Business & Technology

UK cyber survey criticised over AI threat blindness

The Department for Science, Innovation and Technology has published the latest Cyber Security Breaches Survey 2025/2026. Security specialists have questioned whether the government’s approach and business responses match the scale of AI-driven threats.

The annual survey tracks how UK businesses and charities experience and manage cyber incidents. It reports relatively stable headline breach numbers, persistent phishing threats, and a continued emphasis on policy documents, training, and certification.

Several industry figures argue that this apparent stability masks a decline in real-world resilience. They highlight AI’s growing role in both attacks and defence, and point to gaps in funding, incident response, and day-to-day security practice, particularly among smaller organisations.

Merlin Gillespie, Chief Technology Officer at Cybanetix, argued that the survey framework no longer reflects the threat landscape.

“The Cyber Security Breaches Survey is fundamentally flawed because the government is measuring the wrong things. Why? Because it props up a cyber policy that doesn’t fund resilience. The survey shows the same information every year because the policy shaping it hasn’t changed in line with the problem. Attacks are getting cheaper, faster, and more sophisticated, in no small part because they’re AI-assisted. Defences aren’t keeping pace because businesses are being asked to build them voluntarily, without funding, while outcomes are measured through paperwork rather than real-world results. Cyber security is being treated as a private-sector hygiene issue rather than a nationwide public risk. CISOs are exhausted, not because they don’t know what to do technically, but because they’re overwhelmed by risk, compliance, the audit treadmill, and supplier questionnaires.”

“UK cyber policy has turned CISOs into paperwork administrators, and they’re in a doom spiral. Until the government moves from policy to incentives, and recognises technical changes that can move the dial rather than mandating compliance documents that bury teams, every successive survey will show defences eroding. Every year the government’s answer is to encourage more certifications, more training, and more awareness. Microsoft says AI is being used at every stage of the cyber kill chain, but the survey barely mentions it. The attack surface is changing beneath our feet, and everyone is trying to catch up with last year’s paperwork while worrying about the latest novel attack that the average CISO probably has no coverage against and no detections to identify. Phishing remains a top attack, not because defenders are lazy, but because attackers are evolving it faster than policy can adapt. OSINT-driven, multi-channel attacks using email, WhatsApp, and voice are growing.”

“AI-generated content can capture and repurpose real voice and video so instructions appear to come from a real colleague. Meanwhile, we’re being asked to combat it with questionnaires and multiple-choice tests. Incident response should be the headline of the survey, yet it is traditionally buried near the bottom. It consistently shows that most UK businesses have no incident response plan and little guidance on when to escalate an incident externally. As a result, the typical UK business is improvising mid-breach. And in the minority of cases where businesses do take action, it is through training, which doesn’t appear to be working. This is like trying to address a disease when a preventative vaccine would be more efficient. We need to use fiscal levers and provide solutions that work, foster the economy, and strengthen UK businesses, rather than drowning them in overheads and hindsight. The UK government spends £30 million supporting SMEs, which means those businesses are effectively fighting digital terrorists with enough money to buy a bag of chips.”

“The UK cyber sector generated £13.2 billion in revenue last year but attracted under £200 million in venture investment. By comparison, Israeli tech raised $12.2 billion in 2024, up 31% from the year before, with investment heavily concentrated in cyber and backed by stackable R&D grants worth up to $3.3 million per startup and a preferred corporation tax rate of 7.5% versus the UK’s 25%. If we underfund the buyer, starve the sellers, and bury businesses in paperwork with limited demonstrable impact, is it any wonder we have no answer to attackers using Mythos-class game-changing technology? If the government is serious about digital sovereignty and protecting its citizens, it needs fiscal incentives at both ends of the loop: tax credits for UK businesses investing in genuine cyber defence, and R&D grants and preferred tax treatment for UK cyber firms that build and retain their IP in the UK while serving UK citizens.”

Jon Fielding, Managing Director for EMEA at Apricorn, focused on how smaller organisations implement basic controls. He pointed to persistent weaknesses in staff education, device security, and backup strategies.

