News Reaction: UK Cyber Security Breaches Survey 2025/2026 shows persistent risk and gaps in readiness

May 2026: Yesterday, 30 April, the UK Government published its Cyber Security Breaches Survey 2025/2026. These annual official statistics examine the cost, prevalence and impact of cyber breaches and attacks on UK businesses, charities and educational institutions to inform government policy on cyber security.  

Chris Brown, SVP UK Market Leader at NCC Group, comments: 

"The Breaches Survey shows that cyber risk remains widespread and increasingly complex. While headline breach levels may have stabilised, the underlying picture is being driven by persistent weaknesses in supply chain assurance and the rapid adoption of AI without adequate security and governance. 

Organisations are more interconnected than ever, which means resilience can no longer stop at the edge of the business. Boards are starting to engage more seriously with cyber risk, but the priority now must be closing the gap between awareness and action, strengthening oversight of third parties, embedding AI security by design, and ensuring incident response plans are tested, not theoretical."

The latest findings show that cyber risk remains a persistent issue for UK organisations. Just over four in ten businesses (43%) and around three in ten charities (28%) reported experiencing a cyber security breach or attack in the last 12 months. The survey also notes that this is likely to underestimate the true scale of the problem, as it only captures incidents organisations were able to identify and willing to report.  

The survey’s new findings on AI also suggest that adoption is beginning to outpace security readiness. The results show that AI use is growing across businesses and charities, but only around a quarter of organisations already using, adopting or considering AI say they have security practices in place to manage the risks. 

Phishing remains the most common and disruptive threat, affecting 38% of businesses and 25% of charities, while more serious business impacts are becoming more visible. Among businesses, reported loss of revenue or share value had a year-on-year rise from 2% to 5%, and reputational damage from 1% to 3%. At the same time, formal preparedness still lags behind the scale of the threat, with only 25% of businesses having a formal incident response plan, and just 15% formally reviewing the cyber risks posed by immediate suppliers, falling to 6% for the wider supply chain.  

These findings echo concerns NCC Group has already raised in our own threat intelligence and supply chain research, including the growing role of AI in making phishing more convincing and the continued gap between organisations’ confidence in suppliers and the level of real scrutiny applied to supplier risk.