Cyber Rebels

The State of UK Cyber Resilience: What the 2025/2026 Breaches Survey Really Shows

A supplier email lands while someone is closing off invoices. A login prompt appears while a manager is moving between systems. A charity administrator receives a document request that appears to relate to a real funding conversation. A team member working from home needs access to a shared file before a meeting starts.

None of these moments feels dramatic. Nobody involved is likely to think, “This is the point where cyber resilience is being tested.” They are trying to complete a task, keep work moving, respond to someone they trust, or remove friction from the day.

That is the useful lens for reading the Cyber Security Breaches Survey 2025/2026. The report is not just a record of breaches, attacks, controls and governance measures. It is a national snapshot of how prepared UK organisations are for the decisions people make when cyber risk appears inside ordinary work.

The survey, commissioned by the Department for Science, Innovation and Technology and the Home Office, explores cyber resilience across UK businesses, charities and educational institutions, although education is covered separately in an annex. For this article, the focus is deliberately on the main business and charity findings. The latest release was published on 30 April 2026, with quantitative survey work and qualitative interviews carried out between August and December 2025.

The most useful question is not whether organisations have heard of cyber threats. Most have. The better question is whether they have built the habits, judgement, verification routes and escalation confidence needed when cyber risk appears inside a request that looks normal, timely and useful.

This is why the survey deserves attention from business owners, charity leaders, senior teams and anyone responsible for people, systems or operations. The findings are not only about cyber incidents after they happen. They are about the conditions that exist before they happen: how work is organised, how decisions are made, how staff respond to familiar requests, and whether cyber security is embedded into the way people actually operate. If those decisions are left informal, they do not disappear. They continue to happen through habit, trust, speed and convenience.

The survey shows a stable but serious national picture

The first thing to take from the survey is that cyber risk is not sitting outside normal organisational life. It is already part of it. Businesses and charities are not dealing with an occasional abstract threat that only becomes relevant during an IT project or after an incident. They are operating in an environment where cyber activity is common enough to require practical preparation.

Just over four in ten businesses, 43%, and just under three in ten charities, 28%, reported experiencing some kind of cyber security breach or attack in the previous 12 months. The report estimates this equates to approximately 612,000 UK businesses and 57,000 UK charities. It also makes an important caution clear: the survey only includes breaches and attacks that organisations were able to identify and willing to report, so the true level is likely to be higher than the reported figures.

That last point matters because cyber resilience is partly about visibility. An organisation can only report what it notices. Smaller organisations in particular may have fewer monitoring tools, less specialist support and less formal reporting activity, which means lower reported prevalence does not always mean lower exposure.

At the same time, this should not be turned into a panic story. Overall prevalence remained broadly in line with last year. The previous 2025 survey also reported 43% of businesses and 30% of charities identifying a breach or attack, after business prevalence had fallen from 50% in 2024 to 43% in 2025.

So the story is not that everything is suddenly getting worse. The more accurate reading is that cyber risk has become a steady feature of UK organisational life. It is serious enough to require attention, but ordinary enough that many organisations still manage it through partial controls, informal habits and uneven training.

The size pattern reinforces this. Medium and large businesses were more likely to identify breaches or attacks in the 2025/2026 survey, with 65% of medium businesses and 69% of large businesses reporting incidents, compared with 42% of micro businesses and 46% of small businesses.

That does not mean large organisations are simply “worse” at cyber security. Larger organisations tend to have more staff, more accounts, more suppliers, more systems, more communication channels and often better detection capability. Smaller organisations may have fewer moving parts, but they may also be less likely to spot or formally record what is happening.

The national picture is therefore steady, but not simple. Cyber risk is widespread, but it appears differently depending on size, structure, resources and maturity. That is why businesses and charities should take notice before turning the survey into either reassurance or alarm. The value is in asking where their own ordinary work creates similar decision points.

Phishing remains the clearest sign that cyber is a decision problem

Phishing continues to dominate because it rarely arrives as a dramatic event. It appears while someone is already doing something useful: processing an invoice, checking a document, responding to a supplier, helping a colleague, managing a donation, or moving between systems.

That is why phishing remains such an important finding in the survey. It was still the most prevalent type of breach or attack, experienced by 38% of businesses and 25% of charities. Among organisations that had experienced a breach or attack, phishing was also named as the most disruptive type by 69% of both affected businesses and affected charities.

