Small businesses backsliding on cyber security

The UK Government’s Cyber Security Breaches Survey 2025/2026, published 30 April 2026, reveals that small businesses (10–49 employees) are backsliding on basic cyber hygiene after improvements last year.

Key findings

  • 46% of small businesses experienced a cyber breach or attack in the last 12 months (43% across all UK businesses).
  • Cyber hygiene measures among small businesses declined year-on-year:
    • Cyber security risk assessments: 48% → 41%
    • Formal cyber security policy: 59% → 52%
    • Business continuity plans covering cyber: 53% → 44%
  • Phishing remains the most common attack vector, responsible for 83% of incidents among businesses that reported a breach.
  • Only 25% of businesses have a formal incident response plan in place.
  • Cyber Essentials certification among small businesses improved (5% → 12%), but the vast majority remain uncertified.

What this means

The survey paints a clear picture: UK small businesses understand the threat (72% say cyber security is a high priority for senior management), but that awareness is not translating into action. Basic defences — risk assessments, written policies, tested continuity plans — are slipping.

For most businesses, the immediate cost of a breach is low (median £0), but the top 5% of cases faced costs of £4,000 or more. With phishing attacks becoming harder to detect and regulatory expectations under UK GDPR continuing to rise, the gap between intention and action is a growing liability.

What to do

  • Run a cyber security risk assessment — if you haven’t done one this year, you are not alone, but you should.
  • Review your incident response plan — if you do not have one, start with the NCSC’s Exercise in a Box.
  • Consider Cyber Essentials certification — it covers the five technical controls that prevent the majority of common attacks.

We help small businesses close the gap between awareness and protection. Talk to us about your cyber security.