Dragon Digital

Breach rates stuck at 43%: what the 2025 cyber survey says for your business

Nearly half of UK businesses hit by a cyber incident last year, costs rising sharply. Here’s what the latest government survey actually means for a small.

By The Dragon Digital team


The government’s Cyber Security Breaches Survey 2025/2026 landed on 30 April, and the headline number hasn’t budged: 43% of UK businesses experienced a breach or attack in the past twelve months. That’s roughly 612,000 businesses. Three years in a row, same ballpark. The rate isn’t falling.

The number that should concern you more, though, is the cost. Revenue losses from breaches jumped from 2% to 5% year-on-year. Reputational damage doubled. The average quantified breach cost sat around £10,000. For a small firm in Conwy, Flint, or Rhyl, that’s not an abstract statistic — that’s payroll, or a quarter’s rent.

Where the attacks are actually coming from

Phishing dominates entirely. 38% of UK businesses reported phishing attempts in the past year, and among those that suffered a breach, phishing was involved in around 85% of incidents. The most common way into a UK business in 2025 isn’t sophisticated hacking. It’s an email that looks like it came from a supplier, a bank, or a colleague — but didn’t.

If phishing is doing 85% of the damage, the priorities follow logically: email filtering, multi-factor authentication (requiring a second check beyond just a password), and staff who can spot a dodgy message. These aren’t optional extras. They’re the main event. If you want to understand why the threat keeps climbing, we’ve written about the broader picture of rising UK cyber risk in more detail.

The AI blind spot

New this year: only about 25% of organisations already using or exploring AI tools have any security rules in place around them. Staff are signing up for ChatGPT, content generators, and summarisation tools without any central oversight. A marketing person pastes client data into a content tool. An operations manager uses a chatbot to work through financial figures. Nobody has checked what the vendor does with that data or where it ends up.

The NCSC Small Business Guide covers the fundamentals well — backups, access controls, patching, MFA, phishing awareness — but AI tool sprawl is a new gap that most small businesses haven’t thought through yet.

The board conversation that still isn’t happening

Board-level engagement with cyber security rose from 27% to 31%. Which sounds like movement, until you realise it means 69% of UK business boards still aren’t meaningfully involved in cyber decisions. The assumption that “IT will sort it” remains the default, and that leaves real risk unmanaged at owner level.

The survey also flags an undercount problem: breaches you can’t detect never appear in the data. If there’s no monitoring and no logging in place, an incident could already be running and you’d have no idea.

What to actually do with this

The breach rate isn’t going to drop on its own. The evidence points clearly at where to spend: email security, MFA, offline backups, and basic staff training on spotting phishing. If your team is using AI tools, write down what data they’re allowed to share and what they’re not. And if cyber risk isn’t being discussed at owner or director level, that gap is worth closing before the costs make the decision for you.

For a sense of what this kind of protection actually costs — and what gets left out of cheaper setups — our piece on why cheap IT support can backfire is worth a read. If you’d like Dragon Digital to look at where your business sits right now, we run straightforward cyber reviews for businesses across North Wales — start with a conversation about what’s actually in place.
