7 Cyber Truths Every Business Must Face

Sponsored by PublicSectorExperts.com
Hey there👋
612,000 UK businesses experienced cyber attacks last year. And yet, behind this headline from the new Cyber Security Breaches Survey 2025, lies a story far more nuanced than most realize.
The latest government research reveals a rapidly evolving cybersecurity landscape, with a widening security gap between organizations of different sizes and increasingly sophisticated threats emerging.
The Reality Behind the Numbers
While overall attack rates have actually decreased since 2024 (from 50% to 43% for businesses), a troubling reality emerges when you look closer:
The cybersecurity divide is growing.

Large businesses experience cyber attacks at nearly double the rate of their micro counterparts (74% vs 41%). Medium-sized businesses aren't far behind at 67%. This likely doesn't mean small businesses are safer – they're just less equipped to detect these intrusions.
Attack Patterns Evolving
Remember that suspicious email your colleague dismissed last month? Phishing remains the most prevalent attack vector (85% of all breaches) and organizations report it's surprisingly disruptive due to the sheer volume of incidents that require investigation.
But the threat landscape is diversifying:
- Impersonation attacks (34% of businesses)
- Malware excluding ransomware (18%)
- Account takeovers (7%)
- Ransomware attacks have significantly increased since last year

The True Cost
The financial stakes are rising dramatically:
- Average cost of a disruptive breach: £1,600 for businesses, £3,240 for charities
- For organizations experiencing significant outcomes: costs balloon to £8,260+ for businesses
- Cyber-facilitated fraud costs: £5,900 per incident (nearly 4x higher than typical breaches)
Perhaps most concerning: approximately 8.58 million cyber crimes hit UK businesses in the past year, with affected organizations experiencing an average of 30 incidents each.
The Protection Gap
Despite these threats, our defenses remain inconsistent:
- 72% of businesses say cyber security is a high priority, yet board-level responsibility has steadily declined since 2021
- Only 23% of businesses have formal incident response plans
- Small businesses are improving (cyber insurance up from 49% to 62%), while high-income charities show concerning declines in key security measures
- Most common controls: malware protection (77%), password policies (73%) and network firewalls (72%)
- Two-factor authentication remains underutilized (40% of businesses)

Response Reality
When breaches occur, the response is often inadequate:
- Internal reporting to management is common (76% of businesses)
- External reporting remains rare – only about one-third have guidance on when to report externally
- Additional staff training is the most common response (32% of businesses)
- Approximately 20% of businesses didn't know their organization's policy on ransomware payments
Most revealing: companies continue to rely overwhelmingly on external IT consultants rather than established government resources for security guidance, despite available frameworks like Cyber Essentials.
The message is clear: cybersecurity isn't just an IT problem – it's a business survival issue.
Defend or Default: 7 Critical Cyber Security Lessons
1. The threat landscape is shifting — While overall attacks have decreased, ransomware incidents are climbing. The enemy is evolving, not retreating.
2. Phishing remains your biggest vulnerability — 85% of all breaches start here, consuming valuable staff time and resources even when unsuccessful.
3. Size matters in cyber defense — The 33% gap between large and small business attack rates likely reflects detection capabilities, not actual targeting differences.
4. We're aware but unprepared — Despite 72% of businesses prioritizing cybersecurity, only 23% have formal incident response plans. Knowledge without action creates vulnerability.
5. Progress is uneven across sectors — Small businesses are strengthening defenses while high-income charities show concerning security declines.
6. We're asking the wrong people for help — Organizations overwhelmingly turn to IT vendors rather than established government frameworks and resources designed specifically for this purpose.
7. The stakes vary dramatically — From £1,600 for average breaches to £8,260+ for significant incidents, with cyber-facilitated fraud causing the most severe financial damage.
3 immediate actions every organization should consider:
- Establish formal incident response protocols
- Implement regular staff training on phishing awareness
- Review your technical controls against the government-endorsed Cyber Essentials framework
Until Next Time!