Spring has sprung, and Easter has just passed. That can only mean one thing: the Department for Science, Innovation & Technology’s (DSIT) Cyber Security Breaches Survey 2025 has arrived.
If you’re unfamiliar with it, the annual report acts as a barometer of the UK’s cyber resilience. It outlines what UK organisations are doing to protect themselves, levels of cyber knowledge, common threats, the costs of breaches, and much more besides. However, it is also a very long report. So, as in previous years, we’ve pulled together the key takeaways for you.
1. Cyber breaches fall
Let’s begin with some good news. Just over four in ten businesses (43%) and around a third of charities (30%) reported having experienced any kind of cybersecurity breach or attack in the last 12 months. This works out at around 612,000 businesses and 61,000 charities.
This represents a fall from the 2024 edition, where 50% (or 718,000) of businesses experienced a breach or attack. The figures are still higher than 2022 (39%), but it’s the first time in a few years that we’ve seen a decline rather than an increase.
The decrease is primarily driven by fewer micro and small businesses identifying phishing attacks (35% of micro businesses down from 40% in 2024 and 42% of small businesses down from 49% in 2024). However, breaches in medium and large businesses remain very high (67% medium and 74% large) with little change from 2024.
It’s hard to know what to make of this. On the one hand, it’s entirely possible that SMEs are simply reporting phishing attacks less often (because they’re so common), rather than that attacks have genuinely declined. On the other hand, it could be an early indication that cybercriminals have redoubled their attacks on larger businesses.
2. Phishing remains the most common (and disruptive) cyber threat
Phishing scams have been by far the most common cyber threat faced by UK organisations for several years now. Unsurprisingly, 2025 is no different. 85% of businesses and 86% of charities experienced at least one phishing attack in the last year.
Organisations see phishing scams as the most disruptive threat partly because of the sheer volume of attacks and the time needed to investigate and address each one. More interestingly, most businesses also recognised the importance of employee training in combating the threat.
The interviews cited in the report also reveal that businesses of all sizes are increasingly worried about the growing sophistication of phishing attacks. In particular, many organisations mentioned AI impersonation as a threat they felt fearful of.
3. Ransomware attacks on the rise?
DSIT reports a significant growth in ransomware incidents in the last year. Just over 1% of businesses experienced an attack, compared to less than 0.5% in the 2024 edition of the survey. What’s interesting is that, despite the increase in ransomware attacks, several sources are reporting a global decline in the prevalence of ransomware payments.
For example, CyberEdge Group’s 2025 Cyberthreat Defense Report reveals that only 41% of targeted organisations chose to pay out last year, a drastic fall from 63% three years ago. Likewise, the Data Security Incident Response Report from US law firm BakerHostetler suggests fewer attacks and lower ransom payments than in previous years.
Could we be seeing the last days of ransomware’s prevalence as a cybercrime tactic, as more and more organisations refuse to pay and governments (including the UK) actively discourage it?
4. Small businesses get serious about supply chains
Although the proportion of businesses conducting supplier risk assessments (29%) has remained relatively flat (31% in 2024), we’ve seen a significant increase among SMEs. 48% of small businesses carried out a risk assessment covering cybersecurity, up 7% from 2024. While, in an ideal world, the figure would be higher, this represents real progress in small businesses’ awareness of supply chain threats.
5. Small businesses’ cyber hygiene is improving
Most encouragingly, there’s evidence of real improvements in the cyber readiness and hygiene of the UK’s small businesses. All of the following areas saw significant increases in this year’s survey:
- Cyber security risk assessments (48%, up from 41%)
- Cyber insurance coverage (62%, up from 49%)
- Formal cyber security policies (59%, up from 51%)
- Business continuity plans addressing cyber risks (53%, up from 44%)
This appears to indicate a real sea change in small businesses’ perceptions of cyber risk and what they need to do to manage it. In previous years, small businesses have typically been weak on measures like cyber insurance and formal policies and continuity plans. However, these figures demonstrate that SMEs are beginning to take cybersecurity much more seriously.
6. The financial impact of cyber breaches increases
Although it’s not a marked change, the average total cost of a business’s most disruptive breach increased this year. Among those businesses that were breached but with no outcome, the figure for this year is £1,600 (up from £1,205 in 2024).
It’s a similar, if slightly more expensive, story for those businesses that experienced a breach with an outcome. For these businesses, the average cost was £8,260, up from £6,940 last year.
It’s hard to gauge exactly what’s behind this rise. The costs are self-reported, so it’s possible that they’re within the normal range of difference we’d expect to see year-to-year. However, it’s also possible that it demonstrates a larger trend of breaches growing more disruptive.
7. Most businesses have the basics in place
Another real point of encouragement in this year’s survey is the widespread adoption of basic technical controls. Most businesses and charities have implemented basic cyber controls, including:
- Network firewalls (72% of businesses and 49% of charities)
- Backing up data securely via a cloud service (71% of businesses and 58% of charities)
- Restricted admin rights (68% of businesses and 68% of charities)
- Updated malware protection (77% of businesses and 64% of charities)
- Password policies (73% of businesses and 57% of charities)
However, there’s definitely room for improvement. The adoption of more advanced controls like multi-factor authentication (40% of businesses and 35% of charities), a virtual private network for staff connecting remotely (31% of businesses and 20% of charities), and user monitoring (30% of businesses and 31% of charities) remains low.
Likewise, although cybersecurity training and awareness activities are pretty widespread in large businesses (76%), few medium, small and micro businesses are offering it to staff. Just 19% of all businesses have some sort of training or awareness programme in place.
8. Governance and certifications are a mixed bag
The good news is that cybersecurity is a high priority for the majority of organisations (72% of businesses, 68% of charities), much the same as in previous years. However, a trend is emerging in who is responsible for cybersecurity. Board-level responsibility for cybersecurity seems to be on a gradual decline since its high of 38% of organisations in 2021 (it’s 27% in 2025).
This could mean that organisations are increasingly hiring specialists to manage security. Alternatively, it could be that boards are increasingly delegating the responsibility to subordinates who’ve gained greater cyber knowledge. At this point, we don’t know for sure, but it’s certainly a trend worth watching.
Finally, while businesses appear to be prioritising cybersecurity like never before, awareness of NCSC campaigns and accreditations like Cyber Essentials is declining.
For example, awareness of the NCSC’s Cyber Aware campaign has declined since 2021 (when 34% of businesses and 38% of charities were aware of it). Likewise, just 12% of businesses and 15% of charities are aware of Cyber Essentials.
What can we do in 2025?
It’s clear that, while there are plenty of positives to take from this year’s Cyber Security Breaches Survey, we in the cybersecurity community have some work to do. So, what should we prioritise in 2025? Here are our suggestions for Managed Service Providers, resellers, cybersecurity specialists and anyone else involved in the sector:
- Enhance our outreach and education for micro and small businesses, in particular, focusing on the importance of phishing awareness, security training, and advanced technical controls like MFA
- Develop our own solutions and threat awareness resources to counter the rise of malicious AI use
- Encourage organisations to formalise cybersecurity responsibilities at the board level
- Promote the integration of cyber risk considerations in software procurement
- Highlight the importance and accessibility of Cyber Essentials and government guidelines to improve baseline cybersecurity practices
Did you know 59% of SMEs provide no mobile cybersecurity training to staff? Find out why this is a problem and what to do about it in our SME Mobile Threat Report.