This 2025 update distils the latest official UK research (DSIT/Home Office Cyber Security Breaches Survey 2025), the Verizon 2025 DBIR, and IBM's 2025 Cost of a Data Breach into one practical briefing for decision-makers. Where useful, we highlight UK sector examples (e.g., Synnovis, British Library) and the policy direction for the year ahead (Cyber Governance Code of Practice; Cyber Security & Resilience Bill; ransomware proposals).
Bonus Material: Download Cybersecurity Statistics UK 2025: UK Trends, Facts & Board Actions
Key Findings
- Prevalence down overall to 43% of UK businesses identifying a cyber breach/attack in the last 12 months, but risk concentrates in larger firms (74% of large; 67% of medium). Phishing remains the most disruptive.
- Costs are real even when "small": the average total cost of the most disruptive breach was £1,600 (all businesses) and £3,240 (charities). Among those with a non-zero cost, the mean rises to £8,260 (businesses).
- Controls adoption gap persists: only 40% of businesses use any 2-factor authentication (2FA) (92% of large), with similarly low adoption for VPN (31%) and user monitoring (30%).
- Third-party risk jumped: DBIR 2025 finds third-party involvement doubled to ~30% of breaches; ransomware present in 44% of breaches (median payment $115k; 64% did not pay).
- Policy direction: UK launched a Cyber Governance Code of Practice (Apr 2025), published a policy statement for a Cyber Security & Resilience Bill (Apr 2025), and issued its ransomware proposals response (Jul 2025) signalling restrictions on public-sector/CNI ransom payments and broader incident/payment reporting.
- What to do now (90 days): baseline to Cyber Essentials (v3.2), adopt NCSC 10 Steps, uplift MFA, patching, backups/IR runbooks, and supplier risk reviews, then prove it with evidence.
Need help operationalising?
• Book a demo to see PrivacyEngine in action
• Free trial: stand up Records of Processing, DPIA, Third-Party Assessments, Incident Playbooks in hours: Get Started
2024 vs 2025 at a glance (UK & global context)
Metric | 2024 | 2025 | Notes |
---|---|---|---|
UK businesses identifying a breach/attack | 50% | 43% | DSIT CSBS, all businesses. |
Weekly or more (among those hit) | 32% | 29% | Share experiencing weekly+ incidents. |
"Most disruptive" attack = Phishing (businesses) | 61% | 65% | Among orgs that had a breach/attack. |
Avg total cost of most disruptive breach (all businesses) | £1,205 | £1,600 | DSIT Table 4.5; includes £0 costs. |
Mean cost among non-zero cases (businesses) | £6,940 | £8,260 | DSIT Table 4.5 (outcome cases). |
Any 2FA in use (businesses) | 39% | 40% | DSIT technical controls. |
VPN for remote staff | 32% | 31% | DSIT technical controls. |
User monitoring | 30% | 30% | DSIT technical controls. |
Ransomware share of breaches (DBIR, global) | 32% | 44% | Verizon DBIR; same definition year-over-year. |
Third-party involvement in breaches (DBIR, global) | 15% | 30% | Verizon DBIR. |
Index
- Prevalence & Frequency (UK 2025)
- Most Disruptive Attack Types
- Financial Impact
- Controls Adoption (Where UK firms lag)
- Supply Chain & Third-Party Risk
- Ransomware Reality Check
- Sector Snapshots: Education & Health
- UK Policy & Regulation in 2025
- What "Good" Looks Like (NCSC & Cyber Essentials)
- 90-Day Action Plan + Toolkit
- Sources
Prevalence & Frequency (UK 2025)
Identification of breaches/attacks in the last 12 months (chart panels: overall businesses; by size; by sector; by frequency).
Make it measurable with PrivacyEngine: centralise incident logs, near-misses and corrective actions in Data Breach Management, and tag by pattern for executive reporting.
Most Disruptive Attack Types
- Phishing remains the most disruptive (~65% of businesses name it as the top disruptor).
- Large organisations are more likely to see impersonation (72%), malware (36%), DDoS (15%), and ransomware (14%) compared with all-business averages.
Board takeaway: invest in people-centric controls (phishing resilience, impersonation detection, request-to-pay verification) and technical health (hardening, EDR, email auth; DMARC/SPF/DKIM).
Financial Impact
- Average total cost of the most disruptive breach in the last year: £1,600 (all businesses), £3,240 (charities).
- Among those with non-zero costs: mean £8,260 (businesses), £21,540 (charities).
- Staff time is a material component (median £100 among outcome cases; mean £2,050).
Practical step: evidence your cost drivers and recovery SLAs inside Business Continuity, link to Incident Plans, and record lessons learned via DPIA follow-ups.
