Security News

Cybersecurity news aggregator

🎣
LOW Attacks The Register Security

Nearly half of UK businesses pwned last year as phishing keeps doing the job like it's 2005

  • What: Phishing remains a major cause of cyber incidents in UK businesses
  • Impact: Affects 43% of UK businesses and 28% of charities

Turns out the real problem is not AI but staff still clicking on dodgy emails from 'IT support'

Carly Page, Thu 30 Apr 2026 // 11:35 UTC

Nearly half of UK businesses are still getting breached, and in many cases, the attacker's big breakthrough is an employee clicking "sure, why not" on a fake login page.

The UK government's latest Cyber Security Breaches Survey, released on Thursday, puts the hit rate at 43 percent of businesses and 28 percent of charities reporting a cyber incident in the past year, equating to approximately 612,000 UK businesses and 57,000 UK charities, numbers that have barely budged since the last time it asked.

Most of these breaches do not start with anything especially cutting-edge. Phishing leads "by far," usually via impersonation emails that send staff to fake login pages or get them to click links, open attachments, or hand over sensitive information.

Everything else barely gets a look-in. Around 85 percent of businesses that reported a breach or attack said it involved phishing, leaving malware, ransomware, and unauthorized access trailing some distance behind.

Among businesses that report break-ins, about a quarter say they occur at least once a week, with a smaller share reporting daily occurrences. Charities are seeing attacks land more often, with the share reporting weekly incidents rising from 18 percent to 26 percent over the past 12 months.

Against that backdrop, there are signs that organizations are trying to get a grip of the problem. Around six in ten medium and large businesses report having a formal cybersecurity policy in place, and incident response planning and cyber insurance have both ticked up year on year. Larger organizations are consistently more likely to have these measures in place than smaller ones.

Policies on ransomware are still a bit of a mixed bag.
Around half of businesses (49 percent) and a third of charities (34 percent) say they have a rule not to pay up, about the same as last year. Plenty are still in the dark, with roughly a quarter of businesses and a fifth of charities saying they do not know what their policy is.

Most are covering the basics – at least two-thirds of organizations say they have things like updated malware protection, cloud backups, password rules, firewalls, and restricted admin access in place – but after that, it starts to tail off. Fewer report using measures such as two-factor authentication, formal data backup rules, policies on personal data storage, VPNs, or user monitoring.

What's more, among small businesses, some of the basics have slipped compared with last year. The proportion carrying out cyber security risk assessments has dropped to around four in ten, reversing earlier gains and suggesting those improvements have not stuck.

Supply chains remain another weak spot. Only around one in seven businesses say they review the risks posed by their immediate suppliers, and fewer go any further. The survey puts it at 15 percent checking direct suppliers and just 6 percent looking at the wider chain. Charities are lower again, at 9 percent and 4 percent, respectively.

Then there is the data itself. Around 14 percent of businesses and 22 percent of charities say they hold personal data that is not protected by measures like encryption or anonymization, which means if someone does get in, there is a decent chance they will find something useful.

Overall, breach rates remain high, and phishing continues to do most of the work.
The basics exist, they're just not applied everywhere they should be. ®
