The latest Cyber Security Breaches Survey makes for uncomfortable reading for UK businesses. According to the Government’s 2025/2026 report, 43% experienced a breach or attack in the last 12 months – that’s around 612,000 organisations. The findings also estimate approximately 5.19 million cybercrimes over the same period, while the proportion of breaches or attacks resulting in lost revenue or share value has more than doubled, rising from 2% to 5%.

On a surface level, the story is familiar – cyber attacks remain widespread, phishing continues to dominate and businesses are once again being urged to improve resilience. Experts have already described the findings as depressingly familiar, and it’s not difficult to see why. The numbers move slightly from year to year, but the underlying pattern remains largely unchanged, which is the real concern here.

After years of major incidents, boardroom briefings, regulatory warnings and national awareness campaigns, the UK is still stuck in a cycle where risk is recognised, but not consistently governed. Businesses know threat exists, but many still lack the ability to demonstrate, in a structured and reliable way, how that threat is being managed before something goes wrong.

Breach numbers only tell us what has already happened

A breach shows the visible outcome of decisions, controls, gaps and assumptions that existed long before the incident itself. By the time a breach appears in a survey, the more important questions have already been missed: Were the right controls in place and were they being reviewed? Was there clear ownership? The answers to these determine whether an organisation is genuinely resilient or simply fortunate.

The survey tells us a great deal about the scale of cybercrime and reveals too many companies are still measuring risk at the point of failure rather than at the point of control.

The governance gap is hiding in plain sight

Only 31% of businesses have board-level responsibility for cyber security, just 15% review the risks posed by their immediate suppliers and only 6% look at the wider supply chain. The survey also points to small businesses going backwards in some areas of basic preparedness.

Cyber security is still too often treated as a technical function, owned somewhere inside IT and discussed seriously only when an incident takes place. Yet most of the weaknesses exposed by modern incidents are structural, with no clear accountability, no consistent control framework, no live view of risk and no board-level visibility until they are already under pressure.

Small businesses face risk differently from large enterprises

Smaller businesses are often told to adopt better cyber hygiene. Whilst this advice is valid, it can also oversimplify the challenge. SMEs typically operate with less internal capacity, fewer dedicated roles, more informal processes and greater dependence on external suppliers, creating a very different kind risk profile from larger enterprises.

For many, cyber risk is managed through individual knowledge rather than institutional structure. One person knows where the policies are stored, one external provider understands the systems and one senior leader owns the customer assurance process, but that kind of system becomes fragile quickly.

The business needs clear visibility over the data it holds, the systems affected, the suppliers involved, the controls in place, what evidence exists and who is authorised to make decisions. If that information has not been organised in advance, incident response becomes slower and more expensive. This is where governance needs to become more practical.

Smaller organisations don’t need the same level of bureaucracy as global enterprises, but they do need a clear way to map risks, assign ownership, manage controls, maintain evidence and show progress over time. Without that, cyber resilience remains dependent on goodwill, memory and last-minute effort.

Supply chain risk is becoming the unanswered question

Modern companies rely on software providers, outsourced IT partners, consultants, payment systems, logistics platforms, cloud environments and data processors, which means cyber risk rarely sits neatly within the four walls of their organisation. A weakness in one supplier can quickly become a weakness in the business itself.

But as the survey shows, only a small minority of organisations are reviewing immediate supplier risk and even fewer are looking at the wider supply chain. Customers are already asking more detailed questions about security controls, investors are looking more closely at operational resilience, regulators are moving towards stronger expectations around supply chain accountability and insurers are becoming more interested in evidence. In that environment, “we trust the supplier” is not enough.

The Cyber Security and Resilience Bill will raise the evidence bar

The UK is moving away from a model where cyber security is largely treated as voluntary good practice and towards one where resilience must be demonstrated. The Bill is part of that shift.

Demonstrating that the right controls, oversight and processes were in place before a breach happened relies on evidence, ownership and current information. It requires cyber risk to be connected to compliance, operations, procurement and leadership.

This is where many organisations will feel the gap most sharply. They may be doing some of the right things, but if those activities are fragmented, undocumented or disconnected from recognised frameworks, they will struggle to prove it.

The real lesson is not more awareness, but more proof

The UK doesn’t have a cyber awareness problem in the traditional sense. Most business leaders understand that attacks can disrupt operations, damage trust and create financial loss.

But, businesses need to better understand which frameworks apply, which controls are in place, who owns them, when they were last reviewed and where the evidence sits. That means treating compliance as a live management discipline rather than a project that begins shortly before an audit or customer request. Frameworks such as ISO 27001, SOC 2 and Cyber Essentials are becoming more important because they give organisations a common structure for turning cyber intent into demonstrable control. They also help in moving away from reactive reassurance and towards evidence-led governance.

