
How seriously does your Business take its Cybersecurity?

The Cybersecurity Breaches Survey for 2025 was published at the beginning of April. The survey is a research study on UK cyber resilience, commissioned by the Department of Science, Innovation and Technology and the Home Office. Aimed at making the UK’s cyberspace a secure place to do business, the report highlights trends, approaches to risk management, the prevalence of breaches, incident response, and the evolving threat of cybercrime.

You can read the full survey here.

We’ve selected key insights to highlight, with specific reference to small businesses. We’ve commented where Cyber Essentials certification could help your employees increase their awareness of cybersecurity issues, and play a key role in protecting your organisation against the most common cyber threats.

Identifying Incidents

43% of businesses and 30% of charities reported a cybersecurity breach or attack in the last year, equating to approximately 612,000 UK businesses and 61,000 UK charities.

Of these organisations, phishing attacks remain the most prevalent and disruptive type of breach or attack (experienced by c85%), with a growing awareness that increasingly sophisticated methods, such as AI impersonation, are becoming mainstream.

Cybersecurity Measures

Small businesses showed improvement in several cyber hygiene practices, including increased uptake of cyber insurance – 62% up from 49% in 2024, and business continuity plans that address cyber security – 53% up from 44% in 2024. However, staff training and awareness-raising activities on cyber security are more prevalent in large businesses (76% compared to 19% of businesses overall).

The majority of businesses and charities have implemented basic technical controls, such as:

However, adoption of more advanced controls remains lower than other measures:

  • two-factor authentication – 40% businesses and 35% charities.
  • a virtual private network for staff connecting remotely – 31% businesses and 20% charities.

Cyber Essentials accreditation requires businesses to use these tools in order to comply with its standards, which makes it an effective safeguard for baseline cybersecurity.

In addition, Cyber Essentials includes cyber insurance with a limit of indemnity at £25,000, which could be used for crisis management and incident response. A 24-hour helpline is available to provide this support.

For details of the Policy, please see our previous blog.

Risk Management and Supply Chains

Small businesses have seen a significant increase in those carrying out risk assessments covering cybersecurity – 48% in 2025, up from 41% in 2024.

Relatively few businesses or charities were taking steps to formally review the risks posed by their immediate suppliers and wider supply chain. Only 14% of businesses said they reviewed the risks posed by their immediate suppliers, and 7% were looking at their wider supply chain.

Business-to-business assurance is becoming vital to winning new business within a supply chain, with more contracts mandating cybersecurity. To simplify this process, many contracts are simply mandating a recognised security certification, such as Cyber Essentials.

Cyber Accreditations and Official Guidance

The overall proportion of organisations seeking external information or guidance on cyber security remained stable – 42% of businesses and 37% of charities.

Cyber Aware is the most commonly recognised government communications initiative – 24% of businesses and 26% of charities, but there has been a steady decline in awareness of the campaign since 2022. Awareness of the 10 Steps and Cyber Essentials was lower still. Limited awareness was particularly notable among micro businesses, with 22% aware of Cyber Aware and 9% aware of Cyber Essentials.

Incident Response

Small businesses showed a significant increase in implementing various incident response measures compared to 2024, including guidance on internal reporting – 55% compared to 48% in 2024, external communication plans – 29% compared to 21% in 2024, and guidance on external reporting – 48% compared to 41% in 2024.

Additional staff training or communications emerged as the most common preventative measure adopted following a breach – 32% of businesses and 38% of charities.

Cybercrime

Not all cyber security breaches and attacks are classified as cybercrimes under the Computer Misuse Act 1990. Cybercrimes are those deliberately committed against organisations and are considered a subset of all breaches and attacks.

The survey estimated that 20% of businesses and 14% of charities have been victims of at least one cybercrime in the past year, accounting for approximately 283,000 businesses and 29,000 charities.

Whilst the prevalence of cybercrime overall remained static, the prevalence of ransomware among businesses significantly increased during 2024-25, from < 0.5% in 2024 to 1% in 2025, equating to c19,000 businesses.

Phishing remained the most common type of cybercrime, accounting for 93% of crimes committed against businesses and 95% committed against charities. Businesses that were victims of cybercrime experienced an average of 30 cybercrimes in the last year.

How we can help at Comprendo

We recognise that protecting your business against cyber threats can seem a daunting task. We offer all types of cybersecurity solutions, from email filtering, password management and simulated phishing training, to helping you secure Cyber Essentials accreditation and monitoring your critical systems 24/7/365.

We offer a FREE 2-hour Security Audit of your IT systems, which you can also use to discuss any areas of your IT strategy.

Try us out and book your Security Audit at info@comprendo.co.uk, or

Tel. 0345 527 4394 to get the advice you need from our knowledgeable support team.

At Comprendo, we provide customer-focused IT services, solutions and support to businesses throughout North and West Yorkshire, Lancashire and beyond, including Leeds, Bradford, Harrogate, York, Preston and Manchester. Looking to outsource your IT or review your cyber security? We look forward to hearing from you.
