UK Cyber Security Breaches Survey 2025/2026: 43% of Businesses Hit as Phishing Dominates
The UK’s latest Cyber Security Breaches Survey for 2025/2026 reports a stark headline: 43% of businesses and 28% of charities experienced a cyber incident in the past year. That is more than two in five businesses, and more than one in four charities, directly affected. Phishing remains the primary entry point, a reminder that social engineering continues to outpace our collective defenses.
Why this matters now is simple: the cost, complexity, and frequency of cyber incidents are rising as attackers blend social engineering with automation, credential theft, and lateral movement tools. Many organizations have invested in controls and awareness campaigns, yet breach rates remain persistently high. The takeaway is not that security investments don’t work; it’s that they must be better targeted, continuously measured, and integrated into how people actually work.
This article dissects the survey’s implications and turns them into a plan: how to benchmark your posture against peers, which controls reduce phishing risk fastest, how to detect and respond decisively, and where to invest for meaningful year-over-year improvements.
What the UK Cyber Security Breaches Survey 2025/2026 Tells Us
The reported figures — 43% of UK businesses and 28% of charities suffering a cyber incident in the past 12 months — confirm a stubborn reality: UK organizations still face a broad and persistent threat environment. Phishing is the most common attack vector, frequently used to harvest credentials, drop malware, or catalyze business email compromise (BEC).
The survey series, commissioned annually by the UK government, is intended to illuminate exposure and preparedness trends across the economy. For methodology, historical results, and definitions, see the UK government’s official Cyber Security Breaches Survey collection, which provides long-term context across sectors and organization sizes (UK Government Cyber Security Breaches Survey collection).
Three implications stand out:
- Social engineering continues to bypass traditional controls. Attackers adapt quickly to security training and tooling gaps, shifting to lookalike domains, MFA fatigue, QR-code phishing, and voice or video deepfakes.
- Detection and reporting maturity strongly influence measured incident rates. Organizations with better logging, triage processes, and SOC coverage often report more incidents simply because they find more.
- Many organizations lack phishing-resistant identity controls and layered email defenses, leaving staff as the last, fragile line of defense.
Why Phishing Still Works: People, Process, and Controls
Phishing works because it targets the intersection of human attention, organizational process, and technical trust chains. Adversaries use email, messaging apps, collaboration platforms, SMS, and phone calls to initiate compromise. The technique is codified in MITRE ATT&CK as T1566 (Phishing), whose sub-techniques cover spearphishing attachments, spearphishing links, spearphishing via third-party services, and spearphishing by voice.
Consider the modern playbook:
- Reconnaissance identifies payable contacts, executive assistants, or vendor managers.
- An initial lure piggybacks a legitimate-looking workflow: a late invoice, parcel delivery, legal notice, or DocuSign request.
- Push-based MFA is worn down by prompt bombing (“MFA fatigue”), or bypassed outright by an adversary-in-the-middle proxy that relays the real login and captures the resulting session cookie.
- Once inside, attackers live off the land, abusing built-in tools and legitimate access until they can exfiltrate data, reroute payments, or stage ransomware.
Despite widespread training, phishing succeeds when controls are not layered, identity is not hardened, and processes for exception handling (urgent payments, new supplier bank details) are weak. The use of generative tools to craft fluent, context-rich lures narrows the gap between “obvious scam” and “convincing request.” European threat reporting from ENISA has tracked social engineering and BEC as consistent high-impact techniques, providing a reference point for defensive priorities (ENISA Threat Landscape).
On the defense side, email and collaboration platforms now embed advanced anti-phishing protections, but these require careful configuration, ongoing tuning, and monitoring of false positive/negative trade-offs. Microsoft’s enterprise documentation outlines how to configure and validate modern anti-phishing and impersonation protections across M365 workloads (Microsoft 365 anti-phishing protection).
Businesses vs. Charities: Interpreting the 43% vs. 28% Gap
At face value, charities appear less targeted than businesses. In practice, several factors may drive the gap:
- Targeting: Cybercriminals often follow the money. Companies involved in supply chains, finance, or professional services may see more deliberate BEC attempts and invoice fraud.
- Security maturity: Some charities run leaner IT estates with simpler networks and fewer systems, which can reduce attack surface but may also reduce detection depth.
- Detection and reporting: Organizations with centralized logging, SIEM/XDR, and structured incident response will inevitably identify and report more incidents. Under-detection can read as under-attack.
- Data value and compliance: Regulated businesses and those handling sensitive customer data typically invest more in monitoring; they also face stricter reporting obligations.
For both sectors, phishing remains the low-friction attack path. Charities should not interpret 28% as a safety margin; rather, it emphasizes the need for cost-effective, high-ROI controls and partnerships.
From Awareness to Outcomes: Building a Phishing-Resilient Stack
Security awareness is necessary, but not sufficient. A resilient program deliberately combines controls to limit blast radius, reduce successful lures, and speed containment.
Email authentication you can verify: SPF, DKIM, DMARC
- Implement SPF, DKIM, and DMARC on every domain you own, working up to p=reject on your primary sending domain to curb spoofing and brand abuse. Start at p=none with reporting enabled so you can see who is sending as you before anything is blocked.
- Monitor DMARC aggregate (rua) reports to find legitimate senders not yet authenticated or aligned. Forensic (ruf) reports help where available, but most large mailbox providers do not send them, so do not plan around them.
- Put third-party senders (marketing, CRM, ticketing) on dedicated subdomains with their own SPF/DKIM, and set an explicit subdomain policy (sp=) so a compromised or misconfigured supplier cannot spoof your main domain. Domains that never send mail should carry DMARC p=reject and an SPF record of “v=spf1 -all”. For UK-focused, practical guidance, see the NCSC’s advice on protecting your organisation from email spoofing and phishing.
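As an added example (not code from the page, the survey, or the NCSC), the following Python script triages a DMARC aggregate report and checks whether a policy record actually enforces. The report XML, the domains, and the IPs in it are constructed for illustration; the three sources are chosen to show the three situations you meet in practice: an aligned sender, a third-party service that authenticates for its own domain but not yours, and a source with no authentication at all.

```python
"""Triage a DMARC aggregate (RUA) report and sanity-check a DMARC policy record.

Added example, not from the page or its sources. The report below is a constructed
sample in the RFC 7489 aggregate-report XML shape, using documentation IPs
(RFC 5737) and made-up domains; it is not real report data.
"""
import xml.etree.ElementTree as ET

# Constructed sample: three sources sending with header From: example.org.
SAMPLE_RUA_XML = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>r1</report_id></report_metadata>
  <policy_published><domain>example.org</domain><p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><dkim><domain>example.org</domain><result>pass</result></dkim>
      <spf><domain>example.org</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><dkim><domain>mail.crm-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.200</source_ip><count>900</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><spf><domain>example.org</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def triage_rua(xml_text: str) -> dict:
    """Bucket each source IP by what the receiver actually evaluated.

    aligned         - DMARC passed: SPF or DKIM passed *and* aligned with header From
    unaligned       - raw SPF/DKIM passed only for some other domain: usually a
                      legitimate third-party sender not yet aligned for you, or a lookalike
    unauthenticated - nothing passed at all: spoofing candidates (or a forgotten server)
    """
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    out = {"domain": pub.findtext("domain"), "policy": pub.findtext("p"),
           "aligned": [], "unaligned": [], "unauthenticated": []}
    for rec in root.iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        auth = rec.find("auth_results")
        entry = {
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": ev.findtext("disposition"),
            # domains that produced a raw pass, so you can see who really signed or sent
            "raw_pass_domains": sorted({r.findtext("domain") for r in auth
                                        if r.findtext("result") == "pass"}),
        }
        dmarc_pass = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        if dmarc_pass:
            out["aligned"].append(entry)
        elif entry["raw_pass_domains"]:
            out["unaligned"].append(entry)
        else:
            out["unauthenticated"].append(entry)
    return out


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record and say whether it actually enforces.

    "Enforced" means p=quarantine or p=reject applied to 100% of mail (pct defaults
    to 100). sp= governs subdomains and inherits p when absent; rua= is what makes
    receivers send the aggregate reports this script consumes.
    """
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    policy = tags.get("p")
    pct = int(tags.get("pct", "100"))
    return {
        "policy": policy,
        "enforced": policy in ("quarantine", "reject") and pct == 100,
        "subdomain_policy": tags.get("sp", policy),
        "has_rua": "rua" in tags,
    }


if __name__ == "__main__":
    report = triage_rua(SAMPLE_RUA_XML)
    for bucket in ("aligned", "unaligned", "unauthenticated"):
        for e in report[bucket]:
            print(f"{bucket:15} {e['ip']:15} msgs={e['count']:5} raw_pass={e['raw_pass_domains']}")
    print(parse_dmarc_record("v=DMARC1; p=none; rua=mailto:dmarc@example.org"))
```

The "unaligned" bucket is the one that matters before you move to p=reject: those are senders whose mail will start being quarantined or dropped, and the raw-pass domains tell you which supplier to chase for DKIM signing under your domain (or a dedicated subdomain). The "unauthenticated" bucket with a high count is what p=reject is there to stop.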
Advanced email and collaboration security
- Enable impersonation protection for executives and finance roles; tune for suppliers and commonly-abused brands.
- Use time-of-click protection and URL rewriting to catch delayed weaponization.
- Enable attachment detonation/sandboxing and restrict dangerous file types by policy.
- Integrate signals from collaboration tools (Teams, Slack, Zoom) into detection pipelines.
Identity that resists phishing
- Move to phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) for admins and high-risk roles first. For administrators, prefer device-bound credentials over synced passkeys, since a synced passkey is only as safe as the consumer account that syncs it.
- Enforce conditional access based on device health, location, and risk scores.
- Implement just-in-time and least-privilege access; disable legacy authentication protocols.
Endpoint, browser, and network controls
- Deploy EDR with behavioral analytics; ensure coverage for macOS/Linux where relevant.
- Use browser isolation or enterprise browsers to mitigate web-delivered malware.
- Segment networks to protect crown jewels; apply egress controls to limit C2 and data exfiltration.
Framework alignment, not checkbox compliance
Set your control objectives against a tiered framework to avoid gaps and duplications. The updated NIST Cybersecurity Framework 2.0 provides outcome-based functions (Identify, Protect, Detect, Respond, Recover) and profiles you can tailor by risk and sector.
Detect Faster, Respond Smarter: Closing the Dwell-Time Gap
Assume some phishing attempts will pierce your first line of defense. Your advantage comes from speed: how quickly you detect, triage, contain, and recover.
Detection engineering for phish-to-ransom chains
- Normalize email security alerts into SIEM/XDR and correlate them with suspicious sign-ins, MFA anomalies (repeated push denials, new authenticator registrations), inbox rule creation or modification, new OAuth consent grants, and DLP events.
- Track initial access techniques (T1566), then credential use and persistence (valid accounts, email forwarding and hiding rules), lateral movement (e.g., remote service creation, RDP anomalies), and data staging/exfiltration. Mapping each rule to MITRE ATT&CK keeps playbooks consistent and makes coverage gaps visible.
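Below is an added example, not from the page or any SIEM vendor, of the correlation the list describes, written in Python over constructed audit events. The operation names follow Microsoft 365 conventions (UserLoggedIn, New-InboxRule), but the flat field layout, the country field, and the users, IPs and mailbox-rule parameters are assumptions made for the example; adapt the field access to your own export format.

```python
"""Correlate sign-in and inbox-rule events to surface phishing-led mailbox abuse.

Added example; not from the page or any vendor product. The events are constructed,
loosely modelled on Microsoft 365 audit operation names (UserLoggedIn, New-InboxRule)
with a simplified flat schema; real exports nest these fields differently.
"""
from collections import defaultdict
from datetime import datetime

# Constructed events (documentation IPs, made-up users). Not real log data.
EVENTS = [
    {"ts": "2025-03-03T08:02:00Z", "user": "a.finance@example.org", "op": "UserLoggedIn",
     "ip": "203.0.113.5", "country": "GB", "result": "Success"},
    {"ts": "2025-03-03T09:15:00Z", "user": "a.finance@example.org", "op": "UserLoggedIn",
     "ip": "203.0.113.5", "country": "GB", "result": "Success"},
    # Successful sign-in from a country never seen for this user ...
    {"ts": "2025-03-04T02:41:00Z", "user": "a.finance@example.org", "op": "UserLoggedIn",
     "ip": "198.51.100.23", "country": "NG", "result": "Success"},
    # ... followed eight minutes later by a rule that forwards invoices out and deletes them.
    {"ts": "2025-03-04T02:49:00Z", "user": "a.finance@example.org", "op": "New-InboxRule",
     "ip": "198.51.100.23", "params": {"Name": ".", "SubjectContainsWords": "invoice;payment",
                                       "ForwardTo": "ap@examp1e-org.net", "DeleteMessage": True}},
    # Benign: usual location, a rule that only files newsletters.
    {"ts": "2025-03-04T10:00:00Z", "user": "b.sales@example.org", "op": "UserLoggedIn",
     "ip": "203.0.113.9", "country": "GB", "result": "Success"},
    {"ts": "2025-03-04T10:05:00Z", "user": "b.sales@example.org", "op": "New-InboxRule",
     "ip": "203.0.113.9", "params": {"Name": "Newsletters", "FromAddressContainsWords": "news",
                                     "MoveToFolder": "Reading"}},
    # External forward with no risky sign-in in the window: still worth a look, lower severity.
    {"ts": "2025-03-05T14:30:00Z", "user": "c.hr@example.org", "op": "New-InboxRule",
     "ip": "203.0.113.12", "params": {"Name": "Backup", "ForwardAsAttachmentTo": "me@webmail.example"}},
]

# Folders attackers use to park mail out of sight, and words that mark BEC/lure-related rules.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "conversation history", "deleted items"}
LURE_WORDS = ("invoice", "payment", "bank", "password", "mfa", "hack", "phish", "suspicious")


def _parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect(events, internal_domain="example.org", window_minutes=60):
    """Return findings with MITRE ATT&CK technique IDs, ordered by event time.

    Rule 1: successful sign-in from a country absent from the user's own history (T1078).
    Rule 2: inbox rule that forwards externally (T1114.003), hides mail (T1564.008),
            or keys on fraud/lure words; severity is raised to high when it follows a
            Rule 1 hit for the same user within window_minutes.
    """
    seen_countries = defaultdict(set)   # per-user baseline, built as the stream is read
    last_new_location = {}              # user -> time of the latest unseen-country login
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts, user = _parse_ts(e["ts"]), e["user"]
        if e["op"] == "UserLoggedIn" and e.get("result") == "Success":
            if seen_countries[user] and e["country"] not in seen_countries[user]:
                last_new_location[user] = ts
                findings.append({"ts": e["ts"], "user": user, "kind": "new_location_login",
                                 "severity": "low", "techniques": ["T1078"],
                                 "detail": f"{e['country']} via {e['ip']}"})
            seen_countries[user].add(e["country"])
        elif e["op"] in ("New-InboxRule", "Set-InboxRule"):
            p, reasons, techniques = e["params"], [], set()
            target = p.get("ForwardTo") or p.get("RedirectTo") or p.get("ForwardAsAttachmentTo")
            if target and not target.lower().endswith("@" + internal_domain):
                reasons.append(f"forwards to external {target}")
                techniques.add("T1114.003")
            if p.get("DeleteMessage") or str(p.get("MoveToFolder", "")).lower() in HIDING_FOLDERS:
                reasons.append("hides matching mail")
                techniques.add("T1564.008")
            words = " ".join(str(p.get(k, "")) for k in ("SubjectContainsWords", "BodyContainsWords")).lower()
            if any(w in words for w in LURE_WORDS):
                reasons.append("matches fraud/lure keywords")
                techniques.add("T1564.008")
            if not reasons:
                continue
            prior = last_new_location.get(user)
            chained = prior is not None and 0 <= (ts - prior).total_seconds() <= window_minutes * 60
            findings.append({"ts": e["ts"], "user": user, "kind": "suspicious_inbox_rule",
                             "severity": "high" if chained else "medium",
                             "techniques": sorted(techniques), "detail": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['ts']} {f['severity']:6} {f['user']:24} {f['kind']:22} "
              f"{','.join(f['techniques'])} :: {f['detail']}")
```

The design point is that neither signal is conclusive alone: travel and odd hours happen, and people do create forwarding rules. Chaining them inside a short window is what turns two low-confidence alerts into one that justifies automatic session revocation. In production the baseline would come from weeks of sign-in history rather than the same batch, and the rule parameters would be read from the nested audit record.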
Incident response playbooks and drills
- Pre-approve playbooks for BEC, credential theft, and malware-laced attachments.
- Rehearse incidents quarterly, including after-hours paging and decision-making under uncertainty.
- Use tabletop exercises to validate legal, comms, and executive coordination. The UK’s NCSC provides a free, practical way to run scenarios via Exercise in a Box.
For a structured response lifecycle, NIST SP 800-61 (Computer Security Incident Handling Guide; Revision 3, published in 2025, is framed as a CSF 2.0 Community Profile) remains the reference that teams can adapt.
Metrics that matter
Measure what drives behavior and outcomes:
- Time to detect (TTD) and time to contain (TTC) for email-borne incidents
- Phish click-through rate vs. report rate, by business unit
- Percentage of staff on phishing-resistant MFA
- Mean time to fully evict a compromised identity
- DMARC enforcement coverage across domains and third-party senders
A 90-Day Plan to Reduce Phishing Risk
This action plan prioritizes controls with strong impact and reasonable deployment effort. Tailor for your size and sector.
Days 1–30: Stabilize the basics
- Inventory email domains and senders
  - Identify all sending services (marketing platforms, CRMs, ticketing tools).
  - Start SPF/DKIM cleanup and plan DMARC rollout (monitoring mode).
- Harden identity for high-risk personas
  - Enforce phishing-resistant MFA for administrators, finance, and executive assistants.
  - Block legacy auth, require device health for elevated access.
- Tune the email gateway and collaboration tools
  - Turn on impersonation and BEC detection; add executive and vendor watchlists.
  - Enable time-of-click URL protection and attachment sandboxing.
- Launch a “report-first” culture
  - Deploy one-click “Report Phish” in email clients.
  - Set SLAs for triage and feedback to reporters to reinforce good behavior.
Days 31–60: Build detection muscle and run drills
- Integrate telemetry
  - Stream email security logs into SIEM/XDR; create correlation rules for credential misuse and inbox anomalies.
  - Ensure endpoint alerts link back to likely email sources for rapid scoping.
- Run a targeted phishing simulation and training
  - Focus on realistic lures (invoice changes, HR policy updates).
  - Provide immediate, friendly micro-training upon clicks; highlight how to report.
- Tabletop a BEC incident
  - Involve finance and legal. Validate the “pause-and-verify” process for bank detail changes.
  - Pre-approve out-of-band comms channels when email is suspect.
Days 61–90: Enforce and expand
- Move key domains to DMARC p=quarantine, then p=reject
  - Remediate any legitimate senders that fail alignment; expand to subdomains and third-party vendors.
- Broaden phishing-resistant MFA
  - Roll out passkeys or FIDO2 keys to all staff, prioritizing externally-exposed roles.
- Automate response where safe
  - Auto-isolate endpoints on high-confidence malware hits.
  - Automatically block or remove malicious URLs and revoke tokens with predefined conditions.
- Brief the board on outcomes
  - Show reductions in click rates, improvements in report rates, DMARC enforcement status, MFA coverage, and TTD/TTC trends.
  - Request budget for next-phase controls based on measurable risk reduction.
Governance, Regulation, and Board Oversight
Cyber risk is enterprise risk. Boards and trustees need clear, business-aligned reporting that connects controls to outcomes and obligations.
- UK GDPR and breach reporting: a personal data breach must be reported to the ICO without undue delay and within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to people’s rights and freedoms; where the risk is high, affected individuals must also be told without undue delay. Record every breach internally, reported or not. The ICO offers practical guidance on personal data breaches and reporting.
- Baseline hygiene: The NCSC’s 10 Steps to Cyber Security remains the UK’s pragmatic baseline for governance, identity, data security, and incident management.
- Assurance pathways for SMEs and charities: The Cyber Essentials scheme provides a cost-effective route to validate foundational controls, often required by partners and insurers. See the NCSC’s overview of Cyber Essentials.
Board reporting should track:
- Exposure-reducing changes (DMARC enforcement, MFA coverage, legacy auth elimination)
- Detection and response improvements (TTD/TTC, percent of auto-contained incidents)
- Human risk trends (phish report rate, repeat clickers, high-risk teams)
- Material incidents and lessons learned, tied to policy or control adjustments
Budgeting for Impact: Investment Priorities for 2025/2026
To maximize risk reduction per pound spent, prioritize controls that specifically counter phishing and accelerate response.
- Phishing-resistant identity
  - FIDO2/WebAuthn keys or passkeys for admins and high-risk staff first; expand to all staff.
  - Conditional access with device health, risk-based policies, and session controls.
- Email and collaboration security tuning
  - Advanced anti-phishing, brand impersonation, and BEC detection.
  - Attachment sandboxing, time-of-click URL rewriting, and domain impersonation detection.
- DMARC enforcement and brand protection
  - Move to p=reject and monitor domain abuse; integrate brand monitoring to detect lookalikes.
- Endpoint and browser controls
  - EDR across all endpoints, with response automation for known-bad behaviors.
  - Enterprise browser features or isolation for risky workflows and third-party access.
- Detection engineering and managed support
  - SIEM/XDR correlation rules for phish-to-ransom paths.
  - Consider a reputable MDR/MXDR partner to cover off-hours and accelerate containment.
- Continuous training with positive reinforcement
  - Targeted simulations and instant coaching; reward high-quality reporting.
  - Embed “pause-and-verify” for payment changes and unusual requests in finance SOPs.
Map each spend to measurable KPIs and tie them to executive risk narratives. Use the NIST CSF 2.0 functions as a common language for planning and tracking.
Looking Ahead: AI-Augmented Threats and Defensive Automation
Generative tools make phishing more convincing, more localized, and more scalable. Expect:
- Hyper-personalized lures using public and leaked data
- Deepfake voice and video in high-value BEC scenarios
- QRishing (QR-based phishing), MFA-prompt bombing, and adversary-in-the-middle kits that proxy the genuine login page and capture the session cookie once MFA has completed
- Increased use of OAuth consent fraud to gain persistent access without passwords
Defenders can respond in kind:
- LLM-assisted triage to summarize alerts and user reports, reducing analyst fatigue
- Automated enrichment and response for known-bad indicators
- Policy-as-code for rapid, consistent security configuration at scale
- Content authenticity signals, DMARC alignment, and strict supplier validation to counter spoofing and BEC
The future belongs to organizations that integrate security into business workflows, empower people to signal risk early, and automate away toil so analysts can focus on judgment calls.
Practical Benchmarks to Compare Against Peers
Use the survey headlines as a starting point, then benchmark operationally:
- Incident rate: Are you reporting more or fewer incidents than the 43% (business) or 28% (charity) average? If fewer, does that reflect better prevention or under-detection?
- Phishing metrics: What’s your click-through and report rate? How fast do you isolate compromised accounts?
- Identity posture: What percent of staff use phishing-resistant MFA? How much legacy auth remains?
- Email authentication: Are all domains at DMARC p=reject? What’s your coverage for DKIM-aligned third-party senders?
- Response performance: Are TTD/TTC improving quarter over quarter? What’s your auto-containment rate?
These operational metrics move the needle more reliably than point-in-time audits.
FAQ
What is the UK Cyber Security Breaches Survey and why should I care?
It is the UK government’s annual study of organizational exposure and response to cyber incidents across businesses and charities. It provides directional indicators you can use to benchmark your posture and prioritize investments relative to national peers and sectors. See the government’s Cyber Security Breaches Survey collection for background and prior reports.
Why is phishing still the top attack vector?
Because it targets human trust and everyday workflows. Attackers mix convincing pretexts, lookalike domains, and timing pressure to drive clicks or approvals. Even mature environments will see some failures, which is why layered email controls, phishing-resistant MFA, and fast detection/response are essential. The technique is formally tracked in MITRE ATT&CK T1566 (Phishing).
What is the fastest way to reduce phishing risk?
Enforce phishing-resistant MFA for high-risk roles, move your domains to DMARC p=reject, enable and tune advanced anti-phishing/BEC protections, and make reporting easy with one-click buttons. Back this with clear finance “pause-and-verify” procedures for bank detail changes.
How should SMEs and charities act with limited budgets?
Target high-ROI controls first: DMARC enforcement, phishing-resistant MFA for admins and finance, tuned anti-phishing, and a simple report-first culture. Use free resources like the NCSC’s 10 Steps to Cyber Security and run low-cost exercises with Exercise in a Box.
Which frameworks should we align to?
Use the NIST Cybersecurity Framework 2.0 for outcome-based planning and reporting. Map controls and processes to Identify, Protect, Detect, Respond, and Recover. For response specifics, adapt playbooks from NIST SP 800-61. In the UK, pair this with NCSC guidance and Cyber Essentials for baseline assurance.
What if a phishing incident involves personal data?
Assess quickly whether people’s rights and freedoms are at risk. If they are, notify the Information Commissioner’s Office (ICO) without undue delay and within 72 hours of becoming aware; where the risk is high, inform affected individuals as well. Keep a record of the assessment even when you conclude no report is needed. The ICO’s guidance on personal data breaches explains when and how to report.
Conclusion: Turn the Survey Into a Security Action Plan
The UK Cyber Security Breaches Survey 2025/2026 confirms what many security teams feel daily: phishing-led attacks are still hammering organizations, with 43% of businesses and 28% of charities reporting incidents. The response is not more of the same training and tools; it is sharper prioritization, tighter integration, and measurable outcomes.
Focus on what drops risk fastest: phishing-resistant MFA, DMARC enforcement, tuned anti-phishing/BEC controls, and fast, automated detection-to-containment. Align to NIST CSF 2.0 for planning and to NIST 800-61 for response, lean on NCSC guidance, and brief leadership in business terms with real KPIs. If you act with discipline over the next 90 days, you can materially lower your exposure — and next year’s survey can be a benchmark not of worry, but of progress.