UK Cyber Attacks Touch 43% of Firms, Minister Calls for Immediate Action
43% of UK firms faced cyber breaches last year; the cyber security minister calls for board-level responsibility and a new resilience pledge.

TL;DR: 43% of UK companies suffered a cyber breach or attack in the past year; the cyber security minister urges board‑level action and adoption of the new Cyber Resilience Pledge.
Context

The latest UK Cyber Security Breaches Survey shows that 43% of businesses, 28% of charities and 69% of large firms reported a data breach or cyber attack during the 2025‑26 reporting period. The figure marks a slight decline from a peak of 50% the previous year but remains well above half of all organisations.
Key Facts

- Phishing remains the dominant threat, affecting 38% of firms and 25% of charities. Respondents note that phishing emails have become more sophisticated, increasing the likelihood of successful compromise.
- Ransomware incidents fell to 1% of respondents, down from 3% a year earlier, while impersonation attacks dropped to 12% from 17%.
- Revenue loss linked to cyber incidents rose to 5% of businesses, up from 2% the prior year, and reputational damage reports climbed to 3%.
- High‑profile breaches at Marks & Spencer, Co‑op Group and Jaguar Land Rover did not translate into a measurable shift in overall resilience.
- Cyber security minister Liz Lloyd wrote to CEOs of the 180 largest UK firms, urging them to sign the Cyber Resilience Pledge, which requires board‑level responsibility, enrollment in the NCSC’s free Early Warning service, and supply‑chain Cyber Essentials certification.
What It Means

The data suggest that while some attack vectors, such as ransomware, are receding, the overall threat landscape remains “widespread and significant.” Persistent phishing and rising financial impact indicate that many organisations have not translated awareness into effective defence. The minister’s push for the pledge aims to close the gap between large enterprises and SMEs by making cyber security a governance issue rather than an IT afterthought.
Mitigations – What Defenders Should Do

1. Elevate cyber risk to the board – adopt formal cyber‑risk policies and report metrics at the executive level.
2. Enroll in NCSC Early Warning – receive real‑time alerts on emerging threats, including AI‑generated phishing kits.
3. Secure supply chains – require Cyber Essentials certification from vendors and partners.
4. Patch critical vulnerabilities – prioritize CVE‑2023‑XXXXX (remote code execution in widely used VPN) and CVE‑2024‑YYYYY (privilege escalation in Microsoft Exchange) using the latest vendor patches.
5. Implement multi‑factor authentication – enforce MFA on all privileged accounts to block credential‑theft attacks.
6. Deploy anti‑phishing controls – use DMARC, DKIM and SPF to validate inbound mail, and enable AI‑driven email analysis to flag sophisticated spear‑phishing.
7. Conduct regular phishing simulations – test employee awareness and refine training based on results.
8. Back up critical data offline – ensure recoverability in case of ransomware or destructive attacks.
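Item 6 above recommends DMARC, DKIM and SPF, but the protection these give depends on how the records are configured: a DMARC policy of p=none only reports spoofing, and an SPF record ending in +all authorises any host to send as the domain. The following script is an added example written for this article, not code from the survey or the NCSC; it parses DMARC and SPF TXT records and flags weak settings. The sample records are constructed and embedded so it runs offline; in a real check they would be fetched with DNS TXT lookups for the domain and for _dmarc.<domain>.

```python
"""Assess DMARC and SPF records for settings that leave a domain spoofable.

The sample records below are constructed for illustration. In production the
TXT records would come from DNS (the domain's own TXT record for SPF and the
_dmarc.<domain> record for DMARC).
"""
from dataclasses import dataclass

# Constructed sample records: a weak and a hardened version of each.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
WEAK_SPF = "v=spf1 include:_spf.example.com +all"
STRONG_SPF = "v=spf1 include:_spf.example.com -all"

SEVERITY_RANK = {"ok": 0, "low": 1, "medium": 2, "high": 3}

# SPF terms that trigger a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class PolicyFinding:
    record: str    # "DMARC" or "SPF"
    severity: str  # one of SEVERITY_RANK's keys
    message: str


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a lower-cased tag -> value mapping."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> list:
    """Return findings for a DMARC record; p=none and partial pct are the common gaps."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return [PolicyFinding("DMARC", "high", "missing or malformed DMARC1 record")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(PolicyFinding("DMARC", "high",
                        "p=none: failures are only reported, spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(PolicyFinding("DMARC", "medium",
                        "p=quarantine: move to p=reject once reports show legitimate mail aligns"))
    elif policy == "reject":
        findings.append(PolicyFinding("DMARC", "ok", "p=reject: non-aligned mail is rejected"))
    else:
        findings.append(PolicyFinding("DMARC", "high", f"unknown or missing policy {policy!r}"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(PolicyFinding("DMARC", "medium",
                        f"pct={pct}: policy applied to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(PolicyFinding("DMARC", "low", "no rua= address: aggregate reports not collected"))
    return findings


def assess_spf(txt: str) -> list:
    """Return findings for an SPF record; the terminal 'all' qualifier decides most of it."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [PolicyFinding("SPF", "high", "missing or malformed spf1 record")]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append(PolicyFinding("SPF", "high", "+all: any host may send as this domain"))
    elif last == "?all":
        findings.append(PolicyFinding("SPF", "high", "?all: neutral result, SPF gives no protection"))
    elif last == "~all":
        findings.append(PolicyFinding("SPF", "low", "~all: softfail; acceptable when DMARC enforces"))
    elif last == "-all":
        findings.append(PolicyFinding("SPF", "ok", "-all: unauthorised senders hard-fail"))
    else:
        findings.append(PolicyFinding("SPF", "medium", "no terminal all: unlisted hosts get neutral"))
    # Count lookup-causing terms: strip the qualifier, then cut at ':', '/' or '='.
    lookups = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").lower()
        for sep in (":", "/", "="):
            name = name.split(sep, 1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(PolicyFinding("SPF", "high", f"{lookups} DNS lookups exceeds the limit of 10 (permerror)"))
    return findings


def worst_severity(findings: list) -> str:
    """Collapse a list of findings to the single highest severity."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="ok")


if __name__ == "__main__":
    for label, record, checker in (("weak DMARC", WEAK_DMARC, assess_dmarc),
                                    ("strong DMARC", STRONG_DMARC, assess_dmarc),
                                    ("weak SPF", WEAK_SPF, assess_spf),
                                    ("strong SPF", STRONG_SPF, assess_spf)):
        findings = checker(record)
        print(f"{label}: {worst_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

The checker deliberately treats p=none as a high-severity gap even though the record is syntactically valid, since that is the state many domains stop at after enabling reporting; the low rating for ~all reflects that DMARC alignment, not the SPF qualifier, is what blocks delivery once p=reject is in place.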
Looking Ahead

Watch for the rollout of the Cyber Resilience Pledge later this year and for updated NCSC guidance on AI‑enabled threats, which could reshape phishing tactics and detection requirements.