Those figures are useful, but the behaviour behind them is more important. Phishing is not staying relevant because nobody has heard of it. Most people have been told about suspicious links, unexpected attachments, spelling mistakes and strange sender addresses. The problem is that real phishing often appears in a cleaner, more believable context than the examples people remember from training.

A message arrives at the right time. It refers to a supplier that exists. It matches a conversation already happening. It appears to come from a known colleague, client, trustee or platform. The requested action is small enough to feel routine: open this, confirm this, approve this, update this, sign in here.

The decision is not usually framed as “should I ignore cyber security?” It is framed as “does this fit the work in front of me?” If it does, acting can feel reasonable.

The 2025/2026 survey also shows that, among organisations that experienced a breach or attack, the proportion whose only type of incident was phishing increased for both businesses and charities. Among affected businesses, this rose from 45% last year to 51% this year. Among affected charities, it rose from 46% to 57%.

That does not remove the importance of other threats, but it does show why phishing remains central to cyber resilience. It is the place where everyday judgement is repeatedly tested. The issue is not simply whether someone can spot a suspicious email in isolation. It is whether they can recognise when a normal-looking request deserves a second route of verification.

For businesses and charities, this matters because phishing does not usually interrupt work from the outside. It blends into work that already exists. If staff only recognise phishing when it looks obviously wrong, the organisation remains exposed to the more difficult moments: the request that fits the day, the sender that looks familiar, and the action that feels like the easiest way to keep moving.

Cyber hygiene is improving, but unevenly

The report does not show organisations doing nothing. That is important. Many businesses and charities have basic controls in place, and some areas show improvement. The problem is that cyber hygiene is not only a question of whether a control exists. It is whether the control survives contact with real work.

A password policy can exist, but staff still have to manage access under pressure. Two-factor authentication can be enabled, but people still need to understand why it matters and what to do when prompts become confusing: an approval prompt that nobody requested should be declined and reported, not approved to make it go away. A VPN can be available, but remote workers still need a practical route that does not push them towards shortcuts when time is tight.

The 2025/2026 survey found that many organisations had implemented basic technical controls, including updated malware protection, cloud backups, password policies, firewalls and restricted admin rights. However, adoption was lower for controls such as two-factor authentication, used by 47% of businesses and 38% of charities, and VPNs for staff connecting remotely, used by 36% of businesses and 17% of charities.

This is where the behaviour layer matters. Controls that create friction need to be understood and normalised, otherwise people may work around them. In a busy environment, the fastest route often feels like the most sensible route, especially when the task itself is legitimate.

There are positive signs. Micro businesses saw increases in some practical controls, including only allowing access via company-owned devices, requiring two-factor authentication and using external cyber security providers. That suggests some smaller organisations are strengthening their foundations in ways that are realistic for their size.

But the picture is not consistent. After improvements last year, small businesses returned to earlier levels in areas such as cyber security risk assessments, formal cyber security policies and cyber-related business continuity plans.

That is not a reason to blame small businesses. It is a reason to understand the pressure they operate under. Small businesses often sit in a difficult middle ground. They may have grown beyond informal owner-led decision-making, but not yet have the governance, budget or specialist support of a larger organisation. More people have access. More suppliers become involved. More cloud tools are used. More decisions are spread across more roles.

Cyber hygiene becomes harder to sustain when the organisation is changing faster than its processes. The risk is not that nobody cares. The risk is that secure habits are not yet built deeply enough into how work happens.

This is why businesses should pay attention to hygiene findings as more than a control checklist. Controls are only useful if people can apply them while doing the job. Where secure processes feel unclear, slow or detached from real work, people will often rely on judgement in the moment. That judgement needs support.

The real gap is training and practised judgement

This is where the survey becomes most revealing. If cyber risk is appearing inside routine work, then staff need more than occasional reminders that threats exist. They need practice recognising what risk looks like when it feels familiar, urgent, useful or expected.

Yet staff training and awareness raising remained limited. The report found that 19% of businesses had provided cyber security training or awareness raising in the last 12 months, the same as the previous year. Among charities, the figure fell from 21% to 17%, driven by a decline among low-income charities.

This is one of the clearest gaps in the whole survey. Many organisations recognise that cyber matters, but fewer are regularly preparing people for the decisions that matter most.

Those decisions rarely look like textbook cyber moments. A member of staff has to decide whether to question an instruction from someone senior. A finance worker has to decide whether a change in payment details needs independent confirmation. A charity employee has to decide whether a request linked to a donor, trustee or beneficiary feels normal enough to act on. A remote worker has to decide whether to use a faster workaround when the secure route feels awkward.

