that is still winning the volume war.

Two weeks later, on 14 May 2026, the Information Commissioner’s Office (ICO) sharpened the picture with a five-step advisory on AI-powered cyber threats, warning that AI-enhanced phishing, deepfake social engineering and automated vulnerability scanning are accelerating the pace of attack faster than most small and medium-sized enterprises can react. Read together, the two documents tell a single story. The tools available to attackers are compounding, yet the defensive basics remain thinly adopted: only 5 per cent of UK businesses hold Cyber Essentials certification, just 31 per cent place cyber security responsibility at board level, and fewer than half use two-factor authentication. This article breaks down what the survey found, why the gap between attacker capability and SME readiness has never been wider, and what a proactive, managed IT support posture looks like against the 2026 threat landscape.

612,000
UK businesses breached in 12 months (DSIT, 30 Apr 2026)
5.19m
Estimated cyber crimes against UK businesses per year
43%
Share of UK businesses identifying a breach or attack
5%
UK businesses holding Cyber Essentials (up from 3%)

What the Cyber Security Breaches Survey 2025/2026 Actually Found

The Cyber Security Breaches Survey — commonly abbreviated to CSBS — is an official National Statistic. It draws on a representative sample of UK businesses and registered charities and, crucially, feeds directly into the National Cyber Strategy. When DSIT and the Home Office jointly report that 43 per cent of businesses were breached, that figure carries the weight of government methodology rather than vendor marketing. The 2025/2026 edition estimates that around 612,000 businesses experienced a breach or attack, and that some 267,000 businesses — roughly 19 per cent — were victims of cyber crime specifically, as distinct from lower-level attacks that were repelled before causing harm.

The composition of the threat has shifted in instructive ways. Phishing remains the dominant vector by a wide margin, identified by 38 per cent of businesses, and among those breached, 51 per cent experienced phishing only — up from 45 per cent the previous year. That concentration matters: it tells us the single most common way a UK business is compromised is still a convincing email, message or call, not an exotic zero-day. Meanwhile, some higher-profile categories have receded. Ransomware fell to 1 per cent prevalence, down from 3 per cent in each of the previous two years, and impersonation attacks dropped to 12 per cent from 17 per cent in 2023. The volume threat is human-directed and social; the tail risk is destructive.

The most uncomfortable readings are the governance numbers. Only 31 per cent of businesses have someone at board or senior-management level with explicit responsibility for cyber security — an improvement on 27 per cent, but still a minority. Only 30 per cent conduct a risk assessment covering cyber security. Only 47 per cent hold any form of cyber insurance. And the adoption of technical fundamentals is sobering: 47 per cent use two-factor authentication and just 36 per cent deploy a VPN for remote staff. These are not advanced controls. They are the entry-level hygiene the government has promoted for years, and the majority of UK businesses still do not have them consistently in place.

Why this matters right now

The survey measures the last 12 months — a period before AI-powered phishing and deepfake social engineering reached today’s maturity. The ICO’s 14 May 2026 advisory is explicit that AI is lowering the skill barrier for attackers and shrinking the window between vulnerability discovery and exploitation. If 43 per cent of businesses were breached under the old conditions, an SME relying on the same thin controls — no MFA, no board oversight, no managed monitoring — is walking into a materially harder threat environment. The gap between what attackers can automate and what most organisations have deployed is the defining cyber risk of 2026.

The Chronology: How the 2026 Picture Came Together

The survey did not land in isolation. It arrived alongside a run of regulatory and threat-intelligence signals that, taken together, define the UK SME cyber landscape for the second half of 2026.

