Cyber Security Survey Report 2025


Cyber Security Breaches Survey 2025: Insights into the UK’s Digital Resilience

The Department for Science, Innovation and Technology (DSIT) and the Home Office published the Cyber Security Breaches Survey 2025, providing a comprehensive picture of how UK organisations are managing cyber threats. The findings reveal both progress and persistent challenges in safeguarding businesses and charities against increasingly sophisticated attacks.

A Snapshot of Cyber Breaches in 2025

The survey found that 43% of businesses and 30% of charities reported experiencing a cyber breach or attack in the past year. While this represents a decline from 2024 (when half of businesses were affected), the drop was largely attributed to fewer micro and small businesses identifying phishing incidents. However, the prevalence of breaches among medium (67%) and large (74%) businesses remains strikingly high.

Phishing continues to dominate as the most common attack type, affecting 85% of businesses and 86% of charities that faced breaches. Beyond phishing, ransomware has seen an alarming rise. In 2024, fewer than 0.5% of businesses reported ransomware crimes, but this figure doubled to 1% in 2025, equating to about 19,000 businesses.

The financial impact remains significant. On average, the most disruptive breach cost businesses £1,600 and charities £3,240. When excluding those who reported zero costs, the figures rise to £3,550 for businesses and £8,690 for charities. These self-reported costs may underestimate the true financial burden.

Cyber Hygiene and Preparedness

Encouragingly, small businesses improved in several areas of cyber hygiene. Uptake of risk assessments rose to 48% (from 41% in 2024), cyber insurance to 62% (from 49%), and continuity plans addressing cyber risks to 53% (from 44%).

However, charities – particularly high-income ones – regressed. Their adoption of risk assessments, supplier risk reviews, and formal strategies all declined compared to 2024. Budget constraints were cited as a key reason, highlighting the resource gap charities face in tackling cyber threats.

Most organisations maintain basic protections like malware updates, password policies, firewalls, and secure data backups. But advanced controls remain underused: only 40% of businesses and 35% of charities implement two-factor authentication, while VPN and user monitoring adoption also lag.

Governance and Board Engagement

While 72% of businesses and 68% of charities regard cyber security as a high priority, board-level responsibility has weakened over time. In 2021, 38% of businesses had a board member overseeing cyber security; by 2025, this had dropped to 27%. Larger firms still show stronger governance, but many smaller organisations rely on external IT providers rather than internal expertise.

Notably, few organisations seek official guidance. Just 1% of businesses and 2% of charities named the National Cyber Security Centre (NCSC) as a resource. Awareness of NCSC initiatives such as Cyber Aware, 10 Steps to Cyber Security, and Cyber Essentials has steadily declined since 2021, particularly among micro businesses.

Incident Response and Recovery

When breaches occur, internal reporting dominates, with 76% of businesses and 80% of charities informing senior leaders. However, only about one-third have policies for external reporting, raising concerns about under-reporting to regulators and law enforcement.

Larger organisations in finance, health, and communications sectors show stronger adoption of incident response plans, but many small firms lack such frameworks. Encouragingly, post-breach training and awareness programmes are increasingly used, reflecting recognition that employees are often the first line of defence.

Cyber Crime: A Growing Threat

The survey highlights a worrying scale of cyber crime: 20% of businesses and 14% of charities were direct victims in the past year, translating to 8.58 million cyber crimes against businesses and 453,000 against charities.

Phishing was again the leading form of cyber crime (over 90% of cases), but ransomware stood out as a fast-growing threat. Repeat victimisation is also common, with businesses reporting an average of 30 incidents annually.

Financially, the average cost of cyber crime (excluding phishing) was £990 per business, while cyber-facilitated fraud – affecting about 40,000 businesses – carried far higher costs, averaging £5,900 per incident.

Implications for UK Cyber Resilience

The 2025 survey underscores a mixed picture. On one hand, cyber awareness is mainstream, and small businesses are closing some of the gaps in basic preparedness. On the other hand, advanced security practices, supply chain risk management, and board-level engagement remain limited, particularly in smaller organisations and charities.

The findings suggest a pressing need for:

Greater investment in advanced protections like multi-factor authentication and VPNs.

Targeted support for charities and smaller firms with budgetary constraints.

Stronger board-level accountability to ensure cyber security is embedded in governance.

Increased promotion of official guidance from the NCSC to counter declining awareness.

As cyber criminals adopt more sophisticated tactics, including AI-driven impersonation and persistent ransomware, UK organisations must continue evolving their defences. The survey provides critical evidence to inform both organisational strategy and government policy, ensuring that the UK remains resilient in an increasingly hostile digital landscape.
