Examining cyber security risks in a volatile environment

By Dr. Joanne Cracknell and Stephen Hill | July 10, 2025

Businesses face a complex cyber security landscape. A multi-layered approach minimises financial, operational and reputational impacts. Strategies must adapt to evolving threats and business needs.

The cyber security risk landscape in the United Kingdom (UK) has come to the fore recently following a number of cyber attacks on high street retailers. It may feel that the UK is being singled out by cyber criminals, but it is not alone: cyber crime is a global challenge.

In April 2024 the findings of a three-year intensive research study by the University of Oxford and UNSW Canberra, compiled into the first ‘World Cybercrime Index’[1], were published; the index identifies the geographical hotspots of global cybercrime. It ranked the UK eighth, behind Russia, Ukraine, China and the United States.

The Department for Science, Innovation and Technology (DSIT) published its latest annual report in April 2025[2] (the DSIT Report), following a survey examining the threat of cyber security breaches to businesses, charities and educational institutions. The survey, conducted between August and December 2024[3], involved 2,180 UK businesses, 1,081 UK registered charities and 574 education institutions[4]. This article explores the key findings from the DSIT Report, concentrating on businesses.

Findings from the DSIT Report

43% of businesses surveyed experienced a cyber security incident within the last 12 months, a slight decrease from 50% in 2024. The decrease was attributed to a reduction in phishing attacks on micro and small businesses. It is worth noting that the prevalence of cyber security incidents among medium and large businesses remained high, at 67% and 74% respectively, within the 43% who experienced an incident.

Common causes of cyber security incidents

Phishing

Phishing attacks continue to dominate, with 85% of businesses experiencing them. Phishing is the preferred modus operandi of criminals, who are taking advantage of technological advancements. Attacks are becoming more sophisticated in their design in order to bypass the heightened security measures being implemented by businesses.

Ransomware

Ransomware continues to be a major cyber crime threat to the UK[5] despite efforts from law enforcement to disrupt activities. The recent National Crime Agency (NCA) Serious and Organised Crime Threat Assessment stated that 502 ransomware incidents were reported to the NCA during 2024 as a result of serious and organised crime activity impacting organisations and businesses in the UK. We have seen the impact of ransomware attacks on their victims in the recent high-profile retailer attacks, which have caused significant financial loss, the risk of personal data being sold on the dark web, exploitation and reputational damage.

The DSIT Report identified that 7% of businesses surveyed fell victim to a ransomware attack[6]. Whilst this figure seems low in comparison to phishing attacks, the number of ransomware attacks reported had increased significantly from 2024. This includes attacks where a financial ransom was demanded; however, it was understood that some businesses had measures in place to identify and block the attack before a ransom demand was made.

Regarding the payment of ransom demands, guidance from regulators and law enforcement provides that businesses should consider the correct legal and regulatory practice before making any payment. Paying the ransom does not fulfil any regulatory obligations and will not reduce any regulatory penalties imposed. Paying a ransom also does not guarantee access to the impacted devices or data, and businesses may be vulnerable to further attacks as criminal groups will know that they are willing to pay. Furthermore, payments may not be lawful, particularly if made to an entity or territory sanctioned by the UK, with the accompanying concern that ransom payments fund further criminal activity.

The rise of serious and organised crime

The DSIT Report identified that cyber criminals are behind the most common causes of cyber security incidents. Serious and organised crime continues to rise. Advances in technology were considered to be the driver of this increase during 2024, with criminals taking advantage of new technology and greater online connectivity to advance their illicit activities[7].

There is also evidence of cyber criminals benefitting from artificial intelligence (AI)[8]. Interestingly, the businesses surveyed suggested that they were more conscious of cyber attacks due to the increased sophistication of the attacks, such as AI impersonation. Attacks are becoming faster and more sophisticated, particularly in respect of CEO fraud, with cyber criminals moving away from traditional whaling emails and diversifying their methods using AI tools such as deepfake videos and voice cloning to exploit their victims.

Managing the risk

72% of businesses reported that cyber security was a high priority for their senior management, particularly in the professional services and financial and insurance sectors. Cyber security risk management should be integrated within the overall organisational risk profile and appetite. Boards and senior management are expected to take ownership of managing cyber security risk and to set the tone in promoting a positive cyber security culture, in which people are encouraged to raise concerns or make suggestions without fear of retribution.