2014 – Cyber Essentials launches
The NCSC-backed scheme sets out five technical controls — firewalls, secure configuration, user access control, malware protection and patch management. A decade on, adoption still sits at only 5 per cent of businesses.
2023 – Impersonation attacks peak
Impersonation attacks affect 17 per cent of businesses. By 2025/2026 that figure falls to 12 per cent, as attackers consolidate around scalable phishing rather than bespoke impersonation.
Prior 2 years – Ransomware at 3%
Ransomware prevalence holds at 3 per cent for two consecutive years before declining to 1 per cent in the latest survey — still the most financially destructive category despite lower frequency.
Last 12 months – 612,000 businesses breached
Across the survey period, 43 per cent of businesses identify a breach or attack; an estimated 5.19 million cyber crimes are committed against the UK business population; 267,000 businesses fall victim to cyber crime specifically.
30 April 2026 – CSBS 2025/2026 published
DSIT and the Home Office release the Cyber Security Breaches Survey. Cyber Essentials adoption rises to 5 per cent (from 3 per cent); board-level responsibility improves to 31 per cent (from 27 per cent); financial impact of breaches on revenue and share value rises from 2 per cent to 5 per cent year on year.
14 May 2026 – ICO AI threat advisory
The Information Commissioner’s Office publishes five steps to protect organisations from AI-powered cyber threats, covering AI-enhanced phishing, deepfakes, automated scanning, AI malware and credential stuffing.
Mid-2026 – External provider adoption climbs
27 per cent of businesses now use an external IT provider or consultant, rising to 51 per cent of medium businesses; 44 per cent of micro businesses now have an external cyber security provider, up from 39 per cent.
H2 2026 – The reaction window
With AI-accelerated attacks and a low baseline of controls, the second half of 2026 becomes the practical deadline for UK SMEs to close the readiness gap the survey exposes.

Breach Rates by Business Size

The headline 43 per cent masks a strong size gradient. The larger the organisation — and the more valuable and interconnected its data — the more likely it is to be attacked. But the picture is not simply “big firms get hit more”: micro and small businesses are breached at rates that would alarm any board, and they typically have the fewest resources to respond.

Large businesses breached
69%
Medium businesses breached
65%
Small businesses breached
46%
All businesses (average)
43%
Micro businesses breached
42%
Phishing prevalence
38%
Businesses victim of cyber crime
19%

The gradient carries a governance lesson. Large businesses are breached at 69 per cent and medium at 65 per cent — but those same organisations are far more likely to have board-level oversight (68 per cent of large businesses versus 29 per cent of micro businesses). Micro and small firms sit at 42 and 46 per cent breach rates with a fraction of the governance maturity. For an SME, the message is not “we’re too small to be a target”; it is “we are targeted at nearly the same rate as everyone else, with far less protection standing behind us”.

The Certification Gap in a Single Number

If one figure captures the UK’s cyber posture in 2026, it is the Cyber Essentials adoption rate. The scheme is a decade old, is government-backed, is often mandatory for public-sector contracts, and costs an SME roughly £300–£500 to certify at the basic level. Yet only 5 per cent of businesses hold it — an improvement from 3 per cent last year, but still a rounding error against the 43 per cent that were breached. The donut below visualises the scale of the missed opportunity: 95 out of every 100 UK businesses have not completed a certification that would force them to implement the exact five controls that block the majority of common attacks.

5%
Share of UK businesses holding Cyber Essentials certification — leaving 95% without the government’s baseline five controls formally verified

The controls behind that badge are not abstract. Firewalls and secure configuration close off the easy network doors; user access control and malware protection limit what an intruder can do once inside; patch management — applying security updates within the scheme’s 14-day expectation — removes the vulnerabilities that automated scanners hunt for. The ICO’s May 2026 advisory explicitly names getting Cyber Essentials and layering additional defences as its second of five steps. When a government privacy regulator points businesses at a certification scheme in the same breath as warning about AI malware, the 5 per cent adoption figure stops looking like an oversight and starts looking like the country’s single biggest addressable risk.

Where Most UK SMEs Are Exposed Today

The survey’s control-adoption data lets us build an honest scorecard of where the typical UK SME stands. Each row below reflects a figure from the 2025/2026 survey or the ICO advisory; the badge indicates the severity of the exposure for a business that has not addressed it.

The 2026 SME exposure scorecard (source: CSBS 2025/2026)
Only 5% hold Cyber Essentials — baseline controls unverified High
Only 47% use two-factor authentication High
Only 36% use a VPN for remote staff High
Only 30% conduct a cyber security risk assessment High
Only 31% have board-level cyber responsibility Mid
Only 47% hold any form of cyber insurance Mid
Only 15% review immediate supplier cyber risk Mid
Only 6% review wider supply-chain cyber risk Low base

Read down the list and a pattern emerges: the failures cluster in exactly the two areas AI-powered attackers exploit most efficiently. Weak authentication (53 per cent without MFA) and unmanaged remote access (64 per cent without a VPN) are precisely the doors that credential-stuffing tools and automated scanners are built to test at scale. Meanwhile supply-chain oversight — only 15 per cent reviewing immediate suppliers and 6 per cent the wider chain — leaves the majority of SMEs blind to risks that arrive through a trusted third party rather than the front door.

