The Department for Science, Innovation and Technology has published the latest Cyber Security Breaches Survey 2025/2026. Security specialists have questioned whether the government’s approach and business responses match the scale of AI-driven threats.

The annual survey tracks how UK businesses and charities experience and manage cyber incidents. It reports relatively stable headline breach numbers, persistent phishing threats, and a continued emphasis on policy documents, training, and certification.

Several industry figures argue that this apparent stability masks a decline in real-world resilience. They highlight AI’s growing role in both attacks and defence, and point to gaps in funding, incident response, and day-to-day security practice, particularly among smaller organisations.

Merlin Gillespie, Chief Technology Officer at Cybanetix, argued that the survey framework no longer reflects the threat landscape.

“The Cyber Security Breaches Survey is fundamentally flawed because the government is measuring the wrong things. Why? Because it props up a cyber policy that doesn’t fund resilience. The survey shows the same information every year because the policy shaping it hasn’t changed in line with the problem. Attacks are getting cheaper, faster, and more sophisticated, in no small part because they’re AI-assisted. Defences aren’t keeping pace because businesses are being asked to build them voluntarily, without funding, while outcomes are measured through paperwork rather than real-world results. Cyber security is being treated as a private-sector hygiene issue rather than a nationwide public risk. CISOs are exhausted, not because they don’t know what to do technically, but because they’re overwhelmed by risk, compliance, the audit treadmill, and supplier questionnaires.”

“UK cyber policy has turned CISOs into paperwork administrators, and they’re in a doom spiral. Until the government moves from policy to incentives, and recognises technical changes that can move the dial rather than mandating compliance documents that bury teams, every successive survey will show defences eroding. Every year the government’s answer is to encourage more certifications, more training, and more awareness. Microsoft says AI is being used at every stage of the cyber kill chain, but the survey barely mentions it. The attack surface is changing beneath our feet, and everyone is trying to catch up with last year’s paperwork while worrying about the latest novel attack that the average CISO probably has no coverage against and no detections to identify. Phishing remains a top attack, not because defenders are lazy, but because attackers are evolving it faster than policy can adapt. OSINT-driven, multi-channel attacks using email, WhatsApp, and voice are growing.”

“AI-generated content can capture and repurpose real voice and video so instructions appear to come from a real colleague. Meanwhile, we’re being asked to combat it with questionnaires and multiple-choice tests. Incident response should be the headline of the survey, yet it is traditionally buried near the bottom. It consistently shows that most UK businesses have no incident response plan and little guidance on when to escalate an incident externally. As a result, the typical UK business is improvising mid-breach. And in the minority of cases where businesses do take action, it is through training, which doesn’t appear to be working. This is like trying to address a disease when a preventative vaccine would be more efficient. We need to use fiscal levers and provide solutions that work, foster the economy, and strengthen UK businesses, rather than drowning them in overheads and hindsight. The UK government spends £30 million supporting SMEs, which means those businesses are effectively fighting digital terrorists with enough money to buy a bag of chips.”

“The UK cyber sector generated £13.2 billion in revenue last year but attracted under £200 million in venture investment. By comparison, Israeli tech raised $12.2 billion in 2024, up 31% from the year before, with investment heavily concentrated in cyber and backed by stackable R&D grants worth up to $3.3 million per startup and a preferred corporation tax rate of 7.5% versus the UK’s 25%. If we underfund the buyer, starve the sellers, and bury businesses in paperwork with limited demonstrable impact, is it any wonder we have no answer to attackers using Mythos-class game-changing technology? If the government is serious about digital sovereignty and protecting its citizens, it needs fiscal incentives at both ends of the loop: tax credits for UK businesses investing in genuine cyber defence, and R&D grants and preferred tax treatment for UK cyber firms that build and retain their IP in the UK while serving UK citizens.”

Jon Fielding, Managing Director for EMEA at Apricorn, focused on how smaller organisations implement basic controls. He pointed to persistent weaknesses in staff education, device security, and backup strategies.

