Cyber Hygiene: What the 2026 Breaches Survey Shows

The latest UK Government Cyber Security Breaches Survey gives business leaders a useful, if mixed, view of cyber risk. The headline figure is encouraging in one respect: the proportion of UK businesses reporting a cyber breach or attack held at 43% in 2025/2026, after falling from 50% to 43% the previous year.

However, that does not mean the risk has gone away. The report is clear that these figures only count breaches and attacks that organisations were able to identify and were willing to report. Incidents that went undetected or unreported are not in the data, so the true level of activity is likely to be higher than the 43% figure suggests.

What the data does show is that cyber hygiene is now a business resilience issue. Basic controls are improving in several areas, but the gaps around risk assessments, formal policies, tested incident response plans, and business continuity planning remain too wide.

Key statistics from the 2025/2026 survey

[Infographic: key statistics from the 2025/2026 Cyber Security Breaches Survey]

Cyber hygiene is improving, but unevenly

The government report defines cyber hygiene as the cyber security practices of organisations, including risk management, technical controls and cyber governance. In practical terms, this includes the basics that reduce the chance of an incident becoming a serious operational problem.

There are positive signs. Most businesses now have several basic controls in place. Up-to-date malware protection is used by 81% of businesses, cloud-based data backups by 74%, password policies by 74%, network firewalls by 74%, and restricted admin rights by 73%.


The lower adoption of two-factor authentication, VPN use, rapid software update policies and user monitoring should be a concern. These are not exotic measures. They are part of the control set that helps prevent account compromise, unmanaged remote access and avoidable exposure.

There is also a sharp difference by business size. Large businesses report much higher adoption across key controls, including 90% using two-factor authentication and 94% having an agreed process for fraudulent emails. Smaller organisations are less likely to have the same level of protection, yet they still face disruption when systems, files or communications are affected.

Business continuity planning remains underdeveloped

The survey’s most relevant finding for business continuity is not just the number of attacks. It is the lack of preparation for what happens next.

Only 33% of businesses and 20% of charities reported having a business continuity plan that covered cyber security. Among small businesses, the figure fell from 53% in 2024/2025 to 44% in 2025/2026. Formal cyber security policies also dropped among small businesses, from 59% to 52%.


This is where cyber hygiene and continuity planning meet. Malware protection, firewalls and passwords can reduce exposure, but they do not answer the operational questions that follow an incident.

Who declares an incident? Which systems are restored first? How quickly can data be recovered? Who contacts customers, suppliers, regulators or insurers? What happens if email, files or a key application are unavailable?

Those questions need answers before an incident takes place.

Phishing remains the main route in

Phishing continues to dominate the threat picture. The survey found that 38% of businesses and 25% of charities experienced phishing attacks in the last 12 months. Impersonation attacks were reported by 12% of businesses and 7% of charities, while malware affected 7% of businesses and 3% of charities.


Phishing remains difficult to tackle through technology alone. It exploits human behaviour, trusted supplier relationships, rushed decisions and the everyday business communication that staff cannot simply stop reading. Stronger cyber hygiene should therefore include staff awareness, clear reporting routes, and a defined process for handling suspicious emails or links, alongside two-factor authentication so that a stolen password on its own is not enough to take over an account.

The survey also found that among organisations experiencing breaches or attacks, phishing-only incidents increased among both businesses and charities. That makes preparation more important, not less.

Incident response is still underdeveloped

The report shows a gap between what organisations say they would do after a breach and what they already have in place. While 81% of businesses said they would inform directors or senior leaders, only 25% had a formal incident response plan, and 45% of businesses said they had none of the incident response measures listed in the survey.


This is the part of cyber resilience that often receives less attention than prevention. Yet the recovery phase is where operational damage is either contained or allowed to spread.

The survey found that, among affected organisations, 30% of businesses and 26% of charities experienced some form of wider impact from a breach or attack. These impacts included additional staff time, disruption to work, repair or recovery costs, loss of revenue, customer complaints and reputational damage.

What businesses should take from the report

The lesson is not that cyber attacks are disappearing. It is that better cyber hygiene can reduce exposure, but resilience depends on preparation.

For organisations that have not yet taken practical steps, the starting point does not need to be complicated. Review who has access to what, and remove admin rights that are not needed. Check that backups exist, are kept separate from the systems they protect, and have actually been restored in a test. Enable two-factor authentication wherever it is available, starting with email, remote access and administrator accounts. Make sure software updates are applied promptly. Train staff to recognise and report phishing attempts. Then connect those controls to a business continuity plan that sets out how the organisation will respond, recover and communicate if an incident occurs, and rehearse that plan so it is not being read for the first time during a live incident.

CiContinuity’s business continuity specialists can help organisations assess where they are exposed, strengthen recovery planning, and align cyber incident response with wider operational resilience.

If your organisation has not yet reviewed its cyber security and continuity arrangements, now is a sensible time to start.
