The Cyber Security Breaches Survey 2025: What can we learn? 

Executive summary 

  • The Cyber Security Breaches Survey is a government initiative to carry out an annual survey of cyber breaches, attacks, and crimes in the UK’s businesses, charities, and educational organisations. 
  • The 2025 survey is encouraging – showing that just 43% of UK businesses reported a cyber security breach or attack in the past year, down from 50% in 2024.  
  • But it’s not all good news – the survey also shows that only 40% of businesses have rolled out two-factor authentication, and under one-third are actively monitoring user behaviour.   

Introduction 

The 2025 UK Cyber Security Breaches Survey is in, and the results are a game of two halves.  

What this year’s survey tells us will be a reassuring hug for some, and a veritable glass of cold water to the face for others. Which group you fall into will all depend on your IT security posture.  

The headline figure – that just 43% of British businesses were hit with a cyberattack in 2024 – is certainly encouraging. It shows that, as a nation, we’re taking cybercrime seriously, and that the measures we’re putting in place are working.  

But what else does the survey tell us? And how can you use the data to fine-tune your defences? 

What is the UK Cyber Security Breaches Survey? 

The UK Cyber Security Breaches Survey is an annual, government-run snapshot of how cyberthreats affect UK organisations – businesses, charities and educational institutions.  

It looks at who’s been hit, how those attacks happened, what security measures organisations are putting in place, and how incidents were handled. Think of it as a country-wide MOT for the UK’s digital defences: it helps policymakers, suppliers, and business leaders see what’s working, what’s not, and identify potential cybersecurity blind spots.  

The data in this article comes from the Cyber Security Breaches Survey 2025, with interviews taking place between August and December 2024. 

What are the headlines from the 2025 survey? 

The big takeaway is the headline: 43% of UK businesses reported a cyber security breach or attack in the past year. That represents a not insignificant drop from 50% in 2024. That’s progress, no doubt, but the finer detail reveals more of a mixed picture.  

Here are the other stats that caught our team’s eye: 

  • Phishing is still dominant, with 85% of breaches involving this type of attack. This will be no surprise to those familiar with cybersecurity, especially now that attacks are becoming increasingly convincing thanks to new technology like AI.  
  • Businesses are lagging on multi-factor authentication. With only 40% of businesses having rolled out two-factor authentication (2FA), the upshot is that more than half are still relying on single-factor logins that are much too easy to bypass. 
  • Under one-third of businesses actively monitor user behaviour. We understand this can be a tricky one since there’s a privacy angle, but we believe there’s a balance to be struck that doesn’t leave 70% of businesses at risk.  
  • 49% of small businesses have done something to identify cyber risks. Whether that’s using a specific security tool, testing staff with mock exercises, or carrying out full vulnerability audits, about half of organisations are heading in the right direction here.  

Now let’s look at a few more snack-sized stats, which show how broadly UK businesses have adopted the basic cybersecurity controls: 

  • 77% have up-to-date anti-malware in place 
  • 73% have a password policy with a requirement for strong passwords 
  • 71% back up their data securely via a cloud service 

But adoption of some of the more advanced controls still lags behind: 

  • Only 31% use a virtual private network (VPN) for staff connecting to their systems remotely 
  • Just 32% enforce a policy of applying software security updates within 14 days, which can expose the company to various threats 

What lessons can UK organisations learn? 

The first big lesson is that prevention is still better than cure. 

The drop in overall breaches suggests that basic cybersecurity hygiene, like up-to-date anti-malware, sensible backups, password policies, and clear incident contingencies, is making a difference for many organisations. And those basics should be non-negotiable: they stop the majority of blunt-force attacks and reduce recovery time when incidents do happen. 

The second big lesson is that companies should move from ‘box-ticking’ security to layered, measurable controls. Phishing remains the principal threat, and more sophisticated phishing (such as voice and AI impersonation) means you need both human and technical defences: regular, realistic phishing simulations and phishing-resistant authentication (phishing-resistant MFA, not just SMS codes). 

Here are a few more quick takeaways we gleaned from the survey: 

  1. Prioritise MFA rollout. Make strong multi-factor authentication standard for all accounts, especially admin and cloud services. 
  2. Treat phishing as an active programme. Run simulations, teach staff how to verify requests, and test response processes. 
  3. Make backups and recovery routine. Regular, tested recovery beats expensive downtime every time. 
  4. Assign board-level ownership. Cybersecurity generally needs a named senior owner accountable for strategy and spend within your business. 
  5. Improve detection, not just prevention. Invest in basic (and non-invasive) user behaviour monitoring and logging so incidents are spotted early. 
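Takeaway 5 asks for basic, non-invasive user behaviour monitoring and logging. As an added illustration (not code from the survey or from Get Support), the short Python script below runs two simple detections over a constructed authentication log: a burst of failed logins followed by a success on the same account, and a successful login from a country that account has never used before. The log format, the user names, the IP addresses and the thresholds are all assumptions made for the example.

```python
"""Minimal user-behaviour monitoring over authentication logs.

Added illustration for this article; not code from Get Support or from the
survey. The log format is constructed for the example: each line is
"<ISO timestamp> user=<name> result=<success|failure> ip=<addr> country=<CC>".
Two detections are shown:
  1. a burst of failed logins followed by a success for the same account
  2. a successful login from a country the account has never used before
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data); addresses are documentation ranges.
SAMPLE_LOG = """\
2024-11-04T08:01:10 user=alice result=success ip=203.0.113.10 country=GB
2024-11-04T08:02:30 user=bob result=failure ip=198.51.100.7 country=GB
2024-11-04T08:02:41 user=bob result=failure ip=198.51.100.7 country=GB
2024-11-04T08:02:55 user=bob result=failure ip=198.51.100.7 country=GB
2024-11-04T08:03:02 user=bob result=failure ip=198.51.100.7 country=GB
2024-11-04T08:03:15 user=bob result=failure ip=198.51.100.7 country=GB
2024-11-04T08:03:40 user=bob result=success ip=198.51.100.7 country=GB
2024-11-04T09:15:00 user=alice result=success ip=192.0.2.44 country=GB
2024-11-04T12:47:12 user=alice result=success ip=192.0.2.99 country=RU
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>success|failure) "
    r"ip=(?P<ip>\S+) country=(?P<country>[A-Z]{2})$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(log_text, fail_threshold=5, window=timedelta(minutes=10)):
    """Run both detections over the log and return a list of alert strings."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failures
    seen_countries = defaultdict(set)     # user -> countries seen on past successes
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these
        user, ts = rec["user"], rec["ts"]
        fails = recent_failures[user]
        # Forget failures that fell outside the sliding window.
        while fails and ts - fails[0] > window:
            fails.popleft()
        if rec["result"] == "failure":
            fails.append(ts)
            continue
        # Successful login: check whether it followed a burst of failures.
        if len(fails) >= fail_threshold:
            alerts.append(
                f"{ts.isoformat()} {user}: success after {len(fails)} failures "
                f"within {window} (possible password guessing)"
            )
        fails.clear()
        # Check whether the login country is new for this account.
        if seen_countries[user] and rec["country"] not in seen_countries[user]:
            alerts.append(
                f"{ts.isoformat()} {user}: first login from {rec['country']} "
                f"(previously {sorted(seen_countries[user])})"
            )
        seen_countries[user].add(rec["country"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Both rules only look at authentication outcomes, timestamps and coarse location, which is the kind of low-intrusion signal the takeaway has in mind; the thresholds are deliberately conservative so that a couple of mistyped passwords do not raise an alert.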

Get Support when you need it 

If there’s one constant in the world of cybersecurity, it’s change. This year’s report shows that we’ve made progress in some areas, but also that there’s room for improvement in others. 

If these numbers have caught your eye and you’re interested in optimising your cybersecurity posture, just ask your Get Support Customer Success Manager or call our expert team on 01865 594 000.