1st May 2026 Cyber Update: UK Survey Shows Phishing Still Owns the Breach Economy


The latest UK Cyber Security Breaches Survey arrives with a message most organisations will recognise, even if they would prefer not to. The breach economy is not being driven by sophisticated exploits or rare vulnerabilities. It continues to run on familiar weaknesses, led by phishing, inconsistent controls, and limited visibility across supplier networks.

The numbers tell a steady story. Around 43% of UK businesses and 28% of charities reported a cyber incident in the past year, representing more than 600,000 organisations. While that figure has edged down from previous peaks, it has not improved enough to suggest that risk is being meaningfully reduced. Instead, cyber exposure appears to be settling into a persistent baseline.

Phishing remains the most reliable entry point. It was reported by 38% of businesses and sits behind the vast majority of breaches. In practical terms, attackers are succeeding not because they are technically advanced, but because they are consistently able to exploit trust, identity, and routine workflows. Email remains one of the most effective attack surfaces in the modern enterprise.

Pressure is particularly visible in the education sector, where breach rates are now exceptionally high. Secondary schools, colleges, and universities are dealing with frequent incidents rather than isolated events. These environments combine large user populations, decentralised access, and a wide mix of systems and partners, making them especially vulnerable to repeated phishing attempts and credential compromise.

The Numbers That Matter

| Indicator | 2025/2026 Finding | Why it matters |
|---|---|---|
| Businesses reporting any breach or attack | 43% | The national breach rate remains stubbornly high rather than exceptional. |
| Charities reporting any breach or attack | 28% | Smaller, trust-based organisations remain exposed despite fewer resources. |
| Estimated UK businesses affected | 612,000 | Cyber risk is a mainstream operational issue, not a niche technology problem. |
| Businesses experiencing phishing | 38% | Phishing remains the most common entry point and should still dominate control testing. |
| Charities experiencing phishing | 25% | Social engineering continues to scale across resource-constrained sectors. |
| Businesses reporting ransomware | 1% | Ransomware prevalence is lower in the survey, but impact remains concentrated when it lands. |
| Businesses affected by cyber-facilitated fraud | 3% | Fraud linked to cyber incidents remains a direct financial-risk channel. |

Phishing: still the loudest alarm

The latest UK Cyber Security Breaches Survey is blunt about where the real pressure sits. It finds that phishing remains the most common and most disruptive incident type, with 38% of businesses and 25% of charities reporting phishing attacks in the past 12 months, according to the official 2025/2026 release. Among organisations that experienced any kind of breach or attack, phishing dominates even more clearly, with around 85% of affected businesses and 86% of affected charities saying it was involved, based on analysis of the same survey data. In practical terms, most real‑world incidents are still starting with a lure in an inbox rather than a sophisticated exploit against a hardened system.

For leadership teams, that should narrow the conversation rather than dilute it. If phishing is doing most of the work, then awareness training, identity controls, help‑desk verification, multifactor authentication and meaningful email‑security telemetry are not optional extras; they are the front line, as consistently highlighted in the UK Government’s reporting. The survey also notes that a growing share of organisations are experiencing phishing as their only breach type, rising for both businesses and charities, which underlines how often attackers do not need anything more advanced once they can reliably persuade someone to click.

Why it matters

Taken on its own, phishing can sound like background noise, an irritant to be managed rather than a strategic issue. The survey data suggests something very different. It shows a threat that is ordinary and central at the same time: widespread across sectors, closely tied to everyday workflows, and still effective against organisations that believe they have the basics in place. When close to nine in ten affected organisations report that phishing formed part of their breach story, it becomes difficult for any board to argue this is a marginal risk.

This is why the findings deserve to be read as a leadership test, not just another set of technical statistics. The real question is no longer whether phishing risk is understood, but whether its success rate is falling in a measurable way year on year. If that answer is unclear, the survey’s numbers strongly suggest the organisation is standing still while attackers continue to rely on the same, very human entry point into systems and supply chains.

