Business & Technology
UK cyber survey shows stagnant breach preparedness
SHANNON WILLIAMS
News Editor
The UK Government has released its Cyber Security Breaches Survey 2026, prompting criticism from security specialists and legal experts who say progress remains limited.
The annual survey tracks the frequency and impact of cyber incidents across organisations of different sizes and sectors. It also examines how businesses and charities approach risk management, staff training and supply chain security.
Initial industry reaction points to what many describe as stagnation in key measures of preparedness, with phishing, supplier vulnerabilities and the position of smaller firms emerging as particular concerns.
Tom Kidwell, co-founder of security firm Ecliptic Dynamics and a former British Army and UK Government intelligence specialist, said the 2026 results suggest too few lessons have been learned from recent attacks on well-known consumer brands.
“After years of headline-grabbing cyber attacks, this survey feels depressingly familiar. Breach levels haven’t shifted, preparedness hasn’t improved, and despite all the noise around breaches causing serious damage to major brands like Marks and Spencer and the Co-Op, too many organisations are still failing to act. Talking about cyber security clearly isn’t the same as doing anything meaningful about it. Too many companies are still in the mindset that ‘it won’t happen to me.’”
Phishing remains the most commonly reported form of attack in the government study. Security practitioners argue that attackers are using increasingly sophisticated and targeted methods, often supported by artificial intelligence tools.
For Kidwell, the survey exposes a disconnect between the scale of the phishing threat and current investment in staff awareness programmes.
“What really stands out is phishing. It continues to dominate, and it’s becoming smarter, more targeted and more damaging thanks to advances in AI, yet the Government’s Cyber Security Breaches Survey shows that staff training levels remain considerably low. When fewer than one in five organisations train their people, it’s no surprise attackers keep walking straight through the front door,” he said.
Experts also single out supply chain exposure. The survey shows relatively low levels of structured risk assessment of immediate suppliers, despite a series of high-profile disruptions.
“The same applies to supply chain attacks. Despite Jaguar Land Rover hitting the headlines last year with one of the most significant supply chain attacks, amounting to almost £500m in losses, a measly 15% of companies review risks associated with their immediate suppliers. This is creating a glaring blind spot, one that attackers are increasingly exploiting,” Kidwell said.
Smaller organisations appear to be under particular pressure. The latest figures suggest some modest gains in basic security practices recorded in previous years have not been sustained.
“Small businesses are the biggest concern. Last year’s modest improvements in basic cyber hygiene have gone into reverse, with fewer risk assessments, fewer policies and weaker continuity planning. Companies appear to be abandoning the bare minimum required to keep their businesses secure,” Kidwell said.
Government awareness efforts receive some recognition from specialists, but they argue that publicity and campaigns have yet to translate into sustained improvements in resilience.
“Government campaigns such as the Cyber Aware campaign are being recognised a little more, which is encouraging, but awareness alone is clearly not building resilience. Until cyber risk is treated as a practical business issue, and not a compliance tick-box exercise, these numbers in the annual Cyber Breaches Survey won’t change,” Kidwell said.
He also questioned the wider response from law enforcement and government agencies to rising levels of cyber crime, arguing that better organisational defences must be matched by stronger efforts to disrupt the groups behind attacks.
“While awareness is clearly important and businesses need to play their role, a question to ask is how is the Government tackling this wave of crime? With such prevalence of the activity, what is being done to disrupt the actors conducting it? Defensive and preventative actions can only go so far, upstream disruption is required alongside this,” Kidwell said.
Legal specialists view the survey as further evidence of a gap between the severity of cyber risk and the way many boards approach the issue. They also point to nation-state threats and the complexity of global vendor networks as added pressures on governance.
Ross McKean, co-chair of the UK Data Protection and Cyber Response Practice at DLA Piper, said:
“While some welcome progress has been made, today’s figures show a persistent gap between the potential existential nature of cyber threats and board-level engagement, especially across smaller businesses. With nation state threat actors increasingly targeting Western organisations and global supply chains becoming ever more interconnected, there is a pressing urgency to close this gap, including by ensuring businesses consistently identify, assess and prepare for vulnerabilities across their third-party vendor networks and take steps to defend against new technologies such as AI which potentially render current vulnerability patching practices redundant.”