“Staff training continues to be a low priority among SMEs, with a third carrying out sessions compared with 84% of large organisations. As a result, the user remains the weakest link, and those users are becoming even more vulnerable as attacks are crafted and refined by AI. Phishing and social engineering attacks are now far more sophisticated and harder to spot, making it vital that employees know how to report suspicious communications. They also need guidance on how to report rogue AI. The syntactic nature of AI means it can change and morph over time, and that could make it the ultimate insider threat,” said Fielding.

“There is still a consistent failure to secure mobile technology, even when it belongs to the business. While 61% insist on on-device security, the needle has barely moved over the past five years. That keeps risk unnecessarily high in a world where mobile and hybrid working are now commonplace. These devices are much easier to compromise outside the office, so businesses should secure everything from mobile phones to laptops and portable storage media,” he added.

“Cyber criminals are increasingly targeting not the data itself but the backups. They know backups contain sensitive data, and by compromising them they can block recovery and hamstring the business, giving them maximum leverage. Another problem revealed by the survey is that wholesale backup of data to the cloud has created a single dependency. Only 48% are backing up data by other means, down from 55% in 2024, and that decline means fewer options when, not if, a business is attacked. The long-standing advice was to keep multiple backups on different media and in different locations, but that has since evolved. Best practice is now the 3-2-1-1-0 rule: three copies of data on two different media, one stored encrypted and offline, at least one backup immutable, and recovery regularly tested to ensure zero errors. Testing recovery is crucial because close to a third of businesses have previously reported that they could not fully recover their data,” Fielding said.

“There continues to be a grey area between corporate and personal device security when it comes to acceptable use. While 84% set rules for how staff can use business-issued devices, only 58% cover personal device use. Yet the vast majority of hybrid workers routinely use personal devices for work, and in our own annual survey the majority, 61%, said they expect those workers to put them at risk of a data breach. So even though remote or mobile working is now routinely included in security policies, there is little follow-through in how it is implemented and enforced. A key example is the use of removable storage such as USBs, which this section of the workforce is highly likely to use. The survey found only 64% stipulate what can be stored on such devices, which suggests that almost half of the mobile workforce is free to move data around on any type of USB stick. That is why policies must set out where and how data can be stored, and why it is sensible to specify the level of on-device security these storage devices should have,” he said.

“UK businesses continue to lag in their approach to cyber security. There is a tendency to put all their eggs in one basket, whether that basket is the cloud or a backup solution, and that increases risk. By taking a more distributed approach, businesses can dilute that risk. At the same time, organisations need to be more prescriptive about what they expect employees to do. Guidance on reporting suspicious communications, using on-device security, and backing up data is badly needed because the hybrid workforce remains largely adrift and is being circled by AI. The picture is further complicated by new threats on the horizon. For instance, digital twinning, where AI adopts the working practices of a human user and performs actions on their behalf, adds another layer between the user and the data. While such advances may increase productivity, they are also likely to make it much harder to safeguard users and corporate data,” Fielding added.

Dan Lattimer, Vice President for EMEA at Semperis, highlighted the gap between preventive controls and structured response.

“Stability in breach numbers should not be mistaken for resilience. The Cyber Security Breaches Survey 2025/2026 highlights a growing gap between prevention and preparedness. While organisations invest in controls such as restricted admin rights (73%) and backups (88%), far fewer have plans to recover their identity infrastructure after a breach. Only 25% of businesses and 19% of charities had a formal incident response plan, and only a minority had actually tested those plans. With phishing still the most disruptive threat and incident response planning still limited, organisations need to assume identity compromise will happen and prepare accordingly. Investing in identity monitoring and recovery alongside prevention is essential to reducing downtime, repeat incidents, and long-term business damage. Incident response without identity recovery is incomplete. The survey shows many organisations still have no plans to restore trust after a breach. That correlates with the increase in businesses reporting that a breach or attack led to loss of revenue or share value, because that is where the real damage begins,” Lattimer said.



