The proportion of businesses in the UK reporting cyber attacks and data breaches has dropped from 50% to 43% in the last year. A government study has attributed this to the “observed strengthening of cyber hygiene among small businesses.”
The prevalence of cyber crime overall among UK businesses and charities of all sizes has remained consistent year-over-year, according to a recent government study. Phishing also remained the most common type of cyber crime, attack, or breach among organisations in the UK. Only 680,000 of the 8.58 million cyber crimes experienced by businesses were not categorised as phishing. Nevertheless, ransomware attacks in the UK have doubled from 0.5% of businesses experiencing them in 2024 to 1% in 2025.
The results were published in the cyber breaches survey by the Department for Science, Innovation and Technology and Home Office. Its findings were based on responses from 180 businesses and 1,081 charities between August and December 2024.
UK’s cyber crime stats by company size
While the prevalence of cyber incidents among medium and large businesses has remained relatively consistent at around 67% and 74% respectively, the number of phishing attacks among micro and small businesses has declined markedly.
In 2024, 49% of small businesses and 40% of micro-businesses reported phishing attacks, but these figures dropped to 42% and 35% in 2025. The study found that they are increasingly adopting cyber security risk assessments, cyber insurance, cyber security policies, and business continuity plans.
Government data also showed that the larger the organisation, the more likely they are to experience cyber crime, which constitutes a subset of all breaches and attacks. Naturally. attackers are looking for a big payday, and they are less likely to get one from smaller firms with limited assets or lower-data value.
SEE: UK Announces ‘World-First’ Cyber Code of Practice
Cyber budgets now pitched to boards with fewer in-house experts
The government survey made an interesting observation when it came to who takes responsibility for cyber security in UK organisations. Only 27% have a cyber specialist on their board of directors, marking a significant decline since 2021 when that same figure was 38%.
This means that many technical teams must now present to non-specialists on the board to request more cyber investment. An IT and Digital Services Manager at an unnamed charity said in an interview as part of the research that their board is “very involved” and does not give them “full autonomy.”
“We need to have a constant dialogue about what we’re doing, this is why we’re doing it,” they said. A cyber architect also said that “nothing gets approval” at their medium-sized company without first making a pitch to the board, outlining the exact use case and its business impact.