Controls Adoption (Where UK firms lag)
Core controls are common (malware protection, firewalls, backups), but advanced measures continue to lag:
- 2-factor authentication (any): 40% of businesses (92% of large).
- VPN for remote staff: 31%.
- User monitoring: 30%.
- Cyber insurance (any): 45% businesses (specific cyber policy 7%).
- Formal policy & BCP covering cyber: 36% and 32% respectively (all businesses), rising to 87%/79% for large firms.
Close the gap fast with out-of-the-box tasking and evidence capture in Third-Party Assessments, Risk Management, and Training.
Supply Chain & Third-Party Risk
Formal Supplier Risk Reviews
Reality check from DBIR 2025: third-party involvement doubled to ~30% of breaches, with vulnerability exploitation as an initial access vector up 34% YoY to 20%. Only ~54% of perimeter-device vulns were fully remediated; median 32 days to remediate.
Move beyond "questionnaires only": use structured Third-Party Assessment workflows, request evidence, track findings, and enforce contractual controls.
Ransomware Reality Check
- Present in 44% of breaches (DBIR 2025), up from 32% last year.
- Median payment now $115k, with 64% of victims not paying.
- UK case study: Synnovis (NHS pathology partner) estimated a £32.7m financial hit in FY2024 following the June 2024 attack.
- British Library (Rhysida) recovery estimated at £6-7m; wide operational disruption into 2024/25.
- Act as if breached: practice isolation, restore, and crisis comms. Map your steps in Incident Playbooks and test quarterly.
Sector Snapshots: Education & Health
- Education (England): high disruption from phishing and ransomware; significant operational impact when recovery requires full-term rebuilds in a minority of cases.
- Health: system-wide dependency risk: supplier-side ransomware (e.g., Synnovis) cascaded across trusts; reinforce supplier segmentation, offline backup testing, and clinical safety impact assessment.
For regulated sectors, align to NHS DSPT, DfE requirements, ISO 27001/27701 and map into PrivacyEngine risk registers.
UK Policy & Regulation in 2025
- Cyber Governance Code of Practice (launched 8 Apr 2025): sets board-level expectations and links to NCSC Board Toolkit and training.
- Cyber Security & Resilience Bill: Policy Statement (Apr 2025): signals expanded scope for essential digital services, stronger regulator powers, enhanced reporting.
- Ransomware consultation: Government response (22 Jul 2025):
- intent to ban ransom payments for public sector and operators of critical national infrastructure (CNI);
- mandatory incident/payment reporting;
- transparency obligations for private-sector payers under development.
What this means for boards: treat cyber as a governance obligation; expect tighter reporting and sanctions exposure for unlawful payments; document decision-making.
What "Good" Looks Like (NCSC & Cyber Essentials)
- Adopt the NCSC 10 Steps (risk management; architecture/config; vuln mgmt; supply chain; incident mgmt; data security; user awareness; monitoring; identity & access; backups).
- Baseline to Cyber Essentials (Requirements v3.2, April 2025), which tightens definitions and reinforces MFA/passwordless options; keep high/critical vulnerability fixes within 14 days; remove end-of-life software.
Map 10 Steps and Cyber Essentials to your control catalogue in PrivacyEngine; collect evidence and generate audit-ready reports.
90-Day Action Plan + Toolkit
First 0-30 Days
- Board mandate: assign cyber owner; adopt Code of Practice; schedule quarterly metrics.
- Baseline: run Cyber Essentials gap; enable MFA for all admins & remote access; disable legacy auth; roll out phishing-resistant factors where feasible.
- Backups: 3-2-1 policy; test restores; document RTO/RPO.
Next 31-60 Days
- Patch & protect edge: 14-day SLA for high/critical; focus on perimeter devices/VPNs; verify with scans.
- Supplier risk: identify tier-1 criticals; perform evidence-backed assessment; require incident reporting and MFA.
- IR ready: publish playbooks (phishing, ransomware, vendor outage); define notify thresholds; rehearse.
Final 61-90 Days
- User & exec drills: impersonation/banking change tests; update finance "raise-to-verify".
- Monitoring: enable log retention, alerting on admin anomalies; deploy EDR where gaps exist.
- Assure: run a tableâtop, log actions and owners, produce a board pack.
Helpful PrivacyEngine modules
- Record of Processing Activities: map systems & data flows.
- Third-Party Assessment: supplier questionnaires + evidence + risk actions.
- Risk Management: register, heatmaps, treatment plans.
- Data Breach Management: incident workflow, tasks, notifications, lessons-learned.
- Data Privacy and Cybersecurity Training: measurable human-risk reduction.
Talk to us: Schedule a demo or Get Started.
Sources: DSIT, Verizon, IBM, Home Office, IASME/NCSC, Synnovis, British Library. © 2025 PrivacyEngine. This briefing is informational only and does not constitute legal advice.