Cyber Breaches Survey: Phishing & Supply Chain Risks Soar

Cyber Breaches Survey is commissioned by the Department for Science, Innovation and Technology (DSIT) and the Home Office | Credit: Getty
UK's Cyber Breaches Survey reveals the attack surface where phishing is the most disruptive threat, while supply chain visibility lags severely behind

Cyber attacks wreak havoc in a significant share of UK organisations, with the latest Cyber Breaches Survey revealing that 43% of businesses and 28% of charities reported having experienced a breach or attack in the past year.

Commissioned by the Department for Science, Innovation and Technology (DSIT) and the Home Office, the survey helps us understand the range of cyber threats facing UK organisations and their level of preparedness.

The lion’s share of attacks are focussed on the larger organisations.

Around 69% of large businesses and 65% of medium-sized firms reported incidents, compared with 46% of small businesses and 42% of micro organisations.

Encouragingly, senior leadership attention is holding steady.

Cyber security is considered a high priority by 72% of businesses and 60% of charities, rising to 100% among large organisations.

“It's encouraging to see boardroom engagement starting to recover, but accountability without preparation is performative,” says Muhammad Yahya Patel, vCISO and Cybersecurity Advisor for EMEA at Huntress.

Muhammad Yahya Patel, vCISO and Cybersecurity Advisor for EMEA at Huntress | Credit: LinkedIn

“Knowing cyber is a risk and having a tested plan for when it happens are two very different things.

“AI is growing the attack surface faster than most organisations can track. When three in four businesses exploring AI have no security framework around it, you're building on an unstable foundation.”

Phishing dominates as the most disruptive cyber threat

The most common and disruptive attack of the past year was phishing.

It affected 38% of businesses and 25% of charities, and was also ranked as the most disruptive incident by 69% of organisations that experienced a breach.

With AI able to generate phishing emails that do not arouse suspicion en masse, attacks that exploit human vulnerability unsurprisingly rank high.

At the same time, more traditional high-profile threats such as ransomware appear to be less commonly reported, suggesting a shift in attacker tactics rather than an overall reduction in risk.

Considering the rising risk, most organisations report taking steps to protect sensitive information. 

Percentage of businesses, by size, over time where cyber security was seen as a high priority for directors, trustees and other senior managers | Credit: gov.uk

Around 77% of businesses and 69% of charities have safeguards such as encryption or anonymisation in place. 

However, a notable minority still fall short, with 14% of businesses and 22% of charities holding unprotected personal data.

Financial and reputational impact of breaches

While the overall number of breaches has remained relatively stable, the consequences are becoming more serious. 

The proportion of businesses reporting financial loss from cyber incidents has more than doubled, rising from 2% to 5% year on year.

Similarly, reputational damage is increasing, with reported cases climbing from 1% to 3%. 

Though these figures may appear small, they point to a growing subset of high-impact incidents.

“The median cost disguises the real exposure,” Muhammad notes. 

“For the 5% of businesses experiencing revenue or reputational impact, the numbers are serious and those are just the ones that recognised and reported it. 

“The full cost of a breach is almost always larger than the initial assessment. 

“In a digital economy, trust is your most valuable currency and it's the hardest thing to recover once a breach goes public.” 

Supply chain blind spots and preparedness gaps persist

2026 is increasingly shaping up to be the year of the supply chain, with a number of hard hitters such as the Trivy breach, the Axios breach and the Rockstar Games hack that came from the Anodot breach. Against that backdrop, the survey data on supply chain visibility does not bring much peace.

Percentage of organisations that have rules or controls in place | Credit: gov.uk

Only 15% of businesses and 9% of charities said they formally review cyber risks posed by immediate suppliers.

The wider supply chain shows a starker gap, with just 6% of businesses and 4% of charities doing their due diligence.

At a time when attackers are increasingly targeting third-party relationships as a route into larger systems, the figures are disturbing. 

“Supply chain risk is where attackers are increasingly pivoting and this data shows the vast majority of UK businesses have essentially no visibility into it,” Muhammad points out.

Preparedness also varies widely by organisation size. 

While 70% of large businesses and 57% of medium firms have a formal cyber security strategy, smaller organisations lag behind. 

Alarmingly, nearly a third of micro businesses consider cyber security a low priority.

Together, these findings suggest that while awareness of cyber risk is improving, action is not keeping pace. 

As threats evolve and the attack surface expands, particularly with emerging technologies, the gap between perception and preparedness may prove to be one of the biggest risks facing UK organisations.