Why the numbers keep looking the same

The real value in the Cyber Security Breaches Survey is in showing why progress remains slow. Too many businesses are using an approach that creates the appearance of activity without the discipline of governance and, until that changes, the annual numbers will continue to look familiar.

To move ahead, businesses need to build the evidence first, connect controls to risk, bring suppliers into scope and give leadership a clear view of resilience before pressure hits. Compliance isn’t a report, it’s a posture – that’s what the latest survey is really telling us.

Carriage Company (Oxon) Limited, based in Banbury, was put into compulsory liquidation with immediate effect on February 4 after HMRC filed a winding-up petition seeking debt repayment.

The petition was initially presented on December 9, 2025, by the Commissioners for HM Revenue and Customs, who claimed to be creditors of the company.

The case was heard at the High Court’s Royal Courts of Justice in London on February 4 at 10.30am, resulting in a winding-up order.

READ MORE: Praise for 80s music legend trying to save historic village pub

Documents submitted to Companies House this month revealed that the company’s dissolution has been deferred until April 4, 2032.

Such a move usually allows a company’s legal status to remain active so authorities can wind up legal actions and recover assets.

A notice relating to the Banbury-based firm, signed by the Insolvency Service on behalf of the Secretary of State, reads: “The dissolution of the company [will] be deferred and take effect on April 4, 2032, unless a further direction is issued.”

The taxi operation, which was incorporated on November 6, 2008, had been providing taxi and private-hire vehicle services in the Oxfordshire area for almost 18 years before its collapse.

Companies House records show the firm was registered as a private limited company specialising in taxi operations.

READ MORE: TV legend’s daughter selling £3.95m Oxfordshire mansion with swimming pool

The liquidation comes amid soaring business failures across the UK, with company insolvencies rising sharply in recent months.

Data from the Insolvency Service showed that the number of company insolvencies rose month-on-month to March by 7 per cent to 2,022.

Company administrations surged 52 per cent between February and March to 235 and were 82 per cent higher when compared to March 2025, while compulsory liquidations jumped 18 per cent.

Industry experts have blamed the Iran war and soaring wage bills for sending costs surging across the transport sector.

READ MORE: RIAT 2026 air show cancelled over Middle East concerns

The surge in fuel and energy prices, driven by the intensifying conflict in the Middle East, has severely impacted industries such as transport and manufacturing.

Transport firms have been particularly vulnerable to rising operational costs, with fuel expenses climbing sharply alongside increased wage pressures and regulatory burdens.

The collapse of Carriage Company (Oxon) Limited marks the latest in a series of transport and travel-related business failures in 2026.

Earlier this month, several UK airlines and travel companies also entered liquidation or administration, citing similar cost pressures.

READ MORE: Westgate Oxford chain issues statement on future amid closures

The six-year deferral of dissolution is a relatively lengthy period, suggesting authorities may anticipate complex asset recovery proceedings or ongoing legal matters requiring the company’s legal status to remain active.

HMRC’s involvement as the petitioning creditor indicates the company owed substantial tax debts, though the exact amount has not been disclosed in public filings.

The closure leaves customers and creditors awaiting further details on asset recovery and potential refunds.

This newspaper has approached Carriage Company (Oxon) Limited for comment.

While the European Union accelerates toward a more regulated digital landscape with the Cyber Resilience Act and NIS2, the backbone of its economics SMEs remains perilously exposed. A comprehensive study by PXL University of Applied Sciences and Arts, utilising the OWASP SAMM framework and the relevant industry benchmarks and target postures, reveals a critical structural imbalance in software development. The research finds that while Belgian SMEs excel at reactive operational management, they are almost entirely neglecting proactive security measures like threat modelling and developer education. This article explores the findings, the economic “security debt” being accrued, and the urgent necessity of a “shift-left” strategy for cyber-resilience.

The backbone of the digital economy

Located at the “heart of Europe,” approximately 50 kilometres from Brussels, the Belgian region of Flanders serves as a critical hub for software innovation. In this landscape, small-to-medium enterprises (SMEs) are not merely participants; they are the industry’s engine, representing approximately 99% of the industrial landscape. These companies hold a software market share of between 50% and 60%, meaning the products they develop end up in the hands of millions of daily users and large-scale corporate infrastructures.

