On 30 April 2026, the Department for Science, Innovation and Technology (DSIT) and the Home Office published the Cyber Security Breaches Survey 2025/2026 — the UK government’s most authoritative annual measurement of how businesses and charities are faring against cyber crime. Its headline finding is stark: 43 per cent of UK businesses identified a cyber security breach or attack in the last 12 months. Scaled across the business population, that equates to roughly 612,000 organisations, and an estimated 5.19 million cyber crimes of all types committed against UK businesses over the year. For a country that has spent a decade urging firms to take cyber security seriously, the numbers describe a threat that is still winning the volume war.
Two weeks later, on 14 May 2026, the Information Commissioner’s Office (ICO) sharpened the picture with a five-step advisory on AI-powered cyber threats, warning that AI-enhanced phishing, deepfake social engineering and automated vulnerability scanning are accelerating the pace of attack faster than most small and medium-sized enterprises can react. Read together, the two documents tell a single story. The tools available to attackers are compounding, yet the defensive basics remain thinly adopted: only 5 per cent of UK businesses hold Cyber Essentials certification, just 31 per cent place cyber security responsibility at board level, and fewer than half use two-factor authentication. This article breaks down what the survey found, why the gap between attacker capability and SME readiness has never been wider, and what a proactive, managed IT support posture looks like against the 2026 threat landscape.
What the Cyber Security Breaches Survey 2025/2026 Actually Found
The Cyber Security Breaches Survey — commonly abbreviated to CSBS — is an official National Statistic. It draws on a representative sample of UK businesses and registered charities and, crucially, feeds directly into the National Cyber Strategy. When DSIT and the Home Office jointly report that 43 per cent of businesses were breached, that figure carries the weight of government methodology rather than vendor marketing. The 2025/2026 edition estimates that around 612,000 businesses experienced a breach or attack, and that some 267,000 businesses — roughly 19 per cent — were victims of cyber crime specifically, as distinct from lower-level attacks that were repelled before causing harm.
The composition of the threat has shifted in instructive ways. Phishing remains the dominant vector by a wide margin, identified by 38 per cent of businesses, and among those breached, 51 per cent experienced phishing only — up from 45 per cent the previous year. That concentration matters: it tells us the single most common way a UK business is compromised is still a convincing email, message or call, not an exotic zero-day. Meanwhile, some higher-profile categories have receded. Ransomware fell to 1 per cent prevalence, down from 3 per cent in each of the previous two years, and impersonation attacks dropped to 12 per cent from 17 per cent in 2023. The volume threat is human-directed and social; the tail risk is destructive.
The most uncomfortable readings are the governance numbers. Only 31 per cent of businesses have someone at board or senior-management level with explicit responsibility for cyber security — an improvement on 27 per cent, but still a minority. Only 30 per cent conduct a risk assessment covering cyber security. Only 47 per cent hold any form of cyber insurance. And the adoption of technical fundamentals is sobering: 47 per cent use two-factor authentication and just 36 per cent deploy a VPN for remote staff. These are not advanced controls. They are the entry-level hygiene the government has promoted for years, and the majority of UK businesses still do not have them consistently in place.
The survey measures the last 12 months — a period before AI-powered phishing and deepfake social engineering reached today’s maturity. The ICO’s 14 May 2026 advisory is explicit that AI is lowering the skill barrier for attackers and shrinking the window between vulnerability discovery and exploitation. If 43 per cent of businesses were breached under the old conditions, an SME relying on the same thin controls — no MFA, no board oversight, no managed monitoring — is walking into a materially harder threat environment. The gap between what attackers can automate and what most organisations have deployed is the defining cyber risk of 2026.
The Chronology: How the 2026 Picture Came Together
The survey did not land in isolation. It arrived alongside a run of regulatory and threat-intelligence signals that, taken together, define the UK SME cyber landscape for the second half of 2026.
Breach Rates by Business Size
The headline 43 per cent masks a strong size gradient. The larger the organisation — and the more valuable and interconnected its data — the more likely it is to be attacked. But the picture is not simply “big firms get hit more”: micro and small businesses are breached at rates that would alarm any board, and they typically have the fewest resources to respond.
