Breach prevalence is falling. Business impact is rising. AI adoption is outpacing AI security.
You already know the threats exist. What the NCSC Cyber Security Breaches Survey 2025/2026 gives you is the data to contextualise it, benchmark your organisation against it, and make the case for action where it is needed most. Published 30 April 2026 by DSIT and the Home Office, here is an honest read of what the survey shows, where things have genuinely improved, and where the gaps still matter.
Breach Prevalence: a Positive Trend, With An Important Caveat
Breach prevalence has been moving in the right direction. It fell significantly from 50% in 2023/2024 to 43% in 2024/2025, and has held at 43% this year. That is worth acknowledging.
The caveat is in the impact data. Among organisations that did experience a breach, the consequences are becoming more serious:
- Loss of revenue or share value rose from 2% to 5% year on year
- Reputational damage rose from 1% to 3%
- 69% of breached organisations identified phishing as their most disruptive incident
Phishing remained the most prevalent threat by a significant margin, with 38% of businesses and 25% of charities experiencing it. The survey’s qualitative interviews noted that respondents perceived phishing attacks as becoming easier to execute, contributing to what they felt was an increase in attack volumes. The proportion of breached businesses experiencing phishing as their only attack type rose from 45% to 51%.
There is one positive data point in this section worth noting: ransomware attacks among businesses declined from 3% in each of the previous two years to 1% this year. That is a meaningful reduction, even if the overall threat picture remains challenging.
The practical takeaway: fewer organisations are getting breached than two years ago, which is a positive direction. But for those that are hit, the business impact is growing. If your board is still treating this as an IT issue rather than a business risk, the impact figures above are the conversation that needs to happen.
Supply Chain Risk Is The Gap No One Has Closed
Only 15% of businesses formally reviewed the cyber risks posed by their immediate suppliers. Just 6% looked at their wider supply chain.
For medium and large businesses those figures rise, with around a third of medium businesses and nearly half of large businesses reviewing immediate supplier risk, but even those numbers are low given the regulatory direction of travel. The pending Cyber Security and Resilience Bill is expected to mandate supplier assurance, and organisations not yet doing this are both exposed now and unprepared for what is coming.
The data is straightforward: the majority of UK businesses have no formal view of the risk their suppliers introduce. If you have not mapped your third-party risk exposure, that is the gap to address first.
AI Adoption Is Outpacing AI Security
Around a third of businesses said they are using, adopting, or actively considering AI. Of that group, only 24% have cyber security practices in place to manage the risks it introduces.
The survey’s qualitative findings add important context: respondents perceived that AI had made phishing attacks easier to execute and harder to detect. That perception, combined with the low rate of AI security readiness, creates a specific question for security leaders whose organisations are adopting AI tools:
- Which AI tools are being used across the organisation, and by whom?
- What data are those tools accessing or processing?
- Do existing controls (MFA, access management, monitoring) extend to AI-connected systems?
The survey does not prescribe answers, but the gap between adoption rate and security readiness is clear. It is worth establishing where your organisation sits before that gap widens further.
Basic Controls: A Reasonable Baseline, With Notable Gaps
Most businesses have core hygiene measures in place:
- Updated malware protection: 81%
- Secure cloud backups: 74%
- Password policies: 74%
- Network firewalls: 74%
- Restricted admin rights: 73%
But adoption of some controls is significantly lower.
Only 47% of businesses have adopted multi-factor authentication, and from April 2026, Cyber Essentials v3.3 requires MFA on all cloud services.
Only 5% of businesses hold Cyber Essentials certification, up from 3% last year. Just 24% have all five technical controls the scheme requires.
For organisations working toward certification, or those with insurance renewals approaching, the MFA gap is the most pressing item. Cyber insurers are already tightening MFA requirements as a condition of cover.
Incident Response Planning: Most Organisations Are Underprepared
Only 25% of businesses and 19% of charities have a formal incident response plan. The survey notes that a minority of those test their plans in any structured way.
Following a breach or attack, 61% of businesses and 57% of charities reported taking some action to prevent future incidents, most commonly people or training changes. That is a reactive posture. The survey data points to a gap between experiencing an incident and having a structured, pre-tested plan for managing one.
For organisations in the 75% without a formal plan, the practical question is straightforward: if an incident occurred tomorrow, who does what, in what order, and who has the authority to make decisions? A plan that has not been tested under realistic conditions is unlikely to hold up when it is needed most.
What The Survey Means For Security Leaders
The report’s conclusions are measured. Board-level ownership of cyber security sits at 31% of businesses. Staff training activity has been flat among businesses for two consecutive years. Supply chain risk review remains low across all business sizes.
The organisations that are making progress are those treating cyber security as an ongoing operational discipline rather than a periodic compliance exercise. Based on the survey’s findings, the priorities are clear:
- Close the MFA gap: it is now a Cyber Essentials requirement and an insurer expectation
- Extend risk assessment to include supply chain exposure, not just internal controls
- Build AI security practices in parallel with AI adoption, not after it
- Test incident response plans against realistic scenarios, not just document them
- Bring board-level conversations to the level of business risk, not IT reporting
The 2025/2026 survey is a useful benchmark. The Cyber Security and Resilience Bill is moving, the insurance market is tightening, and the cost of acting now is lower than the cost of acting after an incident.
If you want to understand where your organisation sits against the survey’s key benchmarks, across technical controls, supply chain risk, and incident readiness, our Cyber Maturity Assessment gives you a structured picture. For organisations working toward Cyber Essentials certification, our team can support the full process. And if you want to test whether your incident response plan would hold up under real pressure, our Red Teaming and Penetration Testing services are designed for exactly that.
