The Cyber Security Breaches Survey 2025, commissioned by the UK Government, provides critical insight into how organisations are adapting to the evolving cyber threat landscape. While some headline figures show modest improvements, such as a reduction in the proportion of businesses experiencing breaches, underlying issues remain, particularly in relation to supply chain vulnerabilities and increasingly sophisticated attack methods.
According to the survey, 43% of UK businesses and 30% of charities reported experiencing at least one cyber security breach or attack in the past 12 months. This represents a notable decline from 2024 (50% of businesses), equating to approximately 612,000 businesses and 61,000 charities affected in the last year.
However, this reduction is largely attributable to fewer phishing incidents among micro and small businesses. Among larger organisations, cyber threats remain highly prevalent: 67% of medium and 74% of large businesses reported breaches, consistent with previous years. Phishing remains the most common form of attack, affecting 85% of businesses and 86% of charities.
One of the more concerning developments in 2025 has been the increase in ransomware attacks. The percentage of businesses reporting ransomware incidents doubled from under 0.5% in 2024 to 1% in 2025, affecting an estimated 19,000 UK companies. Though still a relatively small proportion, the increase suggests a growing willingness by threat actors to deploy high-impact, disruptive tactics.
This rise coincides with other signs of operational disruption. Businesses reporting temporary loss of access to files or networks rose from 4% to 7% in the last year. Charities also experienced an increase in third-party service outages (5%, up from 1%), pointing to the broader implications of attacks that affect external providers.
Despite long-standing awareness of third-party risk, the survey found that relatively few organisations have formal processes to assess cyber security threats within their supply chains. Only 14% of businesses review the risks posed by immediate suppliers, and just 7% examine their broader supply chain. These numbers drop further among micro (11%) and small (21%) businesses.
In contrast, larger businesses are more likely to engage in such assessments: 32% of medium and 45% of large organisations do so, likely due to more complex supplier networks and regulatory obligations.
The survey underscores a growing concern: while suppliers often hold sensitive data or have access to internal systems, many organisations lack the visibility and governance necessary to manage these relationships securely. The risks include compromised credentials, malware propagation, and indirect breaches through shared platforms.
Financial impacts remain significant. The average cost of the most disruptive breach reported by businesses in 2025 was £1,600, rising to £3,550 when excluding organisations that reported a £0 cost. For charities, the average was £3,240 (or £8,690 excluding £0 responses), with outlier cases dramatically increasing reported figures, such as one charity reporting losses of £350,000 from a single incident.
Beyond direct financial losses, breaches continue to absorb staff time and affect operational continuity. In larger organisations, the cost of lost productivity and long-term recovery efforts can match or exceed the initial impact of the breach itself.
While cyber security is increasingly seen as a board-level priority (72% of businesses and 68% of charities said it is high on their management agenda), preparedness still varies widely across sectors and sizes.
Notably, the percentage of small businesses conducting cyber risk assessments has increased from 41% to 48%, and uptake of cyber insurance has grown to 62% (up from 49%). The presence of formal cyber security policies and business continuity planning is also trending upward.
However, only 49% of businesses overall reported having implemented at least one advanced cyber defence activity, such as penetration testing or continuous monitoring, indicating that many organisations still take a reactive rather than proactive approach.
Accreditation schemes such as Cyber Essentials and ISO 27001 are gaining traction, particularly among medium and large businesses. Many cited client demands, board expectations, and stakeholder assurance as driving factors. While the standards offer structured guidance for building cyber resilience, the survey suggests that certification alone is not sufficient, especially when supplier risks remain unmonitored.
In light of these findings, organisations must reassess not just their internal defences but also the supply chains in which they operate. Threats do not respect organisational boundaries, and as supply chains grow, the potential attack surface expands.
Pervade Software delivers the solutions needed to close this gap. Our technology enables organisations to monitor cyber risks across their supply chain, uphold compliance with standards, and achieve a comprehensive view of their overall cyber security posture. As breaches grow increasingly sophisticated, the capability to detect, respond, and report accurately, both internally and with third parties, has become essential rather than optional.
Our software solutions can be used as a standalone software product or as the basis for launching your own services. Below are examples of some of the projects which our solutions help to enable.
OpView™ is used to enable this excellent free monitoring and vulnerability scanning service delivered by UK Police Forces.
OpAudit™ is used to enable the online assessment of applications for the Cyber Essentials Certification throughout the UK.