CyberCube & Affinity Marketplace streamline SME cyber quotes

SOFIAH NICHOLE SALIVIO

News Editor

CyberCube has partnered with Affinity Marketplace to integrate cyber insurance quoting into a single broker workflow, targeting the SME cyber insurance market.

The partnership combines Affinity Marketplace’s quoting process with CyberCube’s Broking Manager software, which provides information on a client’s cyber risk profile. The integrated setup is designed to help brokers discuss financial exposure and compare risk transfer options without leaving the same system.

SME cyber insurance has been held back by a lack of specialist knowledge, the challenge of explaining technical risk to smaller businesses, and the time brokers need to place cover. The integrated process is intended to reduce those points of friction for generalist brokers and their clients.

CyberCube’s Broking Manager generates reports on company-specific financial exposure, along with benchmarking data on policy limits and cover structures. Affinity Marketplace provides the digital environment where brokers can obtain automated quotes.

Nate Brink, Head of Broker Sales & Account Management at CyberCube, said the model addresses both economic and training challenges in the market.

“This strategic relationship between CyberCube and Affinity Marketplace solves the margin and education crunch that has long plagued the SME cyber insurance sector. By automating the quoting process directly alongside actionable exposure data within the same workflow, brokers can instantly demonstrate real risk without using complex technical jargon,” Brink said.

The approach allows brokers to stay within one system from the initial client discussion through to quotation. It also presents cyber risk in business terms that smaller companies can relate to when deciding whether to buy insurance and how much cover to take.

Founded in 2023, Affinity Marketplace focuses on digital distribution for specialty insurance. Its platform connects brokers and agents with managing general agents, carriers, and technology providers across quoting, binding, renewals, and carrier connectivity.

Andrew Suesserman, Co-founder of Affinity Marketplace, said: “Affinity Marketplace is all about giving brokers the tools they need to scale efficiently, and this collaboration with CyberCube does exactly that. We’ve combined rapid, automated cyber quoting with clear risk diagnostics in a single environment. This removes the complex jargon that usually stalls SME sales and gives generalist brokers the confidence to advise on exposures and limits like seasoned cyber specialists. We can’t wait to see our brokers leverage this to unlock new, highly profitable growth.”

Broker response

Wholesure, which uses the combined setup, said the integration has changed how its brokers and retail agents handle SME cyber placements. The brokerage cited a shortage of cyber specialists across the market as a barrier to broader take-up among smaller businesses.

Kevin Merchant, National Cyber Practice Leader at Wholesure, said: “With too few cyber specialists in the market today, closing the critical SME protection gap has felt like an uphill battle. Combining Affinity Marketplace with CyberCube has been an absolute game changer for our brokers, retail agents, and the insureds we protect. By utilizing Affinity Marketplace, our brokers gain instant access to seamless, efficient cyber quotes, eliminating the traditional friction of the placement process. Coupled with CyberCube’s robust financial loss impact and benchmark reports, our retail agents are equipped with the exact data-driven storytelling tools they need to educate insureds. We can present small business owners with clear, quantified evidence of their true financial exposure and show them how their peers are structuring their risk transfer.”

CyberCube was established within Symantec in 2015 and has operated as an independent company since 2018. It provides cyber risk analytics software to insurance institutions and has offices in San Francisco, New York, Chicago, London, and Tallinn.

The partnership is available through the Affinity platform.



Royal Mail blamed for pensioner’s missed appointments

David Lincoln, who lives in Barton, said delivery problems have been ongoing for around five years.

The 73-year-old said: “You get it, then it goes away, then it starts again. It’s beyond a joke and getting ridiculous.”

Residents receive emails apologising for “resourcing issues” at the Oxford East delivery office.

But Mr Lincoln claims two staff are still sent out on rounds and “take it in turns” to prioritise parcels one week, with letters left to the following week.

He said he has waited longer than his bank’s specified timeframe for a new card and missed hospital appointments because of delayed letters.

With multiple health conditions, he says the uncertainty around when post will turn up is causing “growing anxiety”.

A Royal Mail spokesperson said: “We know how important it is for letters to arrive on time, particularly where they relate to hospital appointments.

