The UK government has published the 2025/26 Cyber Security Breaches Survey for businesses and charities. Security experts say the findings expose persistent gaps in basic controls, supply chain oversight, and incident reporting.

The latest annual survey points to continued exposure to cyber incidents across UK organisations, alongside uneven adoption of recognised security standards and controls. It is based on research carried out for the Department for Science, Innovation and Technology and the National Cyber Security Centre.

Chris Newton-Smith, Chief Executive Officer at IO, said the findings on formal security frameworks highlighted a structural weakness in many organisations.

“Today’s Cyber Security Breaches Survey has once again revealed some stark and urgent findings about the state of the UK cyber security landscape.”

“The continued low uptake of recognised standards, with only 5% of businesses reporting adherence to Cyber Essentials, signals a missed opportunity to build structured resilience. Frameworks should not be seen as a compliance overhead. They provide proven, repeatable security practices and can reduce reliance on fragmented external advice. Organisations that depend heavily on consultants instead of frameworks risk inconsistent controls and a lack of internal capability. Frameworks such as Cyber Essentials can help turn good intentions into operational discipline.”

“The survey shows some encouraging improvements in baseline hygiene, for example in risk assessments, policies, and insurance. But despite progress in several hygiene practices, small businesses returned to 2023/24 levels. This creates a false sense of security. Organisations are doing visible things, but not necessarily the things that are most effective. Cyber hygiene is improving, but resilience requires depth, not just breadth.”

“This is compounded by the very low level of supplier risk reviews, with only 15% reviewing the risks posed by their immediate suppliers. That highlights a significant systemic vulnerability. It is particularly critical in light of increasing regulatory pressure, especially from rules such as DORA and NIS2, which place strong emphasis on supply chain resilience and third-party risk management. Many organisations are strengthening their internal defences while leaving a critical gap in how they assess and manage supply chain risk, effectively reinforcing the front door while leaving the back door open.”

“Cyber security maturity is not defined by how many tools an organisation deploys, but by how consistently it applies governance, manages risk, and aligns to recognised standards. The organisations that close that gap and achieve true resilience will be the ones that turn cyber security into a genuine competitive advantage.”

Newton-Smith highlighted supplier oversight as a particular concern, given growing regulatory pressure such as the EU’s Digital Operational Resilience Act and updated Network and Information Systems rules. Those regimes place greater scrutiny on third-party risk and operational continuity across digital supply chains.

The survey also reports relatively low adoption of multi-factor authentication across UK companies, despite official guidance treating it as a basic control. The findings suggest many firms still rely on passwords as the primary safeguard for access to systems and cloud services.

Michael Downs, Vice President at SecurEnvoy, said many organisations continue to delay adopting multi-factor authentication despite its role in blocking common attacks.

“The 2026 Cyber Security Breaches Survey still shows surprising figures on how few businesses have implemented multi-factor authentication as a standard security control. Only 47% of businesses have adopted it, meaning a significant proportion of organisations are leaving the door wide open to cybercriminals.”

“MFA is one of the most straightforward controls available and does not require a lengthy procurement process or specialist hire. If an attacker gets hold of a password through phishing or a credential leak, MFA adds another layer of protection. Given that stolen credentials feature in the majority of breaches, there is no excuse not to offer it to employees, contractors, and customers.”

“Businesses also need to be aware that the NCSC’s Cyber Essentials scheme is being updated this year to require MFA on all cloud services, so it will no longer be a nice-to-have. For the many organisations still holding out, implementing MFA is the most direct step they can take to improve their security posture today.”

Regulation features heavily in expert reactions to the survey. Specialist providers see forthcoming rules as a catalyst for more rigorous preparation, especially around detection, response, and reporting.

Richard Groome, OT Cybersecurity Specialist at e2e-assure, said current breach notification levels remain well below the standards set in upcoming legislation.

“Only 50% of businesses surveyed say they currently inform regulators about breaches. Incident reporting is about to become much more important because, under the Cyber Security Resilience Bill, organisations deemed critical will be required to report significant cyber incidents within 24 hours, with a full report due within 72 hours. That is a completely different standard from what most businesses currently operate to, and the gap between today’s practice and tomorrow’s requirement is significant.”

“It is worth noting that regulators can designate any supplier, including SMEs and non-UK entities, as critical if their failure could disrupt essential services. The potential scope is therefore massive and not limited to large organisations.”

“Meeting those reporting deadlines requires mature SOC processes, 24/7 monitoring, and automated detection capabilities that many smaller organisations simply do not have in place today. Most will also need to identify and notify affected customers within that same window, which demands granular visibility into systems and workloads that few have yet built.”

“Organisations should be assessing their incident detection and reporting workflows now, mapping their IT ecosystem, and ensuring they have the monitoring capability to identify a breach quickly enough to meet the new thresholds.”

“The survey shows that senior management are being informed when breaches occur. The CSRB will extend that accountability outward, and businesses need to be ready for it.”

Groome also pointed to the financial impact of serious incidents, which he said often exceeds the direct costs cited by respondents.

“For organisations that experienced a breach in the past 12 months, the average perceived cost is just £940, but this rises to £20,000 at the 95th percentile. These costs might sound manageable, but the reality for those at the more severe end of the spectrum is anything but.”

“The Jaguar Land Rover attack was estimated to cost the business around £5 million per day in lost profits, with the wider economic impact running into billions across the supply chain. The M&S ransomware attack resulted in losses of £300 million.”

“A large part of these costs is due to the downtime caused by attacks. With this in mind, we need to be acutely aware that our Critical National Infrastructure is particularly vulnerable to shutdowns, and the knock-on costs of downtime will have an even greater impact on the organisations we all depend on to live: power, water, and food.”

“Attackers know this. Modern ransomware attacks go beyond encrypting data. Attackers understand that months of downtime, and the financial damage that comes with it, are a lucrative bargaining chip in ransom negotiations.”

“UK businesses need to invest in continuous monitoring, faster detection, and tested incident response. That not only reduces the likelihood of a breach but also directly limits the financial exposure when one occurs.”