
Despite increasing media coverage and countless high-profile incidents, the UK’s cyber readiness remains patchy at best. The 2025 Cyber Security Breaches Survey, released in April by the Department for Science, Innovation and Technology (DSIT) alongside the Home Office, lays bare the scale of the challenge and the level of inaction. It shows that while awareness is growing, tangible change remains slow. The disconnect between knowing the risks and actively addressing them is leaving many organisations dangerously exposed.
The numbers behind the narrative
This year’s survey found that 43% of UK businesses and 30% of charities experienced a cyber incident in the past 12 months. Among medium and large organisations, the numbers were significantly worse: 67% and 74% respectively reported breaches or attacks. These are not trivial figures. They represent thousands of compromised systems, disrupted operations, and sensitive data at risk.
What’s more striking is that phishing remains the most reported attack type, involved in 85% of breaches. This highlights a fundamental weakness: the human factor. Even as security software improves, attackers are exploiting gaps in awareness and behaviour, often with the help of AI tools that make phishing attempts more targeted, convincing, and effective.
Culture and leadership lag behind
One of the more worrying findings in the 2025 report is the decline in cyber accountability at the board level. Just 30% of surveyed businesses have a board member responsible for cybersecurity, a drop from earlier years. This is not a technology problem; it’s a leadership one.
Cybersecurity must be embedded in an organisation’s strategic thinking. When it’s left solely to IT departments, there’s a risk it becomes siloed, underfunded, or misunderstood. Boards need to treat cyber threats in the same way they approach financial, operational, or reputational risks. This requires not just assigning responsibility but also building fluency. Executives should be asking the right questions: How are we protecting our most valuable assets? How quickly can we detect a breach? What is our incident response plan?
Supply chains remain a soft target
A particularly glaring weakness is in third-party risk management. Only 14% of organisations review the cyber resilience of their immediate suppliers, and a mere 7% consider risks beyond that first tier. In an era where businesses rely heavily on digital service providers, outsourced IT, cloud platforms, and logistics networks, this oversight is both common and catastrophic.
We’ve already seen what can go wrong. The Synnovis ransomware attack, which affected NHS blood testing services, was not just a problem for the supplier; it disrupted hospitals and patients across London. In today’s economy, a breach in your partner’s system can quickly become your problem too.
Organisations must tighten supply chain controls, insisting on minimum standards such as multi-factor authentication, secure data handling, and routine cyber audits. Contracts should reflect these expectations, and critical suppliers should be treated as extensions of the business, subject to the same scrutiny and safeguards.
A shift in mindset: from reactive to resilient
Too often, cybersecurity investments are reactive, prompted only by a breach or a compliance deadline. But cyber threats evolve daily, and static defences won’t hold up. The message from the 2025 survey is clear: it’s time for a mindset shift.
To become truly cyber-resilient, organisations must focus on three core areas:
- Visibility: Know where your assets are, understand your attack surface, and regularly assess vulnerabilities. This means not only monitoring your own systems but also those of third parties.
- Preparedness: Provide ongoing training across the organisation. Everyone, from front-line staff to senior management, plays a role in identifying and reporting suspicious activity. Well-informed employees are one of the most powerful defences.
- Resilience: Accept that no system is completely immune. Build robust incident response and disaster recovery plans. Test them frequently. The goal is not just to prevent attacks, but to bounce back quickly and minimise impact when they do occur.
Government support is there - but it’s underused
The UK Government offers schemes like Cyber Essentials to help organisations, particularly SMEs, improve their baseline defences. But the uptake remains limited. Many businesses either don’t know these programmes exist or fail to see their relevance. That’s a missed opportunity.
Stronger engagement is needed, from government, industry bodies, and larger enterprises that can lead by example. Better communication, clearer incentives, and simpler onboarding processes would go a long way in increasing adoption and improving collective resilience.
Cybersecurity as a shared responsibility
The digital economy doesn’t work in isolation. Whether you’re a start-up, a charity, a public institution, or a multinational corporation, your security depends on the actions of others as much as your own. That’s why cybersecurity must be seen not just as an internal function, but as a shared responsibility across sectors.
The 2025 Cyber Security Breaches Survey is more than a collection of statistics; it’s a warning. It shows us that the threats are real, frequent, and increasingly sophisticated. But it also reveals the gaps: in leadership, in preparation, and in collaboration. If businesses continue to treat cybersecurity as a low-priority IT issue, the damage will keep mounting. Now is the time to move from discussion to decisive action.

Jonathan Lee
Jonathan Lee is a respected cybersecurity professional, strategist and thought leader, driving strategic communications and stakeholder engagement across the public and private sectors. Jonathan currently serves as Director of Cybersecurity at Trend Micro.