The gradient carries a governance lesson. Large businesses are breached at 69 per cent and medium at 65 per cent — but those same organisations are far more likely to have board-level oversight (68 per cent of large businesses versus 29 per cent of micro businesses). Micro and small firms sit at 42 and 46 per cent breach rates with a fraction of the governance maturity. For an SME, the message is not “we’re too small to be a target”; it is “we are targeted at nearly the same rate as everyone else, with far less protection standing behind us”.
The Certification Gap in a Single Number
If one figure captures the UK’s cyber posture in 2026, it is the Cyber Essentials adoption rate. The scheme is a decade old, is government-backed, is often mandatory for public-sector contracts, and costs an SME roughly £300–£500 to certify at the basic level. Yet only 5 per cent of businesses hold it — an improvement from 3 per cent last year, but still a rounding error against the 43 per cent that were breached. The donut below visualises the scale of the missed opportunity: 95 out of every 100 UK businesses have not completed a certification that would force them to implement the exact five controls that block the majority of common attacks.
The controls behind that badge are not abstract. Firewalls and secure configuration close off the easy network doors; user access control and malware protection limit what an intruder can do once inside; patch management — applying security updates within the scheme’s 14-day expectation — removes the vulnerabilities that automated scanners hunt for. The ICO’s May 2026 advisory explicitly names getting Cyber Essentials and layering additional defences as its second of five steps. When a government privacy regulator points businesses at a certification scheme in the same breath as warning about AI malware, the 5 per cent adoption figure stops looking like an oversight and starts looking like the country’s single biggest addressable risk.
Where Most UK SMEs Are Exposed Today
The survey’s control-adoption data lets us build an honest scorecard of where the typical UK SME stands. Each row below reflects a figure from the 2025/2026 survey or the ICO advisory; the badge indicates the severity of the exposure for a business that has not addressed it.
Read down the list and a pattern emerges: the failures cluster in exactly the two areas AI-powered attackers exploit most efficiently. Weak authentication (53 per cent without MFA) and unmanaged remote access (64 per cent without a VPN) are precisely the doors that credential-stuffing tools and automated scanners are built to test at scale. Meanwhile supply-chain oversight — only 15 per cent reviewing immediate suppliers and 6 per cent the wider chain — leaves the majority of SMEs blind to risks that arrive through a trusted third party rather than the front door.
The Cost of Certification Versus the Cost of a Breach
The economic case for closing the gap is not marginal. Cyber Essentials certification costs an SME roughly £300–£500 at the basic level. The survey records that the financial impact of breaches on revenue and share value rose from 2 per cent to 5 per cent year on year, and reputational damage from 1 per cent to 3 per cent — both moving in the wrong direction. The table below frames typical annualised investment bands for UK SMEs against the size of the risk they offset. Figures are indicative planning ranges, not quotes.
| Business band | Breach exposure (CSBS) | Indicative baseline investment / year | What it buys |
|---|---|---|---|
| Micro (1–9 staff) | 42% breached | £300–£500 CE + managed support from £15/user/month | Cyber Essentials, managed anti-virus, patching, monitoring |
| Small (10–49 staff) | 46% breached | CE + support from £30/user/month (Assurance tier) | Above + MFA rollout, remote support, account manager |
| Medium (50–249 staff) | 65% breached | CE Plus + support from £50/user/month (Ultimate tier) | Above + onsite support, hands-on vulnerability testing |
| Any size (board oversight) | Only 31% have it | Virtual CIO engagement (fraction of full-time cost) | Board-level risk ownership, roadmap, insurance readiness |
| Any size (data protection) | Only 30% assess risk | Risk assessment + DPIA under ICO step 5 | Documented exposure, minimisation, encryption of PII |
Reactive Versus Proactive: Two Postures Against the Same Threat
The survey ultimately measures the difference between two operating models. The majority posture — wait for something to break, then react — is the one that produced a 43 per cent breach rate. The alternative is proactive, managed IT support: continuous monitoring, enforced controls and governance that treats cyber risk as a standing business item rather than an emergency.
