The UK government has just published (30 April) its 2025/26 Cyber Security Breaches Survey, offering a clear snapshot of cyber risk across UK businesses and charities. Commissioned by the Department for Science, Innovation and Technology (DSIT) and supported by the National Cyber Security Centre (NCSC), the survey provides one of the most authoritative views of the UK cyber resilience landscape.
The findings send a consistent message: while awareness of cyber risk is high, many organisations are still failing to translate intent into effective, repeatable security controls.
Cyber hygiene is improving, but resilience remains uneven
The survey shows continued exposure to cyber incidents across UK organisations. There has been progress in baseline hygiene, including the use of risk assessments, security policies, and cyber insurance. However, these improvements are uneven and, in some cases, fragile. Smaller organisations in particular have slipped back to earlier standards, reinforcing the NCSC’s long‑standing warning that cyber security cannot be treated as a one‑off exercise.
Doing more security activity does not necessarily mean achieving better security outcomes. Real resilience depends on consistency, depth, and governance – not just visible controls.
Low adoption of recognised frameworks remains a structural weakness
One of the most striking findings is the continued low uptake of recognised security frameworks. Government‑backed standards such as Cyber Essentials are specifically designed to provide clear, achievable foundations for security, yet adoption remains limited.
This matters. Frameworks create operational discipline, help organisations reduce reliance on fragmented external advice, and provide assurance that controls are applied consistently. Without them, governance is often weak and security maturity becomes highly variable.
DSIT and the NCSC have consistently positioned frameworks as enablers of resilience, not compliance overheads. The survey suggests many organisations are still missing that message.
Supply chain risk is a critical blind spot
Only a small proportion of organisations formally assess the cyber risks posed by their suppliers. This is a significant concern, particularly as regulators place increasing emphasis on third‑party risk and operational resilience through regimes such as DORA and NIS2.
The NCSC has repeatedly highlighted supply chains as a major source of systemic cyber risk. The survey reinforces that many organisations are strengthening internal defences while leaving material exposure through suppliers and partners — effectively reinforcing the front door while leaving the back door open.
Multi‑factor authentication is still not universal
Despite clear NCSC guidance positioning multi‑factor authentication (MFA) as a basic control, adoption remains surprisingly low. Many organisations still rely primarily on passwords to protect access to systems and cloud services, leaving them vulnerable to phishing and credential‑based attacks.
This gap is becoming increasingly hard to justify. Updates to Cyber Essentials will mandate MFA for cloud services, raising the baseline expectation across UK organisations.
Incident reporting readiness is lagging behind regulation
The survey also highlights weaknesses in incident detection and reporting. Only around half of organisations report cyber incidents to regulators, despite upcoming legislation significantly raising expectations.
Under new regulatory frameworks supported by DSIT, organisations deemed critical will be required to report serious incidents within tight timeframes. Meeting these obligations will demand continuous monitoring, rapid detection, and clearly defined response processes — capabilities many organisations have yet to fully implement.
Importantly, regulators can designate suppliers of any size as critical where disruption could affect essential services, widening the scope of accountability well beyond large enterprises.
The real cost of cyber incidents is often underestimated
While average reported breach costs appear modest, the survey shows a sharp increase for more severe incidents. Downtime, operational disruption, and supply chain impact account for much of this escalation.
This is particularly relevant for Critical National Infrastructure, where outages can trigger widespread economic and societal consequences. The NCSC has warned that modern ransomware attacks increasingly focus on prolonged disruption rather than data theft alone – a trend clearly reflected in the survey’s findings.
The takeaway for leadership teams
The message from DSIT and the NCSC is consistent and clear:
Cyber maturity is not defined by the number of tools deployed, but by how effectively organisations govern risk, apply controls consistently, and align to recognised standards.
Organisations that invest in these areas will be far better positioned to meet regulatory expectations and reduce both operational and financial risk.
Cyber resilience is no longer just a technical issue – it is a core component of operational resilience and competitive advantage.