
UK Government Drops the 2026 Cyber Reality Check: 612,000 Businesses Breached, Revenue Impact Doubles — The CSBS 2025/2026 Decoded for SMEs

The UK Government has just published the most authoritative read on the state of British cyber resilience: the Cyber Security Breaches Survey 2025/2026, released this morning, 30 April 2026, by the Department for Science, Innovation and Technology (DSIT) and the Home Office. It is the eleventh annual edition, drawn from random-probability interviews with 2,112 UK businesses and 1,085 UK charities between August and December 2025, and it lands as required reading for any UK SME leader, IT director, finance director or trustee who cares about Cyber Essentials, cyber insurance, or simply staying in business.

The headline number is brutal: 43% of UK businesses experienced a cyber breach or attack in the last 12 months. That extrapolates to approximately 612,000 UK businesses — plus another 57,000 charities. Phishing dominates, ransomware has receded but become more damaging, and revenue impact has more than doubled year-on-year. Below the headlines, the report exposes a set of trends that should reshape every UK SME’s 2026/27 cyber budget.

  • 612,000 UK businesses breached in the last 12 months: 43% of the entire UK business population
  • 38% of all UK businesses hit by phishing attacks; 69% of breach victims call phishing their most disruptive incident
  • 5% of breached UK businesses lost revenue or share value, up from 2% in 2024/25 (a 150% increase)
  • 5.19 million cyber crimes committed against UK businesses in the last 12 months, a mean of 19 per victim

What is at stake right now

The 2025/2026 survey was fielded between August and December 2025 — before Cyber Essentials v3.3 went live on 27 April 2026, before the spring wave of state-backed attacks documented by NCSC, and before the M&S, Co-op and Harrods Easter ransomware events. The next edition will measure 2026/27 against a far harsher backdrop. Anything you are not doing today will be visible in the next survey, in your insurance renewal, and in your customer due-diligence questionnaires within 12 months.

What the 2025/2026 survey actually says — the 12 numbers that matter

The full report runs to seven chapters and a separate Education Annex. Below are the dozen findings UK SMEs need to internalise, ranked by operational consequence rather than headline-friendliness. We will then translate them into an action plan a 10–249 employee business can actually execute.

1. The breach rate has stopped falling

43% of UK businesses experienced a cyber breach or attack in the 12 months covered by the survey. That is statistically identical to the 43% recorded in 2024/25, which means the sharp post-2023 decline (50% in 2023/24) has stalled rather than continued. Translation: the gains from pandemic-era hygiene improvements have been spent. Without renewed investment, the next data point will rise. Medium (65%) and large (69%) businesses were significantly more likely to be hit than micro (42%) and small (46%) businesses: the more digitally exposed your operation, the higher the likelihood of an incident.

2. Phishing is now the entire game

Phishing remained the single most prevalent attack type, hitting 38% of all UK businesses and 25% of charities. More importantly, the share of breach victims who experienced phishing only, nothing else, rose from 45% to 51%. The qualitative interviews carried a sharp warning: respondents perceive that phishing has become “easier for attackers to commit” thanks to AI tooling. The threat surface that matters most is no longer firewalls and open ports; it is your inbox, your help desk, and your finance team.

3. Ransomware is rare but the rare cases are catastrophic

Ransomware against businesses fell to 1% (from 3% in both 2024/25 and 2023/24). Headline-friendly, but read it alongside the M&S, Co-op and Harrods Easter 2026 incidents, which together cost an estimated £440 million. The UK distribution is bimodal: most SMEs will not see ransomware, but those that do face an event that can end the business. The median cost of the most disruptive breach in the survey was £0, yet the 95th-percentile cost was £10,000 for medium and large businesses (one breach in twenty cost at least that), with extreme outliers exceeding £15,000 for cyber-facilitated fraud, and the survey itself notes these high-cost cases are systematically under-counted.

4. Revenue impact has more than doubled

Among breached businesses, the proportion reporting loss of revenue or share value rose from 2% to 5%. Reputational damage rose from 1% to 3%. Both are statistically significant. This is the most important year-on-year change in the entire report — cyber incidents are now hitting the P&L harder, even as raw incident volume holds steady. Boards should expect their next breach to cost more than their last.

5. Small businesses have unwound their 2024 progress

This is the survey’s most worrying finding for the SME segment. Last year, small businesses (10–49 staff) appeared to be closing the cyber-hygiene gap. This year the trend has reversed:

  • Cyber-security risk assessments: 41%, down from 48% in 2024/25 (back to 2023/24 levels)
  • Formal cyber-security policy: 52%, down from 59%
  • Business continuity plan covering cyber: 44%, down from 53%

The narrative is straightforward: economic pressure, headcount turnover, and the loss of in-house technical knowledge have forced small businesses to deprioritise cyber hygiene exactly as the threat environment escalated. This is the gap a managed IT partner is built to fill.

6. Micro businesses are quietly investing — via outsourcing

Micro businesses (1–9 staff) bucked the trend. Two-factor authentication adoption rose from 35% to 43%, company-owned-device-only access rose from 58% to 64%, and most tellingly the proportion using an external cyber-security provider rose from 39% to 44%. Translation: the smallest UK businesses now treat cyber as a buy-not-build problem — and they are right.

7. Cyber Essentials adoption is accelerating

The proportion of UK businesses formally holding a Cyber Essentials certificate rose from 3% to 5%. Inside that average sit two surges: large businesses jumped from 21% to 35%, and small businesses from 5% to 12%. With v3.3 having gone live three days ago (27 April 2026 — see our earlier explainer), expect the 2026/27 number to keep climbing as procurement gates and insurance underwriters tighten.

8. Most businesses still have not implemented advanced controls

Basic controls are widespread — 81% have updated malware protection, 74% take secure cloud backups. But advanced controls remain the SME blind spot:

  • Two-factor authentication: 47%
  • VPN for remote staff: 36%
  • User behaviour monitoring: 30%

Under Cyber Essentials v3.3, MFA on every cloud service is now a hard pass-or-fail requirement. The 53% of UK businesses without comprehensive 2FA would fail the new standard on that control alone, from day one.

9. Supply-chain risk is being completely ignored

Just 15% of UK businesses reviewed the cyber-security risks posed by their immediate suppliers. Only 6% looked at their wider supply chain. This is the figure that should worry the boards of UK manufacturers, professional services firms, and any organisation that handles client data on third-party platforms. The Cyber Security and Resilience Bill, currently progressing through Parliament, will make supplier assurance a regulated obligation in 2026/27 for large swathes of the economy.

10. AI is being adopted faster than its risks are being managed

A new question for 2025/26 found that 31% of businesses are using, adopting, or actively considering AI. Of those, just 24% have any cyber-security practices or processes specifically to manage AI risk. On a population basis, roughly 7.4% of all UK businesses have an AI-specific cyber framework, while the remaining 23–24% of all UK businesses are using or considering AI without one: the surface area for shadow-AI data leakage, prompt-injection attacks, and deepfake-enabled fraud.

11. Personal-data protection has gaps

One in seven businesses (14%) and one in five charities (22%) admit they hold personal data that is not protected by techniques such as anonymisation or encryption. Under UK GDPR and the ICO’s 2025 enforcement uplift, that is a notifiable-incident risk waiting to happen.

12. Board-level ownership is finally rising

One genuinely good story. Board-level responsibility for cyber security in UK businesses rose from 27% to 31%, reversing five years of decline. In large businesses the figure is 68%. The Cyber Governance Code of Practice (launched May 2025) is starting to bite at the top of the corporate hierarchy. Expect investor due diligence and audit committees to drive this higher in 2026/27.

The 12-month trajectory: how we got here

Aug–Dec 2025 Fieldwork

CSBS 2025/26 fieldwork conducted by Ipsos

2,112 businesses, 1,085 charities and 577 educational institutions interviewed across the UK. Random-probability telephone and online survey. 44 in-depth qualitative interviews October–November.

Jan 2026 NCSC

NCSC severe-cyber-threat preparedness guidance

National Cyber Security Centre publishes new guidance for UK businesses on preparing for sustained, state-aligned attacks — foreshadowing the Reuters reporting of 22 April.

15 Apr 2026 Government

UK Government open letter on AI cyber threats

Cabinet Office and DSIT publish an open letter to UK boards highlighting the AI cyber-threat acceleration. Sets the political stage for today’s data release.

Easter 2026 Retail wave

M&S, Co-op and Harrods ransomware

Three of the UK’s largest retailers hit by Scattered Spider DragonForce ransomware over the Easter weekend. Combined estimated impact: £440 million. Drives the qualitative-interview perception of escalating threat captured in this survey.

22 Apr 2026 Reuters

UK security chief warns of state-backed surge

The head of the UK’s cyber-security agency tells Reuters British businesses must brace for a sustained rise in state-aligned cyberattacks, setting the tone for the policy environment in which today’s CSBS is being read.

27 Apr 2026 CE v3.3

Cyber Essentials v3.3 + Danzell question set goes live

The first version of CE with automatic-fail triggers, broader cloud definitions, tougher 14-day patching, and the Cyber Essentials Plus two-stage sampling regime takes effect for every new certification.

30 Apr 2026 Today

CSBS 2025/26 published — the new baseline

DSIT and the Home Office release the official statistics. From today, every UK SME boardroom has the most authoritative read on its peers and a fresh benchmark for its own programme.

2026/27 Outlook

Cyber Security & Resilience Bill expected

Parliament’s pending Bill is expected to bring supply-chain assurance, mandatory ransomware-payment reporting, and stricter incident notification requirements into UK statute. The next CSBS will measure compliance with these.

Where UK businesses are getting hit — attack-type breakdown

The survey breaks down the precise attack types reported by breached UK businesses. Phishing is dominant by an order of magnitude; everything else is supporting cast.

  • Phishing attacks: 38%
  • Impersonation (vendor / executive fraud): 12%
  • Hacking or attempted hacking of online accounts: 5%
  • Computer or device viruses / malware: 4%
  • Denial-of-service or website disruption: 3%
  • Takeover of organisational accounts: 2%
  • Ransomware: 1%

Source: Cyber Security Breaches Survey 2025/2026, DSIT & Home Office. Percentages refer to the share of all UK businesses experiencing each attack type in the last 12 months. A business can report more than one type, so the categories do not sum to the 43% headline.

The attack mix tells you where to spend. The bulk of UK breach exposure is concentrated in social-engineering vectors, phishing (38%) plus impersonation (12%), far ahead of any technical attack type. Endpoint AV, server hardening, and traditional perimeter security still matter, but they cover the smaller share of the surface area. Email security, identity protection, training and verified-callback procedures cover the larger share.

Cyber crime is concentrated in repeat victims

The headline 19% of UK businesses victimised by cyber crime translates to 5.19 million cyber crimes against UK businesses in 12 months. Crucially, the median victim experienced three crimes, while the mean victim experienced nineteen. That gap means cyber crime is heavily skewed toward repeat-victim organisations — once attackers find a soft target, they hit it again and again.

Repeat victimisation drives the numbers (56% repeat-victim share)

If the median victim sees three crimes and the mean sees nineteen, a small upper tail of organisations is absorbing the bulk of the volume. The implication for SMEs: most attacks reach the same handful of vulnerable organisations multiple times. Hardening once is not enough; sustained operational hygiene is what stops the second, third and fourth attempts. This is exactly the cadence that managed-detection-and-response (MDR) and continuous compliance offerings are designed for.

The UK SME exposure scorecard — your real gap analysis

Read this against your own operation. Each row maps an exposure named explicitly in the 2025/2026 survey to the SME risk-band our analysts use when conducting Cyber Essentials gap assessments.

Where UK SMEs are most exposed in the 2025/2026 data (exposure, then risk band)

  • Phishing-only attack pattern (51% of breach victims experience nothing else): High
  • Comprehensive MFA on every cloud service (only 47% of UK businesses): High
  • Supply-chain risk review (15% immediate suppliers, 6% wider chain): High
  • AI cyber-risk processes (only 24% of AI-using businesses have any): High
  • Small-business cyber risk assessments (down to 41% from 48%): Mid
  • Personal data without anonymisation or encryption (14% of businesses): Mid
  • Cyber-incident response plan in place (25% of businesses, 21% of micro): Mid
  • Cyber insurance coverage (47% of businesses, 35% of charities): Low

The real cost — what the survey median hides

The median cost of the most disruptive breach was reported as £0. That headline is genuinely misleading. The median is dragged down by the very large share of phishing incidents stopped at the email gateway with no measurable cost. It is the upper percentiles — and the costs the survey explicitly says it under-counts — that matter to risk-managing boards. Below is our reconstruction of the real cost picture for an SME experiencing a serious breach, drawing on the 95th-percentile data, the 90th-percentile cyber-crime data, and current 2026 UK incident-response market rates.

Business size | Median breach cost | 95th-percentile breach cost | Realistic serious-incident cost (IR + downtime + recovery)
Micro (1–9 staff) | £0 | £4,000 | £15,000 – £45,000
Small (10–49 staff) | £0 | £4,000 | £35,000 – £120,000
Medium (50–249 staff) | £30 | £10,000 | £120,000 – £480,000
Large (250+ staff) | £30 | £10,000+ | £500,000 – £5m+ (M&S, Co-op, Harrods range)

Median and 95th-percentile figures from CSBS 2025/2026. Realistic serious-incident cost based on observed UK SME incident-response engagements 2024–2026 including third-party forensics, downtime, regulatory legal costs, customer notification, and business-interruption losses.

The 5% revenue-loss number is the one to put in front of your board

If 5% of breached UK businesses now lose revenue or share value as a direct consequence (up from 2%), and 43% of businesses get breached, then on a population basis 2.15% of UK businesses lost revenue to a cyber incident in the last 12 months — roughly 30,500 businesses. That is a far better board-level frame than median-cost, because it answers the only question a finance director cares about: what is the probability we lose money this year?

Reactive compliance vs. continuous resilience

The reactive posture (where most UK SMEs sit)

What the 2025/2026 data shows to be the typical UK SME cyber programme

Annual Cyber Essentials renewal as a checkbox — not a continuously-maintained baseline
Risk assessment last refreshed when the cyber insurance was renewed
Anti-virus and Microsoft 365 default settings — no email security stack uplift, no Defender for Business hardening
Phishing training as an onboarding e-learning module — no simulated phishing, no quarterly cadence
Backups in place but never restore-tested in a tabletop scenario
Incident response plan absent or unread — 75% of UK businesses have no formal plan
Supplier due diligence limited to invoice payment — no cyber attestation, no 32 questions, no SOC2/ISO mapping
AI tools (ChatGPT, Copilot, Gemini) used by staff with no enterprise tenancy and no DLP rules

The resilient posture (where the data says you need to be)

A managed programme aligned to CE v3.3, NCSC severe-threat guidance, and ISO 27001 fundamentals

Cyber Essentials v3.3 baseline maintained continuously — not just at audit time
Quarterly risk assessment updated against live threat intelligence and CISA KEV additions
Microsoft 365 Business Premium or E5 with Defender for Business, Purview DLP, Conditional Access, and Safe Links/Safe Attachments
Monthly simulated-phishing campaign with measurable per-team click rates and remedial micro-training
Quarterly restore tests of immutable backups and an annual full tabletop exercise with the leadership team
Documented incident response plan, BCP-aligned, with named roles, NCSC reporting paths, ICO 72-hour clock, insurer hotline, and PR template
Supplier cyber attestations collected at onboarding and renewal — minimum CE, preferred CE Plus or ISO 27001
Enterprise-tenancy AI with DLP, audit logging, sensitivity labels and a written acceptable-use policy

The 10-step 2026/27 SME action plan

Translate the survey data into operational priorities. This is the programme we run with Cloudswitched clients in the eight to twelve weeks following a CSBS data release. Each step references the survey finding it addresses. None of them is exotic or expensive in isolation — the value is in running them as a sequence rather than a checklist.

Step 1 · Week 1

Refresh your cyber risk assessment using the 2025/2026 data as the new baseline

Update the risk register against the 12 findings above. Document the residual risk where 51% of breach victims now experience phishing-only attacks. Re-rank treatment priorities. This addresses the small-business decline from 48% to 41% conducting risk assessments.

Step 2 · Weeks 1–2

Verify Cyber Essentials v3.3 readiness against the 27 April changes

Run the v3.3 self-assessment against the new auto-fail triggers: comprehensive MFA on every cloud service, 14-day patching, no end-of-life software, current Defender or equivalent. Close the gaps before your next renewal. Addresses the 17% awareness gap and the 35%/12% large/small adoption surge.

Step 3 · Weeks 2–3

Roll out comprehensive MFA across every cloud service — not just Microsoft 365

Audit every SaaS application your staff log into. Enable MFA universally. Move administrative accounts to phishing-resistant MFA (FIDO2/WebAuthn). Addresses the 47% baseline figure that under v3.3 is no longer enough.
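A practical way to run the Step 3 audit for the Microsoft 365 side is to pull the Entra ID registration report (Microsoft Graph, GET /reports/authenticationMethods/userRegistrationDetails) and apply two rules: every account has an MFA method registered, and every admin has a phishing-resistant method. The script below is an added example written for this article, not Cloudswitched tooling or anything from the survey. It runs offline on a constructed export that uses the field names the Graph report returns (userPrincipalName, isAdmin, isMfaRegistered, methodsRegistered); the sample accounts and the set of method names treated as phishing-resistant are assumptions to adjust for your own tenant.

```python
"""MFA coverage audit over an Entra ID registration-details export.

Added example for this article. Input shape follows the Microsoft Graph
report GET /reports/authenticationMethods/userRegistrationDetails
(fields: userPrincipalName, isAdmin, isMfaRegistered, methodsRegistered).
SAMPLE_EXPORT is constructed sample data, not a real tenant.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Method names the report uses for phishing-resistant credentials (assumption:
# extend with any passkey method names your tenant reports).
PHISHING_RESISTANT = {"fido2SecurityKey", "windowsHelloForBusiness", "passKeyDeviceBound"}

# Methods that only serve self-service password reset and do not count as MFA.
SSPR_ONLY = {"email", "securityQuestion"}

SAMPLE_EXPORT = json.dumps({"value": [
    {"userPrincipalName": "alice@example.test", "isAdmin": True,
     "isMfaRegistered": True, "methodsRegistered": ["fido2SecurityKey", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "bob@example.test", "isAdmin": True,
     "isMfaRegistered": True, "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "carol@example.test", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": ["email"]},
    {"userPrincipalName": "dave@example.test", "isAdmin": False,
     "isMfaRegistered": True, "methodsRegistered": ["softwareOneTimePasscode"]},
    {"userPrincipalName": "svc-backup@example.test", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": []},
]})


@dataclass
class MfaAudit:
    total: int = 0
    no_mfa: list[str] = field(default_factory=list)       # CE rule: every account has MFA
    weak_admins: list[str] = field(default_factory=list)  # admins without FIDO2 / WHfB

    @property
    def coverage_pct(self) -> float:
        """Share of accounts with at least one real MFA method registered."""
        if self.total == 0:
            return 0.0
        return round(100 * (self.total - len(self.no_mfa)) / self.total, 1)


def load_export(text: str) -> list[dict]:
    """Parse the Graph JSON envelope ({"value": [...]}) into user records."""
    return json.loads(text)["value"]


def audit_mfa(records: list[dict]) -> MfaAudit:
    """Apply the two pass/fail rules described in Step 3."""
    result = MfaAudit(total=len(records))
    for rec in records:
        upn = rec["userPrincipalName"]
        methods = set(rec.get("methodsRegistered", []))
        # Trust the report's flag, but also treat SSPR-only registrations as no MFA.
        if not rec.get("isMfaRegistered") or not (methods - SSPR_ONLY):
            result.no_mfa.append(upn)
        if rec.get("isAdmin") and not (methods & PHISHING_RESISTANT):
            result.weak_admins.append(upn)
    result.no_mfa.sort()
    result.weak_admins.sort()
    return result


def report(audit: MfaAudit) -> str:
    """Human-readable summary for the gap register."""
    lines = [f"MFA coverage: {audit.coverage_pct}% of {audit.total} accounts"]
    lines += [f"  NO MFA            {u}" for u in audit.no_mfa]
    lines += [f"  ADMIN NOT FIDO2   {u}" for u in audit.weak_admins]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_mfa(load_export(SAMPLE_EXPORT))))
```

Save the Graph response to a file and pass its contents to load_export. Two caveats when you read the output: registration is not enforcement, so pair this with a Conditional Access policy that requires MFA for all users on all cloud apps and check the sign-in logs for accounts still authenticating with a password alone; and service accounts like the constructed svc-backup entry tend to surface here, so plan a managed identity or a break-glass process for each rather than silently excluding them.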

Step 4 · Weeks 3–4

Uplift the email-security stack and start a real simulated-phishing programme

Microsoft Defender for Office 365 Plan 1 or 2, Mimecast or Egress sitting in front of M365, plus a monthly simulated-phishing cadence with per-team metrics and remedial micro-training. Addresses the 38% phishing rate and the 51% phishing-only pattern — the single biggest UK SME exposure.

Step 5 · Weeks 4–5

Implement a verified-callback procedure for every payment instruction change

Document a finance-team policy: any change to bank details, urgent payment, or invoice routing must be verified via a callback to a phone number on file from before the request. Train finance and PA staff. Mock-test it. Addresses the 12% impersonation rate — the second-largest UK SME exposure.

Step 6 · Weeks 5–6

Rebuild backups as immutable, tested, and documented

3-2-1-1-0: three copies, two media, one off-site, one immutable, zero errors after recovery test. Run a quarterly restore drill. Document the recovery-time-objective (RTO) and recovery-point-objective (RPO) for each business-critical system. Addresses the 1% ransomware threat where the 95th-percentile cost is catastrophic.
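The "zero errors" leg of 3-2-1-1-0 only means something if the restore is checked file by file against a manifest captured at backup time, and if RPO and RTO are measured rather than asserted. The script below is an added example written for this article, not the survey's or any vendor's tooling: it builds a constructed three-file data set in a temporary directory, records SHA-256 hashes as the backup manifest, simulates a restore that silently corrupts one file and drops another, and then checks the outcome against an assumed 24-hour RPO and 2-hour RTO. The file names, timestamps and objectives are made up for the demonstration.

```python
"""Restore-drill verifier for the 3-2-1-1-0 'zero errors' check.

Added example for this article; the data set, timestamps, RPO and RTO
below are constructed for the demonstration, not taken from any client.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every file under root, sorted by path.
    Capture this at backup time and store it alongside the immutable copy."""
    rels = sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
    return {rel: sha256_file(root / rel) for rel in rels}


def verify_restore(restored: Path, manifest: dict[str, str]) -> list[str]:
    """One line per defect (missing, altered, unexpected file).
    An empty list is the 'zero errors' result the drill requires."""
    errors = []
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            errors.append(f"{rel}: missing")
        elif sha256_file(target) != digest:
            errors.append(f"{rel}: hash mismatch")
    # Files absent from the backup should not appear after a restore either.
    for rel in sorted(set(build_manifest(restored)) - set(manifest)):
        errors.append(f"{rel}: unexpected file")
    return errors


def check_objectives(snapshot_at: datetime, incident_at: datetime,
                     restore_finished: datetime,
                     rpo: timedelta, rto: timedelta) -> dict[str, bool]:
    """RPO covers data written after the last good snapshot; RTO is the outage
    measured from the incident, not from when the restore was started."""
    data_loss = incident_at - snapshot_at
    downtime = restore_finished - incident_at
    return {"rpo_met": data_loss <= rpo, "rto_met": downtime <= rto}


def simulated_drill() -> dict:
    """Constructed scenario: three files backed up; the restore corrupts one
    and loses one. Returns the defect list and the RPO/RTO verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "finance").mkdir(parents=True)
        (live / "README.txt").write_text("constructed sample data\n")
        (live / "finance" / "ledger.csv").write_text("date,amount\n2026-01-05,1200\n")
        (live / "finance" / "payroll.csv").write_text("name,net\nA,2100\n")
        manifest = build_manifest(live)  # taken at backup time

        restored = Path(tmp) / "restored"
        shutil.copytree(live, restored)
        (restored / "finance" / "ledger.csv").write_bytes(b"date,amount\n2026-01-05,1200\n\x00")  # silent corruption
        (restored / "README.txt").unlink()  # file lost in the restore
        errors = verify_restore(restored, manifest)

    objectives = check_objectives(
        snapshot_at=datetime(2026, 3, 31, 23, 0),
        incident_at=datetime(2026, 4, 1, 9, 30),
        restore_finished=datetime(2026, 4, 1, 13, 0),
        rpo=timedelta(hours=24),   # assumed objective
        rto=timedelta(hours=2),    # assumed objective; 3.5h of downtime misses it
    )
    return {"errors": errors, "zero_errors": not errors, **objectives}


if __name__ == "__main__":
    outcome = simulated_drill()
    for line in outcome["errors"]:
        print("DEFECT", line)
    print("zero errors:", outcome["zero_errors"],
          "| RPO met:", outcome["rpo_met"], "| RTO met:", outcome["rto_met"])
```

In a real quarterly drill, build_manifest runs against the live data when the backup job completes and the manifest travels with the immutable copy; verify_restore runs against the restored tree on isolated hardware. Keep the defect list and the two verdicts as the drill record, because a restore that "worked" with one silently altered ledger file is exactly the evidence an insurer or auditor will want to see you caught.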

Step 7 · Weeks 6–7

Write an incident-response plan that is one page and rehearsed

First-hour playbook: containment, evidence preservation, executive notification, external reporting (NCSC’s Suspicious Email Reporting Service for phishing, Action Fraud for crime reports), ICO 72-hour clock, insurer hotline, customer-comms template, supplier-comms template. One side of A4. Tabletop-exercise it once a quarter. Addresses the 75% of UK businesses without a formal plan.

Step 8 · Weeks 7–8

Stand up a supplier cyber-attestation register

Identify your top 20 critical suppliers (anyone with system access, data access, or a payment relationship). Require Cyber Essentials at minimum. Preferred: CE Plus or ISO 27001. Refresh annually. Addresses the 15% / 6% supply-chain blind spot and prepares for the Cyber Security and Resilience Bill.

Step 9 · Weeks 8–10

Bring shadow AI into a managed enterprise tenancy

Audit which staff are using which AI tools today. Pick one enterprise tenancy (Microsoft 365 Copilot, ChatGPT Enterprise, or Gemini Workspace). Set DLP, sensitivity labels, audit logging. Publish an Acceptable AI Use policy. Train staff. Addresses the roughly 23–24% of UK businesses using or considering AI without AI-specific cyber controls.

Step 10 · Weeks 10–12

Take the programme to the board and make cyber a quarterly agenda item

Use the CSBS 2025/2026 data as your baseline narrative. Present residual-risk heat map. Get cyber added as a standing quarterly board agenda item with a named board sponsor. Addresses the 31% board-responsibility figure and the rising Cyber Governance Code of Practice expectations.

How does your business score against the 2025/2026 baseline?

We have built a five-question readiness score that maps directly to the CSBS findings. Run it for your own organisation in under five minutes:

  1. Have you completed a Cyber Essentials v3.3 self-assessment in the last 90 days? (yes = 20)
  2. Is MFA enforced on every business-critical cloud service, including Microsoft 365, finance, HR, CRM, and admin consoles? (yes = 20)
  3. Have you run a simulated-phishing exercise in the last quarter, with measurable click rates? (yes = 20)
  4. Have you tested a full data restore from immutable backup in the last six months? (yes = 20)
  5. Do you collect Cyber Essentials or ISO 27001 attestations from your top 20 suppliers? (yes = 20)

Most UK SMEs we benchmark score between 20 and 60. The 2025/2026 data implies the average UK business is scoring around 50. Cyber Essentials v3.3 effectively requires 80+. Below is a visualisation of the typical UK SME readiness based on the survey’s underlying control-adoption percentages.

Estimated typical UK SME readiness against the CSBS 2025/2026 baseline: 50/100. The CE v3.3 threshold is 80.

Industry context: where the survey lands among the 2026 trends

Today’s release does not exist in isolation. It joins a remarkable run of UK-specific cyber data points all pointing in the same direction:

  • ESET (April 2026): 78% of UK manufacturers experienced at least one cyber incident in the last 12 months.
  • NCSC (January 2026): New severe-cyber-threat preparedness guidance for UK organisations of all sizes.
  • Reuters (22 April 2026): UK cyber chief warns British businesses to brace for rising state-backed attacks — covered in our 22 April analysis.
  • AI Pulse (22 April 2026): 58% of UK business leaders now express concern about AI-related cyber risks — covered in our 23 April analysis.
  • UK Government (15 April 2026): Open letter on AI cyber threats from DSIT and Cabinet Office.
  • Microsoft Digital Defense Report 2025/2026: 4× year-on-year increase in AI-augmented phishing volumes targeting UK organisations.
  • Cyber Essentials v3.3 + Danzell update (live since 27 April 2026): First-ever automatic-fail triggers in the scheme — covered in our 19 April analysis.

Six months ago, a UK SME could plausibly argue that cyber spending was a “next-quarter” problem. After today’s release that argument is gone. The official statistics, the regulator’s guidance, the certification scheme, the insurance market and the threat intelligence are all pulling in the same direction.

The supply-chain dimension — why your customers will start asking harder questions

Buried in the survey is a finding that should keep mid-market boards awake. Just 15% of UK businesses formally review their immediate suppliers’ cyber posture, and 6% look at the wider supply chain. But among large UK businesses, almost half (48%) review immediate suppliers, and that group is expanding fast.

What that means for an SME selling B2B: the questionnaires are getting harder. The 2026/27 wave of supplier due-diligence packs will demand evidence of MFA enforcement, patching SLAs, incident-response plans, sub-processor lists, BCP test logs, and at minimum a Cyber Essentials certificate. SMEs that can produce these artefacts in 24 hours will close deals faster than those that take three weeks. The CSBS makes this an addressable market opportunity, not just a compliance burden.

Turn the questionnaire into a sales asset

Build a single PDF — we call it the Cyber Trust Pack — containing your CE certificate, ICO registration, BCP one-pager, sub-processor list, MFA attestation, encryption attestation, and incident-response summary. When a procurement team requests due diligence, you respond in minutes. We have seen UK SMEs win £100k+ contracts on the strength of having one ready when a competitor did not.

Quick-reference: the 2025/2026 CSBS at a glance

Metric | UK businesses | UK charities | Year-on-year
Experienced any breach or attack | 43% (612k) | 28% (57k) | Flat
Phishing prevalence | 38% | 25% | Flat (down vs 2023/24)
Ransomware prevalence | 1% | 1% | Down from 3%
Loss of revenue / share value among breached | 5% | n/a | Up from 2% (significant)
Reputational damage among breached | 3% | n/a | Up from 1%
Hold formal Cyber Essentials certificate | 5% | 3% | Up from 3% / 2%
MFA fully implemented | 47% | 38% | Flat
Comprehensive cyber insurance | 47% | 35% | Flat
Risk assessment completed | 30% | 27% | Flat
Formal incident response plan | 25% | 19% | Flat
Board-level cyber responsibility | 31% | 30% | Up from 27% (significant)
Using or considering AI | 31% | 25% | New question
AI users with AI cyber controls | 24% of the 31% | 27% of the 25% | New question
Reviews immediate supplier cyber risk | 15% | 9% | Flat
Reviews wider supply-chain cyber risk | 6% | 4% | Flat

What Cloudswitched is doing for clients this week

For every Cloudswitched managed-services client we run a 30-minute “CSBS reset” in the week following each annual release. The output is a one-page action plan benchmarked against the new statistics, the v3.3 control set, and the client’s own incident history. We are running these slots through the first half of May 2026.

Get a free CSBS 2025/2026 benchmark for your business

30 minutes. No commitment. We map your current controls against the new survey baseline, the Cyber Essentials v3.3 auto-fail triggers, and the cyber insurance underwriting questions you will see at your next renewal. You walk away with a one-page priority list ranked by 2026/27 risk.

Book your CSBS reset call

What to watch next

Three signals will tell us whether the 2026/27 CSBS will look better or worse than today’s release.

  1. Cyber Security and Resilience Bill. The pending Bill is expected to mandate supplier assurance, ransomware-payment reporting, and stricter incident notifications. If passed in 2026, it changes the survey’s 15% supplier-review figure overnight.
  2. UK SME cyber insurance market. Underwriters are already responding to the 5% revenue-loss statistic. Expect tighter MFA and patching warranties on 2026/27 renewals, with premium loadings for organisations without CE v3.3.
  3. Q3 2026 NCSC threat assessment. NCSC’s next quarterly assessment will set the tone for the August–December 2026 fieldwork window. If state-backed attack volumes track the trajectory the cyber chief warned of on 22 April, the next CSBS will likely show the breach rate ticking back up from 43%.

The pattern across all three is the same. The threat is widening, the regulatory perimeter is tightening, and the market is repricing risk. UK SMEs that act on today’s data have nine months to be ready before next year’s survey crystallises the next benchmark.

Talk to Cloudswitched about your 2026/27 cyber programme

We are a UK-based cloud and IT services provider helping SMEs run Cyber Essentials, Microsoft 365 hardening, managed detection and response, supplier assurance, AI risk frameworks and incident response programmes — all under one managed roof. Today’s CSBS release is exactly the moment to align your security spend with where the data is heading.

Speak to our cyber team

Frequently asked questions

Is the Cyber Security Breaches Survey 2025/2026 official UK government data?
Yes. CSBS is an Official Statistics publication produced by the Department for Science, Innovation and Technology (DSIT) in partnership with the Home Office, with fieldwork carried out by Ipsos. It has been published annually since 2015/16 and was reviewed by the Office for Statistics Regulation in 2026 ahead of this latest edition. It is the most authoritative independent measure of UK cyber resilience available.
My business has not been breached. Should I still take action based on this report?
Yes — for two reasons. First, breach victimisation is heavily concentrated: the median victim experiences three cyber crimes per year and the mean victim experiences nineteen, which means once you become a target, you become a repeat target. The data strongly suggests prevention is far cheaper than dealing with the second, third and fourth attempt. Second, your customers, insurers and certification body will increasingly use this data to set the bar. Acting now keeps you in the upper half of UK SMEs against a benchmark that is rising every year.
The median breach cost was £0. Is the cyber-spending case really that weak?
No. The £0 median reflects the dominance of phishing attempts that are blocked at the email gateway with no measurable cost — not serious breaches. The 95th-percentile cost is £10,000 for medium and large businesses, the report explicitly states it under-counts extreme cases, and 5% of breached UK businesses now lose actual revenue or share value (up from 2% last year). When you frame the question as “what is the chance we lose money this year to a cyber incident?”, the answer is roughly 2.15% of all UK businesses, or one in 47 — a P&L risk no board should ignore.
We hold Cyber Essentials — does this report change anything for us?
It does. Cyber Essentials v3.3 went live on 27 April 2026 with the first-ever automatic-fail triggers (comprehensive MFA on every cloud service, 14-day patching, no end-of-life software), assessed through the new Danzell question set. Today’s data shows only 47% of UK businesses currently have comprehensive MFA, which means many existing CE holders will struggle at their next renewal. Use the next 30 days to audit your tenancy against the v3.3 control set rather than waiting for renewal day.
We are a small business and our budget is tight. What is the single highest-value action?
Comprehensive MFA on every cloud service combined with a credible simulated-phishing programme. The bulk of UK breach exposure is concentrated in social-engineering vectors (38% phishing plus 12% impersonation). MFA neutralises the consequence of a stolen credential; phishing simulation reduces the rate at which credentials get stolen in the first place. Together they cost a small business roughly £10–£20 per user per month on standard managed-service plans and address the survey’s two most prevalent named threats.
We use ChatGPT and Microsoft Copilot. Are we exposed?
Almost certainly yes if you have not put a framework around it. The survey introduced a new question this year and found that of the 31% of UK businesses using or considering AI, only 24% have any AI-specific cyber risk processes. That puts roughly 23–24% of all UK businesses in the unmanaged-AI bucket. The fix is straightforward: pick one enterprise-grade tenancy (M365 Copilot, ChatGPT Enterprise, Gemini Workspace), enforce DLP and sensitivity labels, audit-log everything, and publish a one-page acceptable-use policy. Cloudswitched runs this programme as a fixed-price 30-day engagement.
Do we need to start asking our suppliers for Cyber Essentials certificates?
Yes — and the longer you delay, the more friction you will encounter. Today only 15% of UK businesses formally review their immediate suppliers’ cyber posture, but 48% of large businesses do, and the pending Cyber Security and Resilience Bill is expected to make some level of supplier assurance a legal obligation. Start with your top 20 critical suppliers (anyone with system or data access). Require Cyber Essentials at minimum, with CE Plus or ISO 27001 preferred. Refresh annually. Build the register inside your finance system so it is visible at renewal time.
How does the M&S, Co-op and Harrods retail wave fit into this report?
The fieldwork closed in December 2025, before the Easter 2026 retail wave, so those incidents are not in this dataset. They are, however, vivid evidence of the kind of high-cost outlier the survey explicitly under-counts. Together they are estimated to have cost up to £440 million across three retailers and demonstrate the gap between the £0 headline median and the catastrophic upper tail. They are also a textbook example of social-engineering exploitation: Scattered Spider used pretexting against IT help desks to get credentials reset, which is exactly the surface this survey says UK SMEs are most exposed on.
When will the next survey come out and what should we expect to see?
The 2026/27 edition is expected in spring 2027 with fieldwork running August–December 2026. Based on the trajectory of state-backed attacks, the AI threat-tooling acceleration, and the post-CE v3.3 adjustment, our expectation is that the headline breach rate ticks back up from 43%, ransomware re-asserts itself, and the revenue-impact figure rises from 5% to somewhere closer to 8%. The bright spot will likely be Cyber Essentials adoption: we expect that figure to roughly double again, from 5% to around 10% of all UK businesses.
What is the single most important thing for a board to take away from this report?
The 5% revenue-loss number. For the first time in the survey's history, a meaningful fraction of UK businesses are reporting that a cyber incident actually moved their P&L. That fundamentally changes how cyber should be discussed in the boardroom: from a low-probability technology issue to a measurable financial-risk line. Add it to your enterprise risk register at its actual probability (43% chance of any breach × 5% chance of revenue impact = roughly 2.15% annualised) and treat the mitigation spend with the same discipline you would apply to any other exposure with a roughly 2% annual probability of hitting revenue.

Today’s Cyber Security Breaches Survey 2025/2026 is the most useful single document a UK SME leader will read this year. The data is unflattering — 612,000 breached businesses, 5.19 million cyber crimes, a doubling of revenue impact, a stalled small-business hygiene curve and a supply-chain blind spot — but it is also actionable. Every figure in it maps to a control, a process, or a piece of governance you can put in place over the next twelve weeks. Treat it as a baseline, not a verdict, and the 2026/27 release will read very differently for your business.

Tags: Cyber Security, Cybersecurity, IT Support
CloudSwitched

London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.