“Our latest results show 92 per cent of letters arrive on time and more than 99% arrive within a week. However, some delivery offices can be temporarily affected by local issues such as sick absence.

“We list areas experiencing temporary disruption on our service updates page, which includes Oxford East Delivery Office. We are working to get services back to normal and, where mail is delayed, we aim to deliver it the following day.”





35% of UK job applications miss interview threshold

JobSpace AI has published research showing that 35% of UK job applications fall below the threshold needed to progress to interview. The findings are based on an analysis of 5,782 CV scans matched against UK job descriptions.

The data challenges the long-circulated claim that 75% of CVs are rejected automatically before a recruiter reads them. Instead, the figures suggest most applications in the sample reached a level classed as interview-ready, while a sizeable minority did not.

Of the 5,782 CVs analysed, 64.5% scored 75 or above, which JobSpace AI classed as interview-ready. Another 22.4% scored between 50 and 74 and were deemed at risk of rejection, while 13.1% scored below 50 and were considered likely to be filtered out before reaching a recruiter.

The research drew on CV scans submitted by UK job seekers and assessed against job descriptions supplied by the same users. The sample covered submissions made over a four-month period and was based on actual candidate documents rather than recruiter surveys or modelled estimates.

Keyword gap

A smaller subset of 248 CVs received full keyword analysis. In that group, candidates matched an average of 48% of the keywords in the job descriptions they targeted and missed 9.1 keywords per application on average.

The missing terms were most often linked to process and governance rather than technical expertise. Phrases such as continuous improvement, compliance, customer service, SLA or service levels, change management, and stakeholder management appeared regularly in job adverts but were often absent from applicants’ CVs.

That pattern suggests the issue for many applicants lies less in their underlying experience than in how they describe it. Recruiters and screening systems often look for the language used in role specifications, especially in functions where process, oversight, and service delivery feature heavily.

“The gap most candidates don’t see isn’t a skills gap – it’s a language gap,” said Nicholas Barooah, Founder, JobSpace AI.

“Job adverts are written around frameworks and processes. Most CVs describe what someone achieved without using the governance and process terminology recruiters are screening for. Candidates who bridge that gap move from the 35% to the 65% – often with relatively small changes to how they describe existing experience,” Barooah said.

Myth questioned

The findings also cast doubt on one of the most frequently repeated claims in careers advice: that three quarters of CVs are screened out automatically. According to JobSpace AI, that figure has circulated for years across careers media, social media posts, and CV-writing services, but lacks a traceable primary source.

Its analysis points to a different picture. Automated filtering remains part of recruitment practice, but the results suggest the bigger issue is not universal exclusion by software. Instead, a notable share of applicants may be weakening their prospects by failing to reflect the wording and priorities set out in job adverts.

That distinction matters because it shifts attention away from the idea of a closed system and towards one in which many applications can be improved. For candidates whose CVs fall into the middle band or lower-scoring group, the data suggests relatively modest revisions in terminology and alignment may affect whether an application progresses.

How scoring worked

The scoring model assessed keyword alignment, formatting compatibility, and role-seniority match. Each CV was measured against a real job description, and the resulting score was used to place the application into one of three categories.

The research focused on UK users and was intended to reflect real-world submissions rather than hypothetical tests. Because job seekers provided the documents voluntarily, the dataset offers a snapshot of how candidates are currently presenting themselves in live applications.

The figures also underline the competitive nature of recruitment, even when most CVs are not screened out immediately. A document that reaches a recruiter is not necessarily a strong contender, particularly when employers compare applicants on closely matched wording, evidence of process knowledge, and relevance to the stated brief.

For applicants, the results point to the importance of reading job descriptions closely and mirroring terms that accurately reflect their experience. The most commonly absent phrases in the sample were not specialist jargon, but standard language around operations, governance, and delivery.

JobSpace AI said its platform has analysed more than 5,000 real UK job applications since launch, and the latest sample adds to that picture by quantifying how many candidates may be missing interview thresholds because of wording rather than lack of experience.