“Staff training continues to be a low priority among SMEs, with a third carrying out sessions compared with 84% of large organisations. As a result, the user remains the weakest link, and those users are becoming even more vulnerable as attacks are crafted and refined by AI. Phishing and social engineering attacks are now far more sophisticated and harder to spot, making it vital that employees know how to report suspicious communications. They also need guidance on how to report rogue AI. The syntactic nature of AI means it can change and morph over time, and that could make it the ultimate insider threat,” said Fielding.

“There is still a consistent failure to secure mobile technology, even when it belongs to the business. While 61% insist on on-device security, the needle has barely moved over the past five years. That keeps risk unnecessarily high in a world where mobile and hybrid working are now commonplace. These devices are much easier to compromise outside the office, so businesses should secure everything from mobile phones to laptops and portable storage media,” he added.

“Cyber criminals are increasingly targeting not the data itself but the backups. They know backups contain sensitive data, and by compromising them they can block recovery and hamstring the business, giving them maximum leverage. Another problem revealed by the survey is that wholesale backup of data to the cloud has created a single dependency. Only 48% are backing up data by other means, down from 55% in 2024, and that decline means fewer options when, not if, a business is attacked. The long-standing advice was to keep multiple backups on different media and in different locations, but that has since evolved. Best practice is now the 3-2-1-1-0 rule: three copies of data on two different media, one stored encrypted and offline, at least one backup immutable, and recovery regularly tested to ensure zero errors. Testing recovery is crucial because close to a third of businesses have previously reported that they could not fully recover their data,” Fielding said.

“There continues to be a grey area between corporate and personal device security when it comes to acceptable use. While 84% set rules for how staff can use business-issued devices, only 58% cover personal device use. Yet the vast majority of hybrid workers routinely use personal devices for work, and in our own annual survey the majority, 61%, said they expect those workers to put them at risk of a data breach. So even though remote or mobile working is now routinely included in security policies, there is little follow-through in how it is implemented and enforced. A key example is the use of removable storage such as USBs, which this section of the workforce is highly likely to use. The survey found only 64% stipulate what can be stored on such devices, which suggests that almost half of the mobile workforce is free to move data around on any type of USB stick. That is why policies must set out where and how data can be stored, and why it is sensible to specify the level of on-device security these storage devices should have,” he said.

“UK businesses continue to lag in their approach to cyber security. There is a tendency to put all their eggs in one basket, whether that basket is the cloud or a backup solution, and that increases risk. By taking a more distributed approach, businesses can dilute that risk. At the same time, organisations need to be more prescriptive about what they expect employees to do. Guidance on reporting suspicious communications, using on-device security, and backing up data is badly needed because the hybrid workforce remains largely adrift and is being circled by AI. The picture is further complicated by new threats on the horizon. For instance, digital twinning, where AI adopts the working practices of a human user and performs actions on their behalf, adds another layer between the user and the data. While such advances may increase productivity, they are also likely to make it much harder to safeguard users and corporate data,” Fielding added.

Dan Lattimer, Vice President for EMEA at Semperis, highlighted the gap between preventive controls and structured response.

“Stability in breach numbers should not be mistaken for resilience. The Cyber Security Breaches Survey 2025/2026 highlights a growing gap between prevention and preparedness. While organisations invest in controls such as restricted admin rights (73%) and backups (88%), far fewer have plans to recover their identity infrastructure after a breach. Only 25% of businesses and 19% of charities had a formal incident response plan, and only a minority had actually tested those plans. With phishing still the most disruptive threat and incident response planning still limited, organisations need to assume identity compromise will happen and prepare accordingly. Investing in identity monitoring and recovery alongside prevention is essential to reducing downtime, repeat incidents, and long-term business damage. Incident response without identity recovery is incomplete. The survey shows many organisations still have no plans to restore trust after a breach. That correlates with the increase in businesses reporting that a breach or attack led to loss of revenue or share value, because that is where the real damage begins,” Lattimer said.