The Cost of Certification Versus the Cost of a Breach

The economic case for closing the gap is not marginal. Cyber Essentials certification costs an SME roughly £300–£500 at the basic level. The survey records that the financial impact of breaches on revenue and share value rose from 2 per cent to 5 per cent year on year, and reputational damage from 1 per cent to 3 per cent — both moving in the wrong direction. The table below frames typical annualised investment bands for UK SMEs against the size of the risk they offset. Figures are indicative planning ranges, not quotes.

Business band Breach exposure (CSBS) Indicative baseline investment / year What it buys
Micro (1–9 staff) 42% breached £300–£500 CE + managed support from £15/user/month Cyber Essentials, managed anti-virus, patching, monitoring
Small (10–49 staff) 46% breached CE + support from £30/user/month (Assurance tier) Above + MFA rollout, remote support, account manager
Medium (50–249 staff) 65% breached CE Plus + support from £50/user/month (Ultimate tier) Above + onsite support, hands-on vulnerability testing
Any size (board oversight) Only 31% have it Virtual CIO engagement (fraction of full-time cost) Board-level risk ownership, roadmap, insurance readiness
Any size (data protection) Only 30% assess risk Risk assessment + DPIA under ICO step 5 Documented exposure, minimisation, encryption of PII

Reactive Versus Proactive: Two Postures Against the Same Threat

The survey ultimately measures the difference between two operating models. The majority posture — wait for something to break, then react — is the one that produced a 43 per cent breach rate. The alternative is proactive, managed IT support: continuous monitoring, enforced controls and governance that treats cyber risk as a standing business item rather than an emergency.

Reactive posture

What most UK SMEs do today

  • No Cyber Essentials — controls unverified and inconsistent
  • MFA and VPN left to individual staff choice, if used at all
  • Patching happens when someone remembers, not on a schedule
  • No board owner; cyber surfaces only after an incident
  • Phishing lands because nothing filters, trains or monitors
  • Supplier and supply-chain risk unreviewed and invisible
  • Response improvised; no tested incident plan

Proactive posture

Where managed IT support takes you

  • Cyber Essentials achieved and maintained on annual renewal
  • MFA enforced org-wide; VPN standard for all remote access
  • Patch management to the 14-day expectation, monitored
  • Virtual CIO gives cyber a named board-level owner
  • 24/7 monitoring and managed anti-virus catch threats early
  • Supplier risk reviewed as part of ongoing IT governance
  • Documented incident response, rehearsed and ready

The distance between these columns is the distance between the 5 per cent and the 95 per cent. It is not a question of exotic technology — every item in the proactive column is achievable for an SME through a managed support arrangement priced from £15 per user per month. The barrier is organisational, not financial.

47%
Share of UK businesses using two-factor authentication — meaning 53% still rely on passwords alone against AI-driven credential-stuffing attacks
Practical tip: start with the four controls attackers exploit most

An SME that does nothing else this quarter should do four things: enforce two-factor authentication on every account (closes the 53 per cent gap), deploy a VPN for all remote staff (closes the 64 per cent gap), put patch management on a 14-day schedule, and book a Cyber Essentials assessment. These four map directly to the survey’s biggest exposure lines and to the ICO’s step 3 (“restrict access, use MFA, manage supply chain”). A managed IT support provider can implement all four within a single onboarding cycle — no capital outlay, no in-house expertise required.

At a Glance: The 2025/2026 Survey in Numbers

Metric Figure Movement
UK businesses identifying a breach or attack 43% (~612,000) Persistently high
Estimated cyber crimes against UK businesses 5.19 million Whole-population estimate
Businesses victim of cyber crime specifically 19% (~267,000)
Phishing prevalence 38% Dominant vector
Breached victims experiencing phishing only 51% Up from 45%
Ransomware prevalence 1% Down from 3%
Impersonation attacks 12% Down from 17% (2023)
Cyber Essentials adoption 5% Up from 3%
Board-level cyber responsibility 31% Up from 27%
Two-factor authentication use 47% Minority
VPN for remote staff 36% Minority
Cyber security risk assessment conducted 30% Minority
Any form of cyber insurance 47% Minority
Immediate supplier risk reviewed 15% Low
Businesses using an external IT provider 27% (51% of medium) Rising

