Business & Technology
UK cyber survey exposes gaps in basic security controls
The UK government has published the 2025/26 Cyber Security Breaches Survey for businesses and charities. Security experts say the findings expose persistent gaps in basic controls, supply chain oversight, and incident reporting.
The latest annual survey points to continued exposure to cyber incidents across UK organisations, alongside uneven adoption of recognised security standards and controls. It is based on research carried out for the Department for Science, Innovation and Technology and the National Cyber Security Centre.
Chris Newton-Smith, Chief Executive Officer at IO, said the findings on formal security frameworks highlighted a structural weakness in many organisations.
“Today’s Cyber Security Breaches Survey has once again revealed some stark and urgent findings about the state of the UK cyber security landscape.”
“The continued low uptake of recognised standards, with only 5% of businesses reporting adherence to Cyber Essentials, signals a missed opportunity to build structured resilience. Frameworks should not be seen as a compliance overhead. They provide proven, repeatable security practices and can reduce reliance on fragmented external advice. Organisations that depend heavily on consultants instead of frameworks risk inconsistent controls and a lack of internal capability. Frameworks such as Cyber Essentials can help turn good intentions into operational discipline.”
“The survey shows some encouraging improvements in baseline hygiene, for example in risk assessments, policies, and insurance. But despite progress in several hygiene practices, small businesses returned to 2023/24 levels. This creates a false sense of security. Organisations are doing visible things, but not necessarily the things that are most effective. Cyber hygiene is improving, but resilience requires depth, not just breadth.”
“This is compounded by the very low level of supplier risk reviews, with only 15% reviewing the risks posed by their immediate suppliers. That highlights a significant systemic vulnerability. It is particularly critical in light of increasing regulatory pressure, especially from rules such as DORA and NIS2, which place strong emphasis on supply chain resilience and third-party risk management. Many organisations are strengthening their internal defences while leaving a critical gap in how they assess and manage supply chain risk, effectively reinforcing the front door while leaving the back door open.”
“Cyber security maturity is not defined by how many tools an organisation deploys, but by how consistently it applies governance, manages risk, and aligns to recognised standards. The organisations that close that gap and achieve true resilience will be the ones that turn cyber security into a genuine competitive advantage.”
Newton-Smith highlighted supplier oversight as a particular concern, given growing regulatory pressure such as the EU’s Digital Operational Resilience Act and updated Network and Information Systems rules. Those regimes place greater scrutiny on third-party risk and operational continuity across digital supply chains.
The survey also reports relatively low adoption of multi-factor authentication across UK companies, despite official guidance treating it as a basic control. The findings suggest many firms still rely on passwords as the primary safeguard for access to systems and cloud services.
Michael Downs, Vice President at SecurEnvoy, said many organisations continue to delay adopting multi-factor authentication despite its role in blocking common attacks.
“The 2026 Cyber Security Breaches Survey still shows surprising figures on how few businesses have implemented multi-factor authentication as a standard security control. Only 47% of businesses have adopted it, meaning a significant proportion of organisations are leaving the door wide open to cybercriminals.”
“MFA is one of the most straightforward controls available and does not require a lengthy procurement process or specialist hire. If an attacker gets hold of a password through phishing or a credential leak, MFA adds another layer of protection. Given that stolen credentials feature in the majority of breaches, there is no excuse not to offer it to employees, contractors, and customers.”
“Businesses also need to be aware that the NCSC’s Cyber Essentials scheme is being updated this year to require MFA on all cloud services, so it will no longer be a nice-to-have. For the many organisations still holding out, implementing MFA is the most direct step they can take to improve their security posture today.”
Regulation features heavily in expert reactions to the survey. Specialist providers see forthcoming rules as a catalyst for more rigorous preparation, especially around detection, response, and reporting.
Richard Groome, OT Cybersecurity Specialist at e2e-assure, said current breach notification levels remain well below the standards set in upcoming legislation.
“Only 50% of businesses surveyed say they currently inform regulators about breaches. Incident reporting is about to become much more important because, under the Cyber Security Resilience Bill, organisations deemed critical will be required to report significant cyber incidents within 24 hours, with a full report due within 72 hours. That is a completely different standard from what most businesses currently operate to, and the gap between today’s practice and tomorrow’s requirement is significant.”
“It is worth noting that regulators can designate any supplier, including SMEs and non-UK entities, as critical if their failure could disrupt essential services. The potential scope is therefore massive and not limited to large organisations.”
“Meeting those reporting deadlines requires mature SOC processes, 24/7 monitoring, and automated detection capabilities that many smaller organisations simply do not have in place today. Most will also need to identify and notify affected customers within that same window, which demands granular visibility into systems and workloads that few have yet built.”
“Organisations should be assessing their incident detection and reporting workflows now, mapping their IT ecosystem, and ensuring they have the monitoring capability to identify a breach quickly enough to meet the new thresholds.”
“The survey shows that senior management are being informed when breaches occur. The CSRB will extend that accountability outward, and businesses need to be ready for it.”
Groome also pointed to the financial impact of serious incidents, which he said often exceeds the direct costs cited by respondents.