McKean argued that boards should incorporate cyber considerations into broader resilience planning and crisis management, with clear priorities for keeping critical functions running after an incident.
“As a first step, all organisations, no matter their size, should have a clear picture of their ‘minimum viable business’ and urgently establish tested and effective workarounds that allow them to keep going should primary systems be offline. Fundamentally cyber risk is a business resilience, board level consideration,” McKean said.
UK cyber breach survey bolsters call for legal reform
SHANNON WILLIAMS
News Editor
The UK Government has released the latest Cyber Security Breaches Survey for businesses and charities, highlighting the scale of cyber incidents affecting organisations across the country.
The annual study found that 43% of UK businesses experienced a cyber security breach or attack, compared with 28% of charities. The results form part of official tracking of how organisations manage digital risk and respond to incidents.
Cyber security advocates say the figures expose persistent structural weaknesses in the UK’s legal and governance framework, arguing that current law does not reflect how modern defenders work or how criminal groups operate.
A spokesperson for the CyberUp Campaign said the survey strengthens the case for reform of the Computer Misuse Act, which dates from 1990. The campaign is a coalition of cross-party parliamentarians, academics and industry groups focused on the legal environment for cyber professionals.
“Today’s findings should be a wake-up call. The UK cannot keep warning about the scale of the cyber threat while leaving legitimate cyber professionals constrained by laws written for a different age. Other countries have already moved to protect legitimate cybersecurity activity while keeping strong powers to prosecute criminals, but the UK is falling behind. Without a clear statutory defence, we risk holding back the people working to find vulnerabilities, gather threat intelligence and stop attacks before they cause harm. The Government has rightly recognised cyber resilience as a national priority through the Cyber Security and Resilience Bill and its wider work to strengthen the UK’s cyber defences. But that ambition will fall short unless ministers also modernise the Computer Misuse Act. Reform would strengthen our national resilience, support the UK’s cyber sector and ensure the law targets malicious actors, not those protecting the public,” said a spokesperson for the CyberUp Campaign.
The CyberUp coalition has called for a statutory defence to give legal certainty to penetration testers, threat intelligence analysts and other security specialists. It argues that the current rules risk deterring legitimate research and testing that could identify weaknesses before criminals exploit them.
The survey also examines governance and board oversight of cyber risk. It found that more boards now hold formal responsibility for cyber security, although direct engagement remains patchy.
Jay Kaplan, chief executive officer and co-founder of Synack, said the data points to a gap between stated board responsibility and practical oversight.
“This year’s Cyber Security Breaches Survey shows boards taking on more responsibility for cyber on paper while paying less attention to it in practice. Board-level responsibility rose from 27% to 31%, which looks like progress on paper. But the share of medium-sized business boards receiving at least annual cyber updates dropped from 78% to 70%. This signals more accountability with less visibility.
“The fix requires speaking the board’s language. Vulnerability management needs to be a corporate goal, not just a security team metric. Frame a breach in terms the board understands: what does it cost the business for every hour critical systems are offline? That calculation changes how leadership prioritises investment far more than any compliance report will. And once a year isn’t enough in a threat landscape that moves in hours. Boards need a continuous read on what’s actually exploitable, what it would cost the business to lose, and what’s been validated against real attack conditions,” said Kaplan.
Okta finds AI agent governance lags enterprise adoption
Okta has released its annual Businesses at Work report on identity management and AI governance, finding that most organisations are using AI agents without a comprehensive strategy to govern them.
The findings highlight a gap between board-level concern and operational controls as companies expand their use of autonomous systems. Globally, 99% of C-suite leaders view Identity and Access Management as important to AI adoption, while 58% identify AI agent governance and oversight as their top security concern.
Even so, 90% of organisations do not yet have a comprehensive strategy for governing autonomous agents. The report also found that 91% of enterprises surveyed are already using AI agents, although most remain in early or limited deployment stages.
The research drew on anonymised data from more than 8,000 enterprise integrations in the Okta Integration Network. It portrays businesses moving quickly to introduce AI-driven tools while control frameworks lag behind.
