Small and medium-sized enterprises (SMEs) in the UK are making notable strides in cyber resilience, even as larger businesses continue to grapple with persistent threats, according to the UK government’s latest Cyber Security Breaches Survey.

Commissioned by the Department for Science, Innovation and Technology (DSIT) and the Home Office, the annual report reveals a mixed landscape: while cyber breaches among smaller firms have declined, incidents remain stubbornly high among medium and large businesses. The report also flags a troubling rise in ransomware attacks.

According to the findings, 43% of businesses and 30% of charities reported experiencing a cyber security breach or attack in the past 12 months—figures that translate to approximately 612,000 businesses and 61,000 charities affected.

SME Improvements Contrast With Large Enterprise Vulnerabilities

The overall proportion of businesses reporting breaches fell from 50% in 2024 to 43% this year, largely due to a drop among micro (down from 47% to 41%) and small businesses (down from 58% to 50%).

However, the breach rate among medium (67%) and large firms (74%) remained virtually unchanged, underscoring a significant gap in cyber resilience between smaller and larger organisations.

Phishing continues to dominate the threat landscape, with 85% of affected businesses and 86% of impacted charities identifying phishing as the attack vector—amounting to 37% of all UK businesses and 26% of charities. Interviewed organisations reported the growing complexity and volume of phishing attempts, including tactics enhanced by AI impersonation, as a major concern.

“While it’s encouraging to see more organisations adopting risk assessments, formal policies, and cyber insurance, the threat itself is becoming more sophisticated,” said Nathaniel Jones, VP of Security & AI Strategy at Darktrace. “AI and cybercrime-as-a-service ecosystems are accelerating both the speed and scale of attacks.”

Ransomware Incidents on the Rise

One of the most significant findings of the survey is the rise in ransomware targeting businesses. While overall cybercrime prevalence remained stable at 20% for businesses and 14% for charities, the proportion of businesses hit by ransomware attacks doubled—from under 0.5% in 2024 to 1% in 2025. That increase means nearly 19,000 UK businesses faced ransomware demands in the past year.

“To combat ransomware, organisations must adopt multi-layered security strategies that incorporate threat intelligence, heuristic analysis, and machine learning,” said Etay Maor, Chief Security Strategist at Cato Networks. “Stopping these attacks requires blocking both initial phishing vectors and lateral movement within networks.”

Although the majority of breaches (84%) didn’t result in direct losses, the impact of attacks appears to be shifting. Temporary loss of access to files or networks rose to 7% among businesses (up from 4% in 2024), while charities increasingly reported loss of access to third-party services (up from 1% to 5%).

The average cost of the most disruptive breach stood at £1,600 for businesses and £3,240 for charities when including zero-cost incidents. Excluding those, the figures rose to £3,550 and £8,690, respectively. The average cost of cyber-facilitated fraud was even higher—£5,900 per affected business.

Gains in Cyber Hygiene, But Governance Gaps Persist

Smaller businesses appear to be leading the charge in cyber hygiene. Adoption of key practices has increased over the past year: risk assessments (48%, up from 41%), cyber insurance (62%, up from 49%), formal security policies (59%, up from 51%), and business continuity plans with cyber coverage (53%, up from 44%).

In contrast, high-income charities saw a decline in cyber preparedness. The proportion undertaking risk identification dropped from 86% to 75%, and those with formal strategies fell from 47% to 39%.

Basic technical measures—like malware protection and firewalls—remain widespread, but more advanced tools are less common. Just 40% of businesses and 35% of charities have adopted two-factor authentication.

“While companies can’t control what apps employees install on personal devices, they can and must secure their enterprise applications,” said Jack Kerr, Director at Appdome. “Embedding AI-powered security directly into mobile apps is vital to stop advanced threats at the application level.”

One worrying trend is a decline in board-level engagement. Since 2021, the share of businesses assigning cyber resilience responsibility at the board level has fallen from 38% to just 27%.

Supply chain vulnerabilities also remain a blind spot. Only 14% of businesses and 9% of charities formally assess cyber risks from their immediate suppliers. Awareness of government-backed initiatives like the National Cyber Security Centre’s (NCSC) Cyber Essentials remains limited, especially among micro firms.

Etay Maor warned that addressing these weaknesses will be crucial as policymakers develop the upcoming Cyber Security and Resilience Bill.

“Organisations must take a proactive approach,” he said. “This includes regular threat reviews, strong leadership, XDR tools, and a focus on securing the supply chain—particularly against increasingly sophisticated AI-driven attacks.”