Why does the less secure decision sometimes make sense? Because the person is trying to complete legitimate work. They are responding to pressure, familiarity, trust, authority, convenience or the expectation that things should keep moving.

Training that only explains cyber threats in general terms will always struggle with that reality. The real value is in helping people practise judgement inside the situations they actually face. That means recognising when something that fits the task still deserves verification. It means knowing how to pause without feeling obstructive. It means escalating uncertainty before it becomes an incident.

This is where organisations should take notice. If staff are already making cyber-relevant decisions during finance tasks, supplier communication, remote working, leadership requests, charity administration or customer service, then training is not an optional extra sitting outside the work. It is part of making the work safer, clearer and more consistent. Without that practice, the same moments continue to rely on individual confidence, memory and judgement under pressure.

The previous 2025 survey also showed low training levels, with around a fifth of businesses and charities providing some form of staff training in the previous 12 months. The 2025/2026 survey therefore does not suggest a sudden collapse. It shows a persistent gap.

That persistence is the point. Cyber resilience is not built by awareness existing somewhere in the organisation. It is built when people repeatedly practise the decisions that protect normal work.

Senior priority has to reach the point of action

The training gap also makes the senior leadership findings more important. Many organisations say cyber security matters at the top. The harder question is whether that priority reaches the person making the decision at the point of work.

In the 2025/2026 survey, cyber security was considered a high priority for senior management in 72% of businesses and 60% of charities. Board-level responsibility sat lower, at 31% of businesses and 30% of charities, although businesses did see an increase from 27% the previous year.

That is a useful distinction. Priority is not the same as embedded culture. A leadership team can discuss cyber risk, include it on a risk register, approve policies, renew insurance and still leave staff uncertain about what to do when a request looks legitimate but feels slightly off.

The decision does not happen in the boardroom. It happens when someone is halfway through a task.

A director may receive a cyber update in a meeting. Everyone may agree that cyber security is important. But later, a staff member still has to decide whether to challenge a supplier request, report a suspicious login, verify an unexpected instruction or pause a process that appears to be urgent.

If the culture around those moments is unclear, people will make the decision that feels safest socially and operationally. They may keep the task moving because they do not want to delay work. They may avoid questioning someone senior because it feels uncomfortable. They may decide not to report something because they are unsure whether it is serious enough.

This is where leadership priority needs to become visible. Not through more concern, but through clearer expectations. People need to know that verification is part of good work, that escalation is not overreaction, and that pausing at the right moment is a professional decision rather than an inconvenience.

For charities, the leadership picture deserves particular care. The 2025 survey found that 68% of charities said cyber security was a high priority for senior management. In 2025/2026, that figure fell to 60%, driven by low-income charities.

This does not suggest charities suddenly stopped caring. It suggests competing pressures may be making cyber harder to keep visible. That is exactly why cyber resilience needs to be embedded into normal leadership, staff and operational decisions, rather than relying on occasional attention when the subject becomes urgent.

Different organisation sizes face different decision pressures

The survey also shows why cyber resilience cannot be treated as one problem. As organisations grow, the decision environment changes.

In a micro business, cyber decisions are often close to the owner or a very small team. The same person may handle invoices, client communication, passwords, cloud tools, supplier access and device decisions. That can make communication fast, but it can also make cyber resilience depend heavily on individual judgement. When everything is informal, good habits matter because there may not be much process to fall back on.

In a small business, the pressure changes. The organisation may now have staff, shared systems, customer data, suppliers, remote access and more formal responsibilities, but still lack the support structure of a larger organisation. This is where cyber tasks can become everyone’s responsibility and nobody’s clear role. The survey’s finding that small businesses returned to earlier levels on some formal practices, including risk assessments and cyber-related business continuity plans, fits that picture.

In a medium business, the challenge becomes coordination. More people are involved in more workflows. Decisions are spread across departments. A policy may exist, but the practical question is whether it is understood consistently by the people handling payments, systems, clients, suppliers and data. The survey found that 65% of medium businesses identified a breach or attack, and almost six in ten medium businesses had a formal cyber security strategy.

That combination matters. Formal strategy is useful, but it does not remove the need for behaviour. The organisation may know what it wants to happen. The test is whether people can apply that expectation when the situation is live, pressured and ambiguous.

In a large business, the issue is usually not total absence of structure. Large organisations are more likely to have formal strategies, board-level responsibility and incident response plans. The 2025/2026 survey found that around seven in ten large businesses had a formal cyber security strategy, and 68% had board-level responsibility for cyber security.