Governance gap
One of the clearest findings is the uneven treatment of AI systems compared with human users. Only 32% of organisations govern AI agents with the same level of scrutiny applied elsewhere, leaving a significant share of non-human activity outside established oversight processes.
That matters because non-human identities are becoming more common across enterprise systems. The report found that 42% of organisations now have widespread use of non-human identities, suggesting autonomous software is moving into routine business operations rather than remaining in isolated pilots.
Okta linked that trend to a broader rise in governance activity. Access requests per company increased 158% year on year and 1,140% over two years, indicating a sharp increase in the amount of access organisations are trying to monitor and manage.
Service account governance also rose quickly, with centrally managed non-human identities up 650% year on year. That suggests many businesses are laying the administrative foundations for more extensive use of automated systems, even if formal governance of AI agents remains incomplete.
Security pressure
The report also highlights a widening mismatch between the pace of threats and the pace of defensive upgrades. It says the threat landscape is accelerating 6.3 times faster than organisations are adopting high-assurance protections, creating what it describes as a phishing gap.
Credential-based attacks remain a central risk. They account for 60% of all security incidents and 88% of web application breaches, reinforcing the importance of login controls and authentication policies in reducing exposure.
At the same time, the data suggests companies are putting more effort into stronger authentication methods. FastPass phishing-resistant authentications grew 81% year on year, pointing to increasing adoption of passwordless and phishing-resistant approaches.
These shifts come as regulators and policymakers place greater focus on accountability in AI systems. For businesses operating in Europe, governance around access, authentication and oversight is likely to face closer scrutiny as AI compliance obligations take shape.
Regional stakes
The report places particular emphasis on EMEA organisations as they assess how identity controls apply to AI tools and agents. The issue is not simply whether businesses are adopting AI, but whether they can establish clear lines of control over systems that may act autonomously across applications and workflows.
Industry forecasts cited in the report point to further growth in this area. Gartner predicts that 40% of enterprise applications will feature task-specific AI agents by the end of 2026, up from less than 5% in 2025, suggesting identity governance questions are likely to spread well beyond early adopters.
That projection helps explain why senior executives are paying closer attention. More than half of C-suite leaders surveyed, 52%, said IAM is very important to AI adoption, up from 46% in 2024, indicating growing concern as AI moves deeper into day-to-day operations.
For Okta, the results underline a tension between adoption and control. Businesses appear willing to introduce AI agents into the enterprise, but many have not yet matched that rollout with the same governance discipline used for employees, contractors or conventional service accounts.
Matt Ellard, General Manager EMEA at Okta, said: “For organisations across EMEA, the challenge now is to make sure governance catches up with AI adoption. As AI agents take on more operational roles, identity is what gives businesses the visibility and control to deploy them responsibly.”
Oxford business owners concerned about cybercrime and fraud
A total of 47 per cent of business owners revealed they are most concerned about online fraud and cybercrime.
Meanwhile, 39 per cent of respondents also claimed they were concerned about damage to property.
35.3 per cent of business owners also revealed they were worried about anti-social behaviour impacting their businesses.
Tool theft was also a concern, named by 31.7 per cent of businesses.
Meanwhile, only 17 per cent of owners named shoplifting as a concern, 19 per cent named in-person fraud, and 19 per cent of fraud.
Respondents also answered what is holding their business back, with 48 per cent of businesses stating that finding staff with the right skills is a concern.
34 per cent of businesses also stated energy costs as a limit on their business.
Meanwhile, only 10 per cent of respondents claimed a fear of crime was holding their business back.
Planning applications, local regulations, availability of property, parking, public transport, and lack of demand were also identified as a limit to local businesses.
The survey conducted by police and crime commissioner for Thames Valley, Matthew Barber, has revealed the crimes business owners are most concerned about.
The survey also asked businesses what type of business they are, how many employees they have, what taxes affect their business the most, and what is holding their business back.
Businesses identified corporation tax, national insurance, and VAT as the taxes affecting them most.
Retail businesses, hospitality services, professional services, IT businesses, agriculture businesses, and arts and entertainment services were all part of the survey.