Reactive posture
What most UK SMEs do today
- No Cyber Essentials — controls unverified and inconsistent
- MFA and VPN left to individual staff choice, if used at all
- Patching happens when someone remembers, not on a schedule
- No board owner; cyber surfaces only after an incident
- Phishing lands because nothing filters, trains or monitors
- Supplier and supply-chain risk unreviewed and invisible
- Response improvised; no tested incident plan
Proactive posture
Where managed IT support takes you
- Cyber Essentials achieved and maintained on annual renewal
- MFA enforced org-wide; VPN standard for all remote access
- Patch management to the 14-day expectation, monitored
- Virtual CIO gives cyber a named board-level owner
- 24/7 monitoring and managed anti-virus catch threats early
- Supplier risk reviewed as part of ongoing IT governance
- Documented incident response, rehearsed and ready
The distance between these columns is the distance between the 5 per cent and the 95 per cent. It is not a question of exotic technology — every item in the proactive column is achievable for an SME through a managed support arrangement priced from £15 per user per month. The barrier is organisational, not financial.
An SME that does nothing else this quarter should do four things: enforce two-factor authentication on every account (closes the 53 per cent gap), deploy a VPN for all remote staff (closes the 64 per cent gap), put patch management on a 14-day schedule, and book a Cyber Essentials assessment. These four map directly to the survey’s biggest exposure lines and to the ICO’s step 3 (“restrict access, use MFA, manage supply chain”). A managed IT support provider can implement all four within a single onboarding cycle — no capital outlay, no in-house expertise required.
At a Glance: The 2025/2026 Survey in Numbers
| Metric | Figure | Movement |
|---|---|---|
| UK businesses identifying a breach or attack | 43% (~612,000) | Persistently high |
| Estimated cyber crimes against UK businesses | 5.19 million | Whole-population estimate |
| Businesses victim of cyber crime specifically | 19% (~267,000) | — |
| Phishing prevalence | 38% | Dominant vector |
| Breached victims experiencing phishing only | 51% | Up from 45% |
| Ransomware prevalence | 1% | Down from 3% |
| Impersonation attacks | 12% | Down from 17% (2023) |
| Cyber Essentials adoption | 5% | Up from 3% |
| Board-level cyber responsibility | 31% | Up from 27% |
| Two-factor authentication use | 47% | Minority |
| VPN for remote staff | 36% | Minority |
| Cyber security risk assessment conducted | 30% | Minority |
| Any form of cyber insurance | 47% | Minority |
| Immediate supplier risk reviewed | 15% | Low |
| Businesses using an external IT provider | 27% (51% of medium) | Rising |
How This Fits the Wider 2026 Threat Picture
The survey does not stand alone — it is the statistical backbone under a run of specific 2026 threats we have tracked. The dominance of phishing and social engineering it records is exactly what played out in the £2.5bn Jaguar Land Rover cyberattack, where supply-chain disruption cascaded far beyond the initial target. The certification gap it exposes is why the incoming Cyber Security and Resilience Bill is pushing baseline duties onto more organisations. And the “shrinking window between vulnerability and exploitation” the ICO warns about is visible in this summer’s vulnerability wave — from the SharePoint CVE-2026-45659 remote-code-execution exploit to Oracle E-Business Suite CVE-2026-46817 and the record 206-CVE Microsoft Patch Tuesday in June 2026. Each is a live example of the automated, fast-moving exploitation the survey’s aggregate numbers describe — and each reinforces why patch management and monitoring cannot be left to chance. The same VoIP and telephony estates are equally in scope, as the Cisco Unified CM CVE-2026-20230 exploit demonstrated.
Close the gap before the next survey measures you
Cloudswitched Managed IT Support gives UK SMEs the proactive posture the survey shows most businesses lack — 24/7 monitoring, managed anti-virus, patch management to the 14-day expectation, MFA rollout and a dedicated account manager, from £15 per user per month.
Talk to us about Managed IT SupportFrequently Asked Questions
Be in the 5 per cent, not the 43 per cent
The Cyber Security Breaches Survey is clear: the businesses that stay ahead are the ones that make cyber security a managed, proactive discipline. Cloudswitched Managed IT Support brings monitoring, patching, MFA, Cyber Essentials readiness and board-level oversight together in one predictable monthly service for UK SMEs.
Talk to us about Managed IT Support