“For organisations that experienced a breach in the past 12 months, the average perceived cost is just £940, but this rises to £20,000 at the 95th percentile. These costs might sound manageable, but the reality for those at the more severe end of the spectrum is anything but.”
“The Jaguar Land Rover attack was estimated to cost the business around £5 million per day in lost profits, with the wider economic impact running into billions across the supply chain. The M&S ransomware attack resulted in losses of £300 million.”
“A large part of these costs is due to the downtime caused by attacks. With this in mind, we need to be acutely aware that our Critical National Infrastructure is particularly vulnerable to shutdowns, and the knock-on costs of downtime will have an even greater impact on the organisations we all depend on to live: power, water, and food.”
“Attackers know this. Modern ransomware attacks go beyond encrypting data. Attackers understand that months of downtime, and the financial damage that comes with it, are a lucrative bargaining chip in ransom negotiations.”
“UK businesses need to invest in continuous monitoring, faster detection, and tested incident response. That not only reduces the likelihood of a breach but also directly limits the financial exposure when one occurs.”
Region to Season, in Blackbird Leys Road, was given a one star rating by Oxford City Council environmental health officers following a routine health visit inspection.
Stating that ‘major improvement’ was necessary, inspectors handed the store a one-out-of-five food hygiene rating.
READ MORE: Popular Oxford burger restaurant given one star food hygiene rating
One key issue identified in the latest inspection was the management of food safety, meaning the systems in place to ensure food served is safe to eat, which were deemed to require ‘major improvement’.
Inspectors also found the cleanliness and condition of facilities and the building needed ‘major improvement’.
But they found the hygienic food handling was ‘generally satisfactory’ at the shop.
The Jamaican and Afro-Caribbean food specialist store was visited by the officers in March.
The store sells a range of food including fruit, vegetables, meat, fish and canned goods.
KALEAH SALMON
Head of Growth
RedCloud has announced three artificial intelligence agents for commercial decision-making in the fast-moving consumer goods sector. The tools are being developed for distributors and brand managers across the company’s markets.
The products are designed to support routine decisions on stock, pricing, sales targeting and market planning using trade data collected through RedCloud’s platform. Its system has processed nearly USD $6.9 billion in FMCG transactions across emerging markets, including Nigeria, Brazil, South Africa and Saudi Arabia.
One tool, the RedAI Inventory Agent, is intended for distributors managing stock levels. It is designed to predict demand and recommend when to reorder and in what quantities, with the aim of reducing both shortages and excess stock.
A second product, the RedAI Sales Agent, is aimed at distribution sales teams. It is intended to identify buyers most likely to place orders, suggest pricing approaches, and recommend product bundles, while reducing time spent on low-probability leads.
The third product, the RedAI Market Planning Agent, is intended for FMCG brand managers. It is designed to provide a local view of product performance at the category and stock-keeping unit level, alongside information on competitive activity, channel trends, and areas of potential growth.
The agents are being built on RedCloud’s RAID engine, short for Realtime AI for Distribution. The tools are expected to operate in local languages across its active markets and include embedded trading and payment functions through local payment providers.
Data focus
RedCloud framed the launch around the volume of daily decisions made across consumer goods supply chains, from reorder timing to pricing and promotion. It said many of those decisions are still made without real-time supply-and-demand data and argued that the resulting information gap contributes to lost inventory opportunities across the sector.
The company put that missed opportunity at USD $2 trillion a year globally, citing external market research. It also cited figures valuing the wider global FMCG market at USD $14.6 trillion.
RedCloud operates in high-growth consumer markets, selling software and services to brands, distributors and retailers. Its wider platform combines trade data, market intelligence and transaction tools intended to digitise product flows across supply chains.
Rollout plans
The three agents are planned for rollout in the second half of 2026, with a phased launch through live customer deployments in RedCloud’s operating countries.
That timeline means the products remain in development rather than in general use. RedCloud did not provide customer names, pricing details or deployment targets for the new tools.
Artificial intelligence products aimed at operational workflows have become an increasingly important area of interest for enterprise software groups and supply chain technology firms. RedCloud’s approach centres on narrow, task-specific systems trained on transaction data generated inside its own trade network, rather than broad consumer-facing AI models.
The focus on distributor and brand workflows reflects the fragmented structure of many FMCG markets, particularly in developing economies where ordering, merchandising and route-to-market decisions often rely on incomplete or delayed information. In those settings, better data on local demand and sell-out trends can affect working capital, product availability and sales efficiency.
Justin Floyd, Chief Executive Officer and Co-Founder of RedCloud, outlined the company’s view of the shift in a statement accompanying the announcement: “Global trade has never had intelligence. RAID changes that. Specialist AI Agents powered by the RAID will transform FMCG and supply chain professionals into decision-making gurus – delivering performance and efficiency across the supply chain. This is intelligent infrastructure unlocking growth and prosperity.”