The challenge is scale. Large organisations have more systems, more teams, more handovers, more suppliers and more distance between policy and action. A policy can be strong and still fail to shape a decision if the person making that decision does not recognise the moment as one where the policy applies.

Across all sizes, the lesson is the same but the environment changes. Cyber resilience has to fit the organisation people are actually working in. A micro business does not need the same structure as a large enterprise, but both need people to make better decisions when work creates pressure.

That is why the survey should prompt reflection rather than comparison. The useful question is not whether an organisation looks better or worse than another size category. It is whether its current level of structure matches the decisions its people are already making.

Charities face the same decisions under mission pressure

Charities face many of the same cyber decisions as businesses, but they often make them under a different kind of pressure. A commercial organisation may talk about continuity, customer trust and operational efficiency. A charity is often also thinking about beneficiaries, donors, volunteers, trustees, funding deadlines and the need to keep services running with limited resources.

That matters because cyber security can feel like one more demand on already stretched teams. If a service needs to run, a beneficiary needs support, a funding report needs submitting or volunteers need coordinating, the most visible pressure is usually the mission. Cyber may be recognised as important, but not always immediate.

The 2025/2026 survey found that 28% of charities identified a cyber breach or attack in the previous 12 months. It also found that cyber security being considered a high priority among charities fell from 68% in 2024/2025 to 60% in 2025/2026, while staff training and awareness raising fell from 21% to 17%, driven by low-income charities.

This should not be read as indifference. It is better understood as resource pressure. Low-income charities may be trying to maintain essential work while dealing with restricted budgets, staffing constraints and operational demand.

The decision moment in a charity is often deeply human. A trustee asks for a document. A donor query comes in. A volunteer needs access. A beneficiary record needs updating. A funding platform sends a prompt. The person responding is trying to protect the work, not create risk.

That is why charity cyber security needs careful language. It should not be framed as another burden. It should be framed as part of protecting trust, continuity and responsible service delivery.

The useful question for charities is not “do you care about cyber?” It is “where do your people already make decisions involving data, access, communication, money, systems or trust, and are they supported in those moments?”

That question matters because mission pressure does not remove cyber risk. It changes how cyber risk is experienced. When work is urgent, under-resourced and people-centred, the decision to keep moving can feel especially reasonable. Cyber support has to respect that reality.

Supplier trust and AI convenience show where the next decisions are forming

The same pattern becomes clearer when looking at areas that are less mature or harder to manage consistently. Supply chain risk and AI risk may look different on paper, but in practice both depend on everyday judgement.

Supply chain risk often begins with trust that has already been earned. A supplier is known. The platform is familiar. The contact name is recognised. The organisation has worked with them before. That familiarity is useful, but it can also reduce scrutiny when something changes.

A supplier sends a new link. A software provider asks someone to confirm access. A managed service provider requests approval for a configuration change. An invoice arrives with amended payment details. The request fits the relationship, so proceeding feels reasonable.

That is why the supplier figures matter. Only 15% of businesses and 9% of charities said they reviewed the cyber risks posed by immediate suppliers. Wider supply chain review was even lower, at 6% of businesses and 4% of charities.

These figures were broadly similar to the previous report, where 14% of businesses reviewed immediate supplier risk and 7% looked at the wider supply chain, with charities again at 9% and 4%.

The point is not that every organisation needs a complex supplier assurance programme overnight. The point is that supplier trust should not replace verification. Procurement checks, contracts and questionnaires are useful, but supply chain cyber risk also appears later, inside ordinary communication and system access. A change of bank details or an unexpected sign-in link should be confirmed through a channel the organisation already holds for that supplier, such as a phone number on file, rather than through the contact details supplied in the message itself.

AI introduces a similar issue through convenience. Someone uses an AI tool to summarise meeting notes, draft a donor email, analyse customer feedback, prepare a client update or speed up internal admin. The tool helps them work faster, which is exactly why the decision feels reasonable.

The 2025/2026 survey found that around a third of businesses and a quarter of charities were using AI, adopting it or actively considering it. Among those organisations, only around a quarter reported having cyber security practices or processes in place to manage AI risks.

This should not be turned into a dramatic warning that AI is automatically dangerous. The practical issue is more grounded. What information can be entered? Which tools are approved? What outputs can be trusted? When does a person need to check the result? How does the organisation stop convenience becoming uncontrolled disclosure?

