Cybersecurity

612,000 UK Businesses Breached: What the 2026 Survey Means

The government's Cyber Security Breaches Survey 2025/26 counted 612,000 breached businesses, with phishing dominant and costs doubling. What small firms should actually do.

N

Nerdster Team

3 July 2026

Every year the government publishes the Cyber Security Breaches Survey, and every year it gets summarised into a scary headline and then forgotten. This year’s edition deserves better, because underneath the headline number — roughly 612,000 UK businesses identified a breach or attack in the past year — the details tell small firms exactly where to spend their next pound.

We have read it so you do not have to. Here is what actually matters.

The Numbers Worth Remembering

Three findings stand out from this year’s survey and the industry research published alongside it:

  • Phishing remains the front door. Email-based attacks are the most common type by a distance, and respondents report that AI tooling has made convincing phishing easier to produce, not harder. The badly spelled scam email is a museum piece; what lands in your finance inbox now reads like your supplier wrote it.
  • The cost of a breach is climbing sharply. Reported revenue impact has roughly doubled year on year, and separate industry research puts the average cost of a successful attack on an SME at over £25,000 — before you count the client relationships that quietly end afterwards.
  • The preparation gap is the real story. Around half of SME employees have had no security training at all, and a worrying share of small firms spend less than £100 a year on security. Meanwhile, more than a quarter of small business owners say a single serious attack could put them out of business.

Put those together and the picture is uncomfortable but clear: attacks are cheap to launch, expensive to receive, and most small firms are structurally unready — not because protection is unaffordable, but because nobody owns the problem.

Why Small Firms Are the Target Now

There is a persistent myth that attackers only care about big companies. The economics say otherwise. A criminal group choosing between one hardened bank and five hundred accountancy practices with no MFA will take the accountants every time — smaller payouts, vastly higher success rate, and the tooling is automated anyway.

London professional firms carry an extra burden: you hold other people’s sensitive data. A breached law firm or wealth manager is not just explaining itself to the ICO — it is explaining itself to every client whose files were in the blast radius.

What Actually Moves the Needle

The encouraging part of the survey, year after year, is how unglamorous the effective defences are. Firms that avoid serious breaches tend to have the same short list in place:

1. Multi-factor authentication everywhere. Not just email — the accounting platform, the CRM, the remote access. Most account-takeover attacks die here. It costs almost nothing.

2. Trained, slightly suspicious staff. Security awareness training is the highest-ROI line in the budget when half the workforce has never had any. One well-timed “this invoice looks odd” pays for years of it.

3. Patched, supported systems. Unpatched software is the other front door — which is why the Windows 10 ESU deadline this October is a security decision, not just an IT one.

4. Tested backups. Ransomware’s business model collapses when you can restore. “We have backups” and “we have restored from backups within the last quarter” are very different sentences — see our guide to backup and disaster recovery for what good looks like.

5. A framework to hang it on. Cyber Essentials covers the fundamentals above, gives you a certificate that wins tenders, and typically trims insurance premiums. For a small firm it is the single most efficient package of the survey’s own recommendations — and certification takes about four weeks when it is run properly.

Notice what is not on the list: exotic threat-hunting platforms, six-figure security operations centres, or anything with “military-grade” in the brochure. Those have their place — our MDR and SOC service exists for regulated firms that genuinely need 24/7 eyes — but the survey is blunt about where most small-business breaches actually start: an email, a password, an unpatched machine.

The Questions to Ask Yourself This Week

If you want to know where your firm stands without commissioning anything, answer these honestly:

  1. Could anyone log into your email from a new device with just a password?
  2. When did a member of staff last report a suspicious email — and did anything happen when they did?
  3. If your main file store was encrypted by ransomware tonight, how many days of work would you lose?
  4. Is every machine in the office running a supported operating system?
  5. Who, by name, is responsible for the answers above?

If question five produced a pause, that is the actual finding. Security fails in small firms not for lack of tools but because it is everyone’s job and therefore no one’s.

The Bottom Line

The 2026 survey says the same thing the 2025 one did, louder: the threat is industrialised, the victims are increasingly small, and the effective defences are boring and affordable. The gap between the two is a management decision.

If you would rather have a professional answer those five questions for you, book a free 30-minute IT assessment — we will tell you plainly where you stand, what to fix first, and what it costs. Usually less than people fear, and always less than £25,000.

cyber securitybreachesphishingsmall businessUK statistics

Related insights

Replies the same business day

Ready to fix your IT?

Book a free 30-minute IT assessment. We'll review your setup, identify risks, and show you exactly what better IT looks like.

  • 30-day rolling contracts
  • No callout fees
  • Free assessment