Despite their significance, the cybersecurity maturity of these organisations has remained a “blind spot” in both scientific literature and practical application. A research team from PXL University of Applied Sciences and Arts, led by Cyber Security Research Coordinator Dr Koen Gilissen and researcher Savannah Eggers, recently set out to map this maturity using a rigorous, internationally recognised framework.

Their findings suggest that the digital foundation of Europe is built on a “reactive” rather than “proactive” culture, a trend that poses significant risks as global cyber threats continue to increase exponentially.

Understanding the framework: OWASP SAMM 

To measure the security posture of these SMEs, the PXL team utilised the OWASP Software Assurance Maturity Model (SAMM). OWASP (the Open Worldwide Application Security Project) is a non-profit foundation providing community-driven resources that act as the “gold standard” for application security.

SAMM assesses an organisation across five functional pillars, each essential to a secure Software Development Life Cycle (SDLC):

1. Governance: Strategy, metrics, policy, compliance, and education.

2. Design: Threat assessment, security requirements, and secure architecture.

3. Implementation: Secure build, secure deployment, and defect management.

4. Verification: Architecture assessment, requirements-driven testing, and security testing.

5. Operations: Incident, environment, and operational management.

The research findings: a “critical structural imbalance”

The analysis of Flemish software SMEs exposed a stark reality: security is often treated as a “thin sauce” poured over the end product rather than being embedded within the software itself.

The “Operations” illusion

The PXL study found that SMEs score relatively high in the Operations pillar. In fact, scores for Environment Management and Operational Management actually exceeded the “Target Posture LOW BASELINE” – the minimum requirement to avoid being considered an “easy target”. This indicates that Belgian SMEs are competent at managing systems that are already “live”.

The proactive gap

However, the “proactive” phases of the SDLC, specifically Governance and Design, showed alarming deficiencies. The most pressing observations involved two critical activities:

• Education and Guidance: Measured at a staggering 0.02 average, compared to a target baseline of 1.0.

• Threat Assessment: Measured at 0.25 average, against a target of 1.9.

Dr Gilissen noted, “The results were at least lower than I naively expected”. This imbalance suggests that companies are “extinguishing fires” in production rather than preventing vulnerabilities at the source.

The economic reality: Features vs. Security

Why do these gaps exist? The PXL team identified several “limitation factors” common to SMEs: a lack of manpower, expertise, skills, and, most crucially, time and resources.

Every line of code that contributes to a new feature is viewed as direct value creation or “money”. Conversely, security efforts are perceived as heavy investments that slow down the development process. This leads to what the researchers call “Security Debt”.

“What is saved today by skipping security will be paid back tomorrow, more than double, in the form of complex patches and recovery work,” the PXL problem statement warns.

This “technological debt” does more than just increase the risk of a breach; it exponentially raises future maintenance costs and threatens the long-term viability of the software.

The “shift-left” necessity and regulatory pressure

The study argues for a fundamental “shift-left” strategy. This concept involves moving security considerations to the earliest possible stages of the development cycle, such as threat modelling and developer education, rather than waiting until the implementation or verification phases.

This shift is no longer just a “best practice”, it is becoming a requirement for market access. New European regulations, such as the Cyber Resilience Act (CRA), the AI Act, and NIS2, are imposing strict demands on software security.

Under the NIS2 legislation, supply chain security is paramount. Larger clients are increasingly demanding proof of security maturity from their SME subcontractors. A low SAMM score could lead to the loss of crucial B2B contracts as larger firms seek to minimise their own third-party risks.

Hope through frameworks

Despite the “no hope” feeling some SMEs might experience when faced with mounting legislation, the PXL team remains optimistic. Frameworks like OWASP SAMM provide a manageable roadmap.

Savannah Eggers highlighted the value of structured guidance: “With SAMM, it’s very easy to pinpoint what you need to know. It tells you, okay, here’s a resource to learn more about security principles”. By breaking down maturity into levels (1, 2, and 3), the framework allows companies to prioritise their limited resources for the “biggest bang for their buck”.

Conclusion: a call to action for Flemish SMEs

The PXL study serves as both a warning and a guide. For the thousands of SMEs in Flanders and the wider Belgian and European region, the “time is now” to address the critical gaps in Education and Threat Assessment.

Increasing a company’s cybersecurity posture is not just about compliance; it is a significant business opportunity. Those who can demonstrate a secure development process will differentiate themselves from competitors, secure lucrative B2B contracts, and build products that are resilient by design rather than by chance.

As Dr Gilissen summarises for the next generation of developers, SMEs have the potential to make a massive difference in regional cyber-resilience. The journey from “firefighting” to “prevention” begins with the first step of the shift-left strategy: a good analysis of where we stand.