UK businesses are facing a growing crisis in cybersecurity, leaving them critically vulnerable to increasingly sophisticated attacks. A confluence of factors, including the rising sophistication of cybercrime, a shortage of skilled cybersecurity professionals, and the rapid adoption of new technologies like AI, has created a perfect storm of challenges for organizations across the country.
Prevalence and Impact of Cyber Attacks
Cyberattacks are a frequent occurrence for UK businesses. Just over four in ten businesses (43%) reported experiencing a cybersecurity breach or attack in the last 12 months. Medium and large businesses are even more likely to be targeted, with 70% and 74% respectively reporting breaches. While this represents a slight decrease from 2024, the overall scale of the problem remains significant. Small and medium-sized businesses (SMBs/SMEs) are particularly vulnerable, with 81% of UK businesses that suffer a cybersecurity attack falling into this category. In fact, two-thirds of companies with 10-49 employees have experienced a cyberattack.

The financial impact of these attacks can be devastating. In 2022, cybercrime cost UK businesses an average of £4,200, and the total cost to the UK economy is estimated to be £27 billion per year. The average cost to remedy an attack is around £21,000. SMEs are estimated to lose £3.4 billion annually due to inadequate cybersecurity measures. Beyond the financial costs, cyberattacks can lead to data breaches, system downtime, reputational damage, and even business closure. It's estimated that 60% of small companies go out of business within six months of a cyberattack.
Key Vulnerabilities
Several factors contribute to the cybersecurity shortfalls of UK businesses:
- Phishing: Phishing remains the most prevalent type of cybercrime, accounting for 93% of cybercrimes experienced by businesses. Cybercriminals use increasingly sophisticated techniques, including AI-powered phishing emails and deepfakes, to trick employees into divulging sensitive information.
- Ransomware: Ransomware attacks are on the rise, with the percentage of businesses experiencing such attacks doubling from less than 0.5% in 2024 to 1% in 2025. This equates to an estimated 19,000 businesses affected by ransomware in 2025.
- AI-Related Threats: The increasing use of AI by cybercriminals poses a significant threat. AI can be used to create more convincing phishing emails, automate attacks, and develop new malware.
- Skills Shortage: A shortage of skilled cybersecurity professionals leaves many critical security roles unfilled.
- Supply Chain Vulnerabilities: Cybercriminals are increasingly targeting smaller businesses in order to gain access to larger businesses in their supply chain.
- Hybrid Work: Hybrid and remote work environments introduce new risks, such as unsecured home networks, unmanaged devices, and shadow IT.
- Cloud Misconfigurations: Misconfigured cloud storage, permissions, or encryption settings can expose sensitive data.
- Lack of Preparedness: Many businesses lack formal cybersecurity incident management plans and do not conduct regular risk assessments. Only 22% of UK businesses have a formal cybersecurity incident management plan in place.
Strategies for Improved Readiness
To address these vulnerabilities, UK businesses need to adopt improved readiness strategies:
- Develop a Comprehensive Cyber Strategy: Businesses should establish a comprehensive cyber strategy that aligns cyber risk management with business resilience and growth objectives.
- Promote a Cyber-Secure Culture: Foster a cyber-secure culture throughout the organization, ensuring employees at all levels are aware of potential threats and their role in mitigating them. Continuous education and training programs are essential to keep the workforce updated on cybersecurity trends and threats.
- Implement Incident Response Plans: Develop and implement incident response plans to enable swift and effective action in the event of a cyberattack.
- Conduct Regular Risk Assessments: Regularly assess cybersecurity risks and vulnerabilities. The share of small businesses carrying out risk assessments covering cybersecurity has risen significantly (48% in 2025, up from 41% in 2024).
- Strengthen Core Defenses: Implement measures to protect against common threats like phishing and ransomware, such as multi-factor authentication (MFA), endpoint detection and response (EDR) solutions, and regular data backups.
- Embrace AI-Driven Security Solutions: Invest in AI-driven security solutions to enhance threat detection, response, and recovery capabilities.
- Simplify Security Frameworks: Simplify security frameworks and strengthen core defenses to improve overall readiness.
- Address Supply Chain Risks: Vet third-party providers with strict security due diligence and apply zero-trust principles to supplier access.
- Secure Remote Work Environments: Centralize device and patch management and implement secure remote access solutions.
- Harness Government Resources: Businesses can leverage government-backed schemes like Cyber Essentials to improve their cybersecurity posture. The Cyber Essentials scheme helps protect against almost all cyber threats, and businesses with the Cyber Essentials controls in place make 92% fewer insurance claims.
- Increase Cyber Insurance Coverage: Increase uptake of cyber insurance. The share of small businesses with cyber insurance in place has risen (62%, up from 49% in 2024).
The UK government is also taking steps to address the cybersecurity challenge. The government has launched a comprehensive package of measures designed to bolster online defenses, including a new Code of Practice for Cyber Governance. The Code outlines specific actions business leaders can take to protect their operations and secure future growth. The government is also pursuing legislative measures to strengthen cybersecurity across critical sectors.