The report suggests that engagement from boards and senior management can help secure buy-in and adherence from others. The findings from the DSIT Report show that board-level responsibility for cyber security has been steadily declining among businesses since 2021. This is concerning, as the average annual cost to businesses of dealing with their most disruptive cyber security incidents ranges from £500 to £3,110[9]. The costs incurred included recovering stolen monies, upgrading IT software and systems, legal fees, insurance excess, fines and compensation.

DSIT, in conjunction with the National Cyber Security Centre, has recently published the Cyber Governance Code of Practice[10], produced for medium to large businesses to support boards and directors in understanding their responsibilities for governing cyber risk. It deals with risk management, strategy, people, incident planning, response and recovery, and assurance and oversight.

Data from the Information Commissioner’s Office suggests that human error continues to be the most common cause of cyber security incidents[11], whether by sending an email to an incorrect recipient or by falling victim to a phishing campaign.

People are an integral cog in the risk management wheel, and businesses need to ensure that all policies, controls and procedures are practical and effective. Education and awareness, consisting of a continuous programme of training and communications using case studies from lessons learned, was the most common preventative measure, adopted by 32% of the businesses surveyed. A fifth of businesses provided training annually, including mechanisms to test knowledge, particularly regarding data protection and regulatory obligations.

Cyber insurance

Almost half of businesses reported having some form of insurance cover against cyber security risks as part of a wider insurance policy, with only 7% having specific cyber security insurance. Larger businesses were more likely to have a specific policy in place. Alarmingly, one fifth of businesses did not know whether they had any form of cyber security insurance in place.

This year’s survey asked organisations that did not have cyber insurance why they did not have cover in place. The largest barriers cited were:

  • 37% lack of awareness of cyber insurance
  • 34% it was not a budgetary priority
  • 28% a lack of interest from leadership
  • 13% cost, with cover considered too expensive.

Interestingly, when interviewed during the study, businesses that held cyber insurance rarely claimed on their policy despite being eligible to do so, because they felt it was not financially worthwhile given the policy excess and the increased premiums that would follow. Larger businesses considered it more beneficial to invest in cyber controls and recovery than in insurance. However, those businesses that did have insurance saw benefits: it encouraged more robust cyber security protocols, increased accountability and provided access to expert advice.

Conclusion

What is clear is that businesses are operating in a complex, volatile and evolving cyber security landscape. Given the complexity, frequency and severity of this risk there is no single security solution, and businesses need to adopt a multi-layered approach to protect themselves.

By adopting a robust cyber strategy, businesses can minimise the financial, operational and reputational impact of a cyber security incident. The strategy should reflect the size, nature and needs of the business and be able to respond to changes in the business, technological advancements and regulatory and legislative obligations, so that the business remains resilient in a volatile cyber security landscape.

Footnotes

  1. Bruce M, Lusthaus J, Kashyap R, Phair N, Varese F (2024). Mapping the global geography of cybercrime with the World Cybercrime Index. PLoS ONE 19(4): e0297312.
  2. Department for Science, Innovation & Technology (2025). Cyber Security Breaches Survey 2025. Retrieved from: Cyber security breaches survey 2025.
  3. Department for Science, Innovation & Technology (2025). Cyber Security Breaches Survey 2025. Retrieved from: Chapter 1: Introduction.
  4. Sole traders and public-sector organisations are not included and were outside the scope of the survey.
  5. National Crime Agency (2025). National Strategic Assessment 2025 of Serious and Organised Crime. Retrieved from: Ransomware continues to be the major cybercrime threat to the UK and has persisted despite law enforcement's disruption of the main variants.
  6. Department for Science, Innovation & Technology (2025). Cyber Security Breaches Survey 2025. Retrieved from: Chapter 6: Cyber crime.
  7. National Crime Agency (2025). National Strategic Assessment 2025 of Serious and Organised Crime. Retrieved from: Providing a picture of the threat to the UK from serious and organised crime.
  8. National Crime Agency (2025). National Strategic Assessment 2025 of Serious and Organised Crime. Retrieved from: It is likely that the fraud threat to UK individuals and businesses increased from 2023, although estimated fraud levels are similar to those last seen in 2019.
  9. Department for Science, Innovation & Technology (2025). Cyber Security Breaches Survey 2025. Retrieved from: Chapter 4: Prevalence and impact of cyber breaches or attacks.
  10. Department for Science, Innovation & Technology (8 April 2025). Cyber Governance Code of Practice. Retrieved from: Cyber Governance Code of Practice.
  11. The Information Commissioner’s Office (n.d.). Retrieved from: The ICO exists to empower you through information.