How This Fits the Wider 2026 Threat Picture

The survey does not stand alone — it is the statistical backbone under a run of specific 2026 threats we have tracked. The dominance of phishing and social engineering it records is exactly what played out in the £2.5bn Jaguar Land Rover cyberattack, where supply-chain disruption cascaded far beyond the initial target. The certification gap it exposes is why the incoming Cyber Security and Resilience Bill is pushing baseline duties onto more organisations. And the “shrinking window between vulnerability and exploitation” the ICO warns about is visible in this summer’s vulnerability wave — from the SharePoint CVE-2026-45659 remote-code-execution exploit to Oracle E-Business Suite CVE-2026-46817 and the record 206-CVE Microsoft Patch Tuesday in June 2026. Each is a live example of the automated, fast-moving exploitation the survey’s aggregate numbers describe — and each reinforces why patch management and monitoring cannot be left to chance. The same VoIP and telephony estates are equally in scope, as the Cisco Unified CM CVE-2026-20230 exploit demonstrated.

Close the gap before the next survey measures you

Cloudswitched Managed IT Support gives UK SMEs the proactive posture the survey shows most businesses lack — 24/7 monitoring, managed anti-virus, patch management to the 14-day expectation, MFA rollout and a dedicated account manager, from £15 per user per month.

Talk to us about Managed IT Support

Frequently Asked Questions

How many UK businesses were breached according to the 2026 survey?
The Cyber Security Breaches Survey 2025/2026, published by DSIT and the Home Office on 30 April 2026, found that 43 per cent of UK businesses identified a cyber security breach or attack in the last 12 months — roughly 612,000 organisations. An estimated 5.19 million cyber crimes of all types were committed against the UK business population, and around 267,000 businesses (19 per cent) were victims of cyber crime specifically. The figure has stayed persistently high across recent editions of the survey, underlining that the volume of attacks against UK firms is not falling.
Why do only 5 per cent of businesses hold Cyber Essentials?
Cyber Essentials adoption rose from 3 to 5 per cent in the latest survey, but remains low despite the scheme being government-backed, a decade old, and inexpensive at roughly £300–£500 for SMEs. The main barriers are awareness and organisational inertia rather than cost: many small firms either do not know the scheme exists, assume they are too small to be a target, or lack an internal owner to drive certification. Because the five controls behind the badge — firewalls, secure configuration, access control, malware protection and patch management — block the majority of common attacks, the low adoption rate represents the UK’s single biggest addressable cyber risk.
What is the most common type of cyber attack on UK businesses?
Phishing, by a wide margin. The survey found phishing affected 38 per cent of businesses, and among those breached, 51 per cent experienced phishing only — up from 45 per cent the previous year. This means the single most common route to compromising a UK business is still a convincing email, message or call rather than a technical zero-day exploit. It also explains why staff awareness, email filtering and multi-factor authentication matter so much: they target the exact vector attackers use most. The ICO’s May 2026 advisory warns that AI is now making phishing more convincing and harder to spot.
What did the ICO’s May 2026 AI threat advisory say?
On 14 May 2026 the Information Commissioner’s Office published five steps to protect organisations from AI-powered cyber threats. Step 1 is to understand the AI threats — AI-enhanced phishing, deepfake social engineering, automated vulnerability scanning, AI-generated malware and credential stuffing. Step 2 is to get Cyber Essentials and layer additional defences. Step 3 is to restrict access, use MFA and manage supply-chain risk. Step 4 is to monitor systems and maintain an incident-response plan. Step 5 is to protect personal data through DPIAs, data minimisation and encryption. The advisory’s core message is that AI is lowering the barrier for attackers and shrinking the time between vulnerability discovery and exploitation.
Are larger businesses more likely to be breached than SMEs?
Yes, but the gap is smaller than many assume. The survey recorded breach rates of 69 per cent for large businesses, 65 per cent for medium, 46 per cent for small and 42 per cent for micro businesses. So while size increases exposure, micro and small firms are still breached at rates close to the overall average of 43 per cent. The critical difference is defensive maturity: 68 per cent of large businesses have board-level cyber responsibility versus just 29 per cent of micro businesses. Smaller firms are attacked at nearly the same rate but with far less protection and governance behind them, which makes proactive managed support especially valuable at the SME end.
How much does two-factor authentication adoption matter?
A great deal. Only 47 per cent of UK businesses use two-factor authentication, meaning 53 per cent still rely on passwords alone. Against AI-driven credential-stuffing attacks — where automated tools test stolen or guessed passwords across accounts at scale — a password-only account is one of the easiest targets available. MFA blocks the overwhelming majority of these automated attempts because a stolen password alone is no longer enough to gain access. Enforcing MFA organisation-wide is one of the highest-impact, lowest-cost controls an SME can implement, and it maps directly to the ICO’s step 3 and to the user access control pillar of Cyber Essentials.
Why has ransomware fallen while overall breaches stay high?
Ransomware prevalence fell to 1 per cent, down from 3 per cent in each of the previous two years, and impersonation attacks dropped to 12 per cent from 17 per cent in 2023. This does not mean the threat is receding overall — it reflects a shift in attacker economics towards high-volume, low-effort phishing rather than bespoke, resource-intensive campaigns. Ransomware remains the most financially destructive category despite its lower frequency, so it must not be dismissed. The practical takeaway is that defences should be weighted towards the dominant volume threat (phishing and credential attacks) while retaining resilience — tested backups and incident response — against the rarer but catastrophic ransomware event.
What does board-level cyber responsibility actually involve?
The survey found only 31 per cent of businesses have someone at board or senior-management level with explicit responsibility for cyber security, rising from 27 per cent. Board-level responsibility means a named owner who treats cyber risk as a standing business item: reviewing the organisation’s risk assessment, signing off security investment, ensuring insurance and compliance obligations are met, and being accountable when an incident occurs. For SMEs that cannot justify a full-time Chief Information Security Officer, a Virtual CIO engagement provides this oversight at a fraction of the cost — giving cyber security a genuine seat at the leadership table rather than leaving it to whoever happens to manage IT.
How does managed IT support reduce breach risk in practice?
Managed IT support converts the ad-hoc, reactive posture that produced the 43 per cent breach rate into a proactive one. In practice that means 24/7 monitoring so threats are caught early, managed anti-virus and patch management applied on schedule rather than when someone remembers, enforced MFA and VPN for remote access, and a dedicated account manager who keeps controls current. It also brings the governance the survey shows most SMEs lack — documented risk assessment, incident response planning and supplier oversight. Cloudswitched delivers this from £15 per user per month at the Essentials tier, with MFA rollout, remote support and account management at the Assurance tier from £30 per user per month.
Should a small business review its suppliers’ cyber security?
Yes — and the survey shows this is one of the most neglected areas. Only 15 per cent of businesses review the cyber risks posed by their immediate suppliers, and just 6 per cent review the wider supply chain. Yet attacks increasingly arrive through a trusted third party rather than the front door, and incidents such as the Jaguar Land Rover disruption showed how supply-chain compromise cascades across connected organisations. Reviewing supplier risk need not be onerous: confirming key suppliers hold Cyber Essentials, checking how they handle your data, and including cyber requirements in contracts covers most of the exposure. A managed IT provider or Virtual CIO can fold this into ongoing governance rather than treating it as a one-off exercise.

