SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
UK cyber survey shows stagnant breach preparedness

Fri, 1st May 2026
Shannon Williams, News Editor

The UK Government has released its Cyber Security Breaches Survey 2026, prompting criticism from security specialists and legal experts who say progress remains limited.

The annual survey tracks the frequency and impact of cyber incidents across organisations of different sizes and sectors. It also examines how businesses and charities approach risk management, staff training and supply chain security.

Initial industry reaction points to what many describe as stagnation in key measures of preparedness, with phishing, supplier vulnerabilities and the position of smaller firms emerging as particular concerns.

Tom Kidwell, co-founder of security firm Ecliptic Dynamics and a former British Army and UK Government intelligence specialist, said the 2026 results suggest too few lessons have been learned from recent attacks on well-known consumer brands.

"After years of headline-grabbing cyber attacks, this survey feels depressingly familiar. Breach levels haven't shifted, preparedness hasn't improved, and despite all the noise around breaches causing serious damage to major brands like Marks and Spencer and the Co-Op, too many organisations are still failing to act. Talking about cyber security clearly isn't the same as doing anything meaningful about it. Too many companies are still in the mindset that 'it won't happen to me.'"

Phishing remains the most commonly reported form of attack in the government study. Security practitioners argue that attackers are using increasingly sophisticated and targeted methods, often supported by artificial intelligence tools.

For Kidwell, the survey exposes a disconnect between the scale of the phishing threat and current investment in staff awareness programmes.

"What really stands out is phishing. It continues to dominate, and it's becoming smarter, more targeted and more damaging thanks to advances in AI, yet the Government's Cyber Security Breaches Survey shows that staff training levels remain considerably low. When fewer than one in five organisations train their people, it's no surprise attackers keep walking straight through the front door," he said.

Experts also single out supply chain exposure. The survey shows relatively low levels of structured risk assessment of immediate suppliers, despite a series of high-profile disruptions.

"The same applies to supply chain attacks. Despite Jaguar Land Rover hitting the headlines last year with one of the most significant supply chain attacks, amounting to almost £500m in losses, a measly 15% of companies review risks associated with their immediate suppliers. This is creating a glaring blind spot, one that attackers are increasingly exploiting," Kidwell said.

Smaller organisations appear to be under particular pressure. The latest figures suggest some modest gains in basic security practices recorded in previous years have not been sustained.

"Small businesses are the biggest concern. Last year's modest improvements in basic cyber hygiene have gone into reverse, with fewer risk assessments, fewer policies and weaker continuity planning. Companies appear to be abandoning the bare minimum required to keep their businesses secure," Kidwell said.

Government awareness efforts receive some recognition from specialists, but they argue that publicity and campaigns have yet to translate into sustained improvements in resilience.

"Government campaigns such as the Cyber Aware campaign are being recognised a little more, which is encouraging, but awareness alone is clearly not building resilience. Until cyber risk is treated as a practical business issue, and not a compliance tick-box exercise, these numbers in the annual Cyber Breaches Survey won't change," Kidwell said.

He also questioned the wider response from law enforcement and government agencies to rising levels of cyber crime, arguing that better organisational defences must be matched by stronger efforts to disrupt the groups behind attacks.

"While awareness is clearly important and businesses need to play their role, a question to ask is how is the Government tackling this wave of crime? With such prevalence of the activity, what is being done to disrupt the actors conducting it? Defensive and preventative actions can only go so far, upstream disruption is required alongside this," Kidwell said.

Legal specialists view the survey as further evidence of a gap between the severity of cyber risk and the way many boards approach the issue. They also point to nation-state threats and the complexity of global vendor networks as added pressures on governance.

Ross McKean, co-chair of the UK Data Protection and Cyber Response Practice at DLA Piper, said:

"While some welcome progress has been made, today's figures show a persistent gap between the potential existential nature of cyber threats and board-level engagement, especially across smaller businesses. With nation state threat actors increasingly targeting Western organisations and global supply chains becoming ever more interconnected, there is a pressing urgency to close this gap, including by ensuring businesses consistently identify, assess and prepare for vulnerabilities across their third-party vendor networks and take steps to defend against new technologies such as AI which potentially render current vulnerability patching practices redundant."

McKean argued that boards should incorporate cyber considerations into broader resilience planning and crisis management, with clear priorities for keeping critical functions running after an incident.

"As a first step, all organisations, no matter their size, should have a clear picture of their 'minimum viable business' and urgently establish tested and effective workarounds that allow them to keep going should primary systems be offline. Fundamentally cyber risk is a business resilience, board level consideration," McKean said.