The Department for Science, Innovation & Technology releases a Cybersecurity Breaches Survey every year, detailing the facts and figures surrounding cyber attacks and concerns for businesses across the UK. In 2024, the survey discovered that 50% of businesses experienced a breach or attack of some sort – though the results for 2025 proved to be quite shocking.
Usually, when surveys like this are produced, the figures tend to trend upwards – as was the case in 2024, which saw an increase of nearly 18% from 2023. The shocking thing about this year’s survey is that reports of cyber breaches and attacks are down for businesses all over the country. Just over 43% of companies experienced a cyber issue this year, and more of the main figures are broken down for you below:
- 35% of micro businesses faced a cyber breach or attack (down from 40% last year)
- 42% of small businesses faced a cyber breach or attack (down from 49% last year)
- 67% of medium businesses faced a cyber breach or attack (down from 70% last year)
- 74% of large businesses faced a cyber breach or attack (down from 75% last year)
This data immediately tells us that small and micro businesses did a better job of controlling their cybersecurity habits in 2025. Comparatively, there’s not much change for larger and medium-sized companies – but why is that the case?
Smaller Businesses Improved Basic Cyber Hygiene
The 2025 survey was shocking in that it produced some pleasantly surprising information about small businesses and their approach to cyber hygiene. By cyber hygiene, we’re referring to the general practices a company undergoes to protect itself against cyber attacks and threats. Improvements amongst small and micro businesses can be put down to their increased willingness to work with cyber security companies, as well as concentrated efforts to invest in key areas that may have been lacking the year before.
Data from the survey backs this up, showing that small businesses improved in the following areas:
- 48% of small businesses now conduct cybersecurity risk assessments (Up 9% from 2024)
- 62% of small businesses took out cyber insurance (Up 13% from 2024)
- 59% of small businesses implemented formal cybersecurity policies (Up 8% from 2024)
- 53% of small businesses had business continuity plans that address cybersecurity (Up 9% from 2024)
There have been some clear steps in the right direction to help smaller businesses bolster their cyber defences and ward off breaches and attacks. These basic ideas weren’t as prevalent before, which could signify why so many more smaller businesses suffered threats in 2024 compared to 2025.
Perhaps the most interesting data point from the research focuses on the overall percentage of businesses carrying out cybersecurity risk assessments. Bizarrely, only 29% of all companies conducted one of these risk assessments – which is down 2% from the previous year. The intriguing thing about this is that you can see almost half of all small businesses now conduct cybersecurity risk assessments, and that’s an increase from 2024.
It’s clearly an area where other companies need to improve, as there’s a potential correlation between carrying out risk assessments and experiencing cyber breaches. Is it a coincidence that smaller companies put more effort into this part of cyber hygiene and saw a bigger drop in threats than larger companies? Perhaps, though the data would have you believe otherwise.
An Increased Need For Cyber Insurance
What’s also fascinating is that businesses saw a greater need for cyber insurance in 2025 than in any other previous year. Around 45% of all businesses obtained some form of cybersecurity insurance this year – though small and medium businesses were more likely to take out a policy, and by some distance.
- 62% of small businesses have a cyber insurance policy
- 65% of medium-sized businesses have a cyber insurance policy
The strange thing about these statistics is that you’d expect large businesses to be the most in need of cyber insurance. Looking back at the headline stats, almost three-quarters of large businesses experienced a cyber breach of some sort in 2025. Everyone is aware of the importance of cybersecurity for businesses, so why aren’t larger companies investing in insurance when they’re the most at risk of an attack?
Large Businesses Focus More On Prevention
While smaller businesses are more inclined to conduct risk assessments, large businesses are perhaps more focused on preventative measures within their organisations. One of the most dramatic statistics from the survey looked at staff training and awareness:
- Just 19% of all businesses implemented staff training and awareness in cybersecurity
- 76% of large businesses implemented staff training and awareness in cybersecurity
That’s arguably the biggest gulf out of all the information we’ve found, and it tells a valuable story. From looking at this, you can deduce that large businesses see internal problems as the biggest threat to their cybersecurity. Whether it’s from intentional data breaches or employee negligence leading to data breaches, there’s a clear worry that this is the weakest point in a large company’s cyber infrastructure.
It makes sense when you consider how many employees a large business will have compared with smaller ones. The survey categorises large businesses as companies with 250 or more employees. By comparison, medium businesses could have as few as 50 employees, while small and micro could have anywhere between 1 and 10. Some of the large businesses surveyed may have thousands of employees – and the more employees a company has, the more holes there are to plug up.
Is The Survey Good Or Bad News For Businesses?
It’s always hard to take these surveys and decide if they’re good or bad news. On the one hand, there has been a clear incentive for businesses without many employees to up their general cyber hygiene. More are working with external companies and implementing basic things like risk assessments to help tighten their security – and it’s clearly worked, with a significant drop in breaches for small and micro businesses over the last twelve months.
That being said, medium and large businesses may not find much to be happy about. The data shows these types of organisations are still the most at risk of threats, without a change from the last year. Perhaps it’s the jolt these businesses need to improve their cybersecurity measures even more.