Be in the 5 per cent, not the 43 per cent

The Cyber Security Breaches Survey is clear: the businesses that stay ahead are the ones that make cyber security a managed, proactive discipline. Cloudswitched Managed IT Support brings monitoring, patching, MFA, Cyber Essentials readiness and board-level oversight together in one predictable monthly service for UK SMEs.

Talk to us about Managed IT Support
Tags:Cyber SecurityIT SupportCyber Essentials
CloudSwitched

London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.

CloudSwitched Service

Cyber Essentials Certification

End-to-end Cyber Essentials Plus certification and ongoing security services

Learn More

Technology Stack

Powered by industry-leading technologies including SolarWinds, Cloudflare, BitDefender, AWS, Microsoft Azure, and Cisco Meraki to deliver secure, scalable, and reliable IT solutions.

SolarWinds
Cloudflare
BitDefender
AWS
Hono
Opus
Office 365
Microsoft
Cisco Meraki
Microsoft Azure

Latest Articles

18
  • Internet & Connectivity

How to Set Up SD-WAN for Multi-Site Connectivity

18 Mar, 2026

Read more
11
  • Cloud Email

The Complete Guide to Microsoft 365 Backup

11 Mar, 2026

Read more
23
  • IT Office Moves

Lessons Learned from 100 Office IT Moves

23 Mar, 2026

Read more

Enquiry Received!

Thank you for getting in touch. A member of our team will review your enquiry and get back to you within 24 hours.