AI risk, like supplier risk, becomes real in the moment someone decides what to trust and what to share. It is another example of cyber security moving into ordinary work faster than many organisations can formalise it.

That is why businesses and charities should not wait for supply chain and AI questions to become major incidents before giving them attention. These are already working decisions. They are already happening in procurement, operations, finance, admin, fundraising, communications and leadership. The earlier they are recognised as judgement issues, the easier they are to handle calmly and practically.

Incident response shows why behaviour can become visible too late

Incident response is where hidden decision-making becomes visible. Before an incident, a small uncertainty can feel too minor to report. After an incident, that same moment may be recognised as the point where earlier escalation would have helped.

The survey found that formal incident response plans were not yet widespread, reported by 25% of businesses and 19% of charities. These plans were much more common in larger organisations, with 57% of medium businesses and 76% of large businesses having one, compared with 21% of micro businesses.

That matters because the first response to a potential incident is often not technical. It is human.

Someone notices something unusual. A system behaves differently. A link has already been clicked. A payment may have been changed. A suspicious login prompt appears. A file has been shared in the wrong place. A staff member is unsure whether what happened is serious enough to mention.

The decision is whether to say something now or wait. Whether to escalate even if it might be nothing. Whether to preserve evidence. Whether to tell a manager, IT provider, trustee, director or colleague.

Those decisions are shaped by confidence and culture. If people fear blame, they may delay. If they are unsure what counts as reportable, they may keep quiet. If they believe escalation will cause disruption, they may try to fix things quietly themselves.

The survey also found that after a breach or attack, 61% of businesses and 57% of charities took action to prevent future incidents. The most common action was people or training changes, reported by 31% of businesses and 37% of charities.

That is one of the strongest behaviour-led findings in the report. When something happens, organisations often recognise that people, communication and training need attention. The better move is to build that confidence before an incident forces the conversation.

Incident response is not only about having a document. It is about whether people know what to do when something does not feel right, and whether they feel safe enough to act early.

This is why the survey should prompt action before an incident, not only after one. If an organisation already knows that people and training are often part of the post-incident response, it makes sense to strengthen those areas while decisions are still ordinary, calm and manageable.

UK cyber resilience is a decision-making challenge

The 2025/2026 Cyber Security Breaches Survey does not show a country that knows nothing about cyber security. It shows a country where cyber security is recognised, discussed and partially controlled, but not always translated into everyday decisions.

That distinction matters.

Many businesses and charities have technical controls. Many senior teams say cyber is a priority. Some micro businesses are improving practical safeguards. Some larger businesses are strengthening governance. Cyber Essentials adoption among businesses also increased from 3% in 2024/2025 to 5% in 2025/2026, driven by increases among large and small businesses.

There are positive signs in the report, and they should not be ignored.

But the recurring gap is still clear. Phishing remains dominant. Training remains limited. Supplier risk reviews remain uncommon. AI governance is still catching up with adoption. Incident response planning is uneven. Charities appear to be facing reduced prioritisation and training activity at the same time as mission pressures continue.

The state of UK cyber resilience is therefore not best understood as a simple lack of awareness. It is better understood as a decision-making gap.

Cyber risk becomes real when a message arrives, a request looks familiar, a supplier seems trusted, a system prompt feels routine, a tool offers convenience, or a person has to decide whether to continue, verify or escalate.

Those moments are where resilience is either strengthened or weakened. They are also where organisations need to focus more attention.

Not through fear. Not through blame. Not by treating staff as the problem.

The practical lesson from the survey is that cyber resilience depends on helping people make better decisions in the conditions they actually work in. That means building judgement around urgency, familiarity, authority, trust, convenience and routine. It means making verification feel normal. It means making escalation feel safe. It means helping leaders turn cyber priority into visible behaviour across the organisation.

For UK businesses and charities, that is the real message of the 2025/2026 survey. Cyber security is no longer a separate issue that only appears during incidents, audits or IT projects. It is part of ordinary work. The organisations that recognise that can begin to ask a more useful question: where are our people already making cyber-relevant decisions, and how well are we supporting them in those moments?

That does not require fear, blame or dramatic messaging. It starts with looking honestly at how work happens, where pressure appears, and where verification or escalation needs to feel normal. From there, behaviour-led cybersecurity training becomes a practical way to help people make clearer decisions before those decisions become incidents.

Andy Longhurst, Director of Training and Development, Cyber Rebels. Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure. With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices. He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments. Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.