UK cyber breach survey bolsters call for legal reform
SHANNON WILLIAMS
News Editor
The UK Government has released the latest Cyber Security Breaches Survey for businesses and charities, highlighting the scale of cyber incidents affecting organisations across the country.
The annual study found that 43% of UK businesses experienced a cyber security breach or attack, compared with 28% of charities. The results form part of official tracking of how organisations manage digital risk and respond to incidents.
Cyber security advocates say the figures expose persistent structural weaknesses in the UK’s legal and governance framework, arguing that current law does not reflect how modern defenders work or how criminal groups operate.
A spokesperson for the CyberUp Campaign said the survey strengthens the case for reform of the Computer Misuse Act, which dates from 1990. The campaign is a coalition of cross-party parliamentarians, academics and industry groups focused on the legal environment for cyber professionals.
“Today’s findings should be a wake-up call. The UK cannot keep warning about the scale of the cyber threat while leaving legitimate cyber professionals constrained by laws written for a different age. Other countries have already moved to protect legitimate cybersecurity activity while keeping strong powers to prosecute criminals, but the UK is falling behind. Without a clear statutory defence, we risk holding back the people working to find vulnerabilities, gather threat intelligence and stop attacks before they cause harm. The Government has rightly recognised cyber resilience as a national priority through the Cyber Security and Resilience Bill and its wider work to strengthen the UK’s cyber defences. But that ambition will fall short unless ministers also modernise the Computer Misuse Act. Reform would strengthen our national resilience, support the UK’s cyber sector and ensure the law targets malicious actors, not those protecting the public,” said a spokesperson for the CyberUp Campaign.
The CyberUp coalition has called for a statutory defence to give legal certainty to penetration testers, threat intelligence analysts and other security specialists. It argues that the current rules risk deterring legitimate research and testing that could identify weaknesses before criminals exploit them.
The survey also examines governance and board oversight of cyber risk. It found that more boards now hold formal responsibility for cyber security, although direct engagement remains patchy.
Jay Kaplan, chief executive officer and co-founder of Synack, said the data points to a gap between stated board responsibility and practical oversight.
“This year’s Cyber Security Breaches Survey shows boards taking on more responsibility for cyber on paper while paying less attention to it in practice. Board-level responsibility rose from 27% to 31%, which looks like progress on paper. But the share of medium-sized business boards receiving at least annual cyber updates dropped from 78% to 70%. This signals more accountability with less visibility.
“The fix requires speaking the board’s language. Vulnerability management needs to be a corporate goal, not just a security team metric. Frame a breach in terms the board understands: what does it cost the business for every hour critical systems are offline? That calculation changes how leadership prioritises investment far more than any compliance report will. And once a year isn’t enough in a threat landscape that moves in hours. Boards need a continuous read on what’s actually exploitable, what it would cost the business to lose, and what’s been validated against real attack conditions,” said Kaplan.