Cyber Breaches Survey: Business Cybersecurity is at Risk

The financial and operational implications of cyber security breaches are reshaping business strategy across the UK, with new data suggesting that organisations must integrate cyber resilience into their growth plans.

According to the latest Cyber Breaches Survey, commissioned by the Department for Science, Innovation and Technology (DSIT) and the Home Office, 43% of businesses and 28% of charities reported having experienced a breach or attack in the past year.

The survey reveals critical insights into how cyber threats could impact business continuity, revenue protection and market competitiveness.

For organisations pursuing expansion or exploring new revenue streams, these findings highlight the commercial risks that inadequate cyber security could pose to growth trajectories.

Larger organisations face disproportionate targeting, with 69% of large businesses and 65% of medium-sized firms reporting incidents, compared with 46% of small businesses and 42% of micro organisations.

This targeting pattern suggests that as businesses scale and their market presence grows, their exposure to cyber threats increases proportionally, making security infrastructure a critical component of sustainable growth strategy.

Leadership prioritisation drives competitive advantage

The commercial case for cyber security is gaining traction in boardrooms, with 72% of businesses and 60% of charities now considering it a high priority, rising to 100% among large organisations.

This shift reflects a growing understanding that cyber resilience could directly influence customer trust, partner relationships and market reputation.

However, Muhammad Yahya Patel, virtual Chief Information Security Officer (vCISO) and Cyber security Advisor for EMEA at Huntress, suggests that strategic intent must translate into operational readiness.

"It's encouraging to see boardroom engagement starting to recover, but accountability without preparation is performative," Muhammad says. "Knowing cyber is a risk and having a tested plan for when it happens are two very different things."

The business implications extend to emerging technology adoption. "AI is growing the attack surface faster than most organisations can track.

When three in four businesses exploring AI have no security framework around it, you're building on an unstable foundation," Muhammad says.

For businesses leveraging artificial intelligence (AI) to drive efficiency gains or develop new products, this could represent a significant vulnerability in their innovation strategy.

Revenue impact escalates as threats evolve

Phishing affected 38% of businesses and 25% of charities over the past year, with 69% of organisations that experienced a breach ranking it as their most disruptive incident.

The proliferation of AI-generated phishing campaigns has lowered barriers for attackers, enabling more sophisticated targeting at scale.

More traditional threats such as ransomware appear to be less commonly reported, suggesting attackers are adapting their tactics to exploit different vulnerabilities.

77% of businesses and 69% of charities have implemented safeguards such as encryption or anonymisation, yet 14% of businesses and 22% of charities still hold unprotected personal data, creating potential regulatory and commercial exposure.

The financial consequences are intensifying. The proportion of businesses reporting financial loss from cyber incidents has more than doubled, rising from 2% to 5% year on year.

Reputational damage cases have climbed from 1% to 3%, indicating that high-impact incidents could increasingly threaten brand value and customer retention.

"The median cost disguises the real exposure," Muhammad says. "For the 5% of businesses experiencing revenue or reputational impact, the numbers are serious and those are just the ones that recognised and reported it.

The full cost of a breach is almost always larger than the initial assessment. In a digital economy, trust is your most valuable currency and it's the hardest thing to recover once a breach goes public."

Supply chain vulnerabilities threaten growth

For businesses pursuing partnerships, acquisitions or market expansion, supply chain cyber security represents a critical blind spot.

Only 15% of businesses and 9% of charities formally review cyber risks posed by immediate suppliers, while just 6% of businesses and 4% of charities assess wider supply chain vulnerabilities.

"Supply chain risk is where attackers are increasingly pivoting and this data shows the vast majority of UK businesses have essentially no visibility into it," Muhammad says.

Recent high-profile breaches including the Trivy incident (reported by TechCrunch in 2024), the Axios breach (disclosed in their security advisory) and the Rockstar Games hack via Anodot (widely reported in 2022) demonstrate how third-party vulnerabilities can compromise larger organisations.

Strategic preparedness varies significantly by organisation size. While 70% of large businesses and 57% of medium firms have formal cyber security strategies, smaller organisations lag behind.

Nearly a third of micro businesses consider cyber security a low priority, potentially limiting their ability to secure partnerships with larger enterprises that increasingly mandate supplier security standards.

These findings suggest that while awareness of cyber risk is improving, implementation gaps could constrain commercial opportunities.

As organisations integrate digital technologies into their growth strategies, the alignment between cyber security capabilities and business objectives may increasingly determine competitive positioning and market success.