Soumaya Hamzaoui, Chief Product Officer and Co-Founder of RedCloud, said the products are intended to support existing staff workflows before taking on more autonomous tasks in limited cases: “For years, FMCG and supply chain professionals have had to make critical decisions based on incomplete data. That era is over. Our specialized AI agents, powered by the RAID Engine, will focus on specialist workflows in support of our customer’s employees, in time working autonomously with human-in-the-loop oversight for larger decisions. This is how intelligent infrastructure is set to reshape the way software is presented to enable humans to inform their judgement and perform in their roles.”
Startup Moldova has announced partnerships with Unicorn Factory Lisbon, SeedBlink and the Ukrainian Startup Fund, linking the country’s startup sector more closely to European funding and acceleration networks.
The agreements were unveiled at the Startup Moldova Summit in Chișinău, which organisers said drew more than 2,000 participants, 150 startups, 60 speakers and international investors for its largest edition so far.
The new partnerships are intended to widen Moldovan founders’ access to acceleration programmes, investor networks and cross-border funding channels. Under one agreement, Unicorn Factory Lisbon and Startup Moldova will support local startups seeking entry to international acceleration programmes and expansion into EU markets.
Another partnership brings together Moldova Innovation Technology Park, Startup Moldova and the Ukrainian Startup Fund to support cross-border cooperation, improve access to finance and deepen integration with the wider European innovation system.
SeedBlink and Startup Moldova also plan to launch a crowdinvesting platform for Moldovan startups, designed to help companies raise money through syndicated investment rounds and connect with European angel investors.
The moves come as Moldova seeks to develop a small but growing technology sector. The country’s startup ecosystem now includes more than 300 companies and has been expanding by 20% year on year.
At the summit opening, Olga Melniciuc outlined the sector’s latest growth figures. “Moldova’s ecosystem has grown to over 300 companies, expanding by 20% year over year. In 2025 alone, startups generated over $60 million in revenue, created over 1,500 jobs, and attracted over $17 million in investment, demonstrating that startups are becoming a real driver of the country’s economic growth. The theme of the Summit – ‘Born in Moldova. Built for the World.’ – reflects the ambition of our founders, who are building companies designed to compete globally from day one,” said Olga Melniciuc, chief executive of Startup Moldova.
The figures point to a startup market that remains modest by regional standards but is trying to connect more directly with larger European capital pools. For countries on the edge of the EU, those links can matter as much as domestic policy in determining whether founders stay local or move abroad.
Moldova has also been trying to make its business environment more attractive to technology companies. Moldova Innovation Technology Park offers a 7% flat tax for eligible IT and digital activities, while the country is developing digital nomad and remote-work frameworks and preparing a fund of funds intended to widen access to venture and equity finance.
Officials have also highlighted efforts to digitise public services and business processes, including contactless business tools, e-governance measures and digital public infrastructure such as the EVO government app, which is intended to simplify public and business-facing services.
Regional links
The involvement of the Ukrainian Startup Fund underlines a wider regional dimension to Moldova’s approach. By building ties not only with western European organisations but also with neighbouring ecosystems, the country is seeking to position itself as a more connected part of the European startup map.
Sergiu Rabii, who leads the Innovate Moldova Programme funded by Sweden and the United Kingdom, said the agreements reflected a broader shift in how Moldovan founders are being connected to international markets and expertise. “These partnerships show that Moldova’s startup ecosystem is becoming more connected and internationally relevant. By improving access to capital, expertise and markets, Sweden and the United Kingdom are helping Moldovan founders scale faster and build companies with global potential,” said Sergiu Rabii, director of the Innovate Moldova Programme.
The European Union has also backed efforts to support entrepreneurship in Moldova through EU4Innovation East. That support reflects a broader push to strengthen startup structures in countries linked economically and politically to the bloc.
Julien Schmitt, director of the EU4Innovation East programme, said growth in the number of companies was increasing demand for stronger support systems and better financing routes. “Startup Moldova Summit 2026 reflects the continued progress of Moldova’s entrepreneurial ecosystem. For the second consecutive year, the European Union, through EU4Innovation East, is proud to support this platform that connects founders, investors and international markets. As the number of startups in Moldova grows, so does the need for stronger support structures and access to capital,” he said.
Summit focus
The event also featured a Startup Alley, where 42 startups presented their products, along with the national final of the Startup World Cup pitching competition. Ten startups pitched to a jury of international investors.
Prompted AI won the competition, while LyricFluent and Argus AI placed second and third.
-
Crime & Safety2 weeks agoBicester man denies sexually assaulting two young girls
-
Oxford News2 weeks agoBanbury cake company with 400 year history shut down
-
UK News2 weeks agoStarmer says it ‘beggars belief’ he wasn’t told about Mandelson vetting failure as he faces Commons – UK politics live | Politics
-
UK News1 week agoTV tonight: Shetland meets CSI in a new drama about a disgraced cop | Television
-
Crime & Safety3 weeks agoLorry overturns on Oxfordshire A43 roundabout with driver trapped
-
UK News2 weeks agoFears over rogue parking by sunrise-chasers at national park after overnight ban
-
Crime & Safety2 weeks ago‘A red kite stole my mother-in-law’s sausage rolls’
-
UK News4 weeks agoUkraine war briefing: Russian oil facilities burn as Zelenskyy tours Middle East | Ukraine