Start OneTrust-to-PrivacyEngine migration today 🔁 Effortless switch now available Learn More!

Cybersecurity Statistics UK 2026

Cybersecurity Statistics UK 2026_ UK Trends, Facts & Board Actions

    Need world class privacy tools?

    Schedule a Call >

    This 2026 briefing distils the latest official UK research and leading global datasets, all published in 2026, into one practical reference for decision-makers. It draws on the government’s Cyber Security Breaches Survey 2025/2026 (DSIT and the Home Office, published April 2026, surveying 2,112 UK businesses and 1,085 charities), the Verizon 2026 Data Breach Investigations Report (published May 2026), the DSIT Cyber Security Sectoral Analysis 2026 (May 2026), and the 2026 UK policy programme, the Cyber Security and Resilience Bill, the confirmed ransomware payment ban, and the April 2026 update to Cyber Essentials.
    Where a figure is best understood as a trend, we show the movement from the previous year. Otherwise, every statistic reflects the most recent research from 2026. All sources are attributed inline and listed in full in the References section.

    Download this report: Cybersecurity Statistics UK 2026

    Key Findings

    • Breach prevalence has stabilised after last year’s fall. 43% of UK businesses and 28% of charities reported a cyber breach or attack in the last 12 months, level with the previous year, down from 50% the year before. Risk remains concentrated in larger firms (69% of large firms, 65% of medium firms). Phishing is the most prevalent and most disruptive threat.
    • Ransomware and third-party risk climbed again globally. The 2026 DBIR found ransomware present in 48% of breaches (up from 44%), third-party involvement in 48% of breaches (a 60% year-on-year jump), and, for the first time, vulnerability exploitation overtaking stolen credentials as the leading initial access route at 31%.
    • “Shadow AI” has arrived as a breach factor. Unsanctioned AI use tripled to feature in 45% of breaches analysed in the 2026 DBIR, and only 24% of UK businesses using AI have any practices in place to manage the associated cyber risk.
    • A single incident in 2026 reset the scale of UK cyber harm. The Jaguar Land Rover attack that began in August 2025 was modelled to have a £1.9 billion economic impact, the costliest cyber event in British history, affecting more than 5,000 organisations across the supply chain.
    • Boards are re-engaging. Board-level responsibility for cyber rose to 31% of businesses, up from 27%, reversing a multi-year decline, but only 47% of businesses use any multi-factor authentication, and just 15% review the cyber risk of their immediate suppliers.
    • The sector keeps growing. UK cyber security revenue reached £14.7 billion in 2026, up 11%, with 69,589 full-time roles.
    • Policy has hardened in 2026. The Cyber Security and Resilience Bill reached the Commons report stage in May 2026; the government confirmed a targeted ban on ransom payments in the public sector and CNI; and Cyber Essentials moved to a new version of the requirements in April 2026.

    Did you know? The Jaguar Land Rover cyberattack of 2025–26 was modelled as a £1.9 billion hit to the UK economy, the single most damaging cyber event in British history (Cyber Monitoring Centre, 2026).


    2025 vs 2026 at a Glance

    Metric20252026Source
    UK businesses identifying a breach/attack43%43%Cyber Security Breaches Survey 2025/2026
    Board-level responsibility for cyber (businesses)27%31%Cyber Security Breaches Survey 2025/2026
    Ransomware share of breaches (global)44%48%Verizon DBIR 2026
    Third-party involvement in breaches (global)30%48%Verizon DBIR 2026
    Leading initial access vector (global)CredentialsVulnerability exploitation (31%)Verizon DBIR 2026
    Shadow AI present in breaches (global)~15%45%Verizon DBIR 2026
    Median ransom paid (global)~$150,000~$139,875Verizon DBIR 2026
    UK cyber security sector revenue£13.2bn£14.7bnDSIT Sectoral Analysis 2026

    Key threat and governance measures moving YoY

    0
    10
    20
    30
    40
    50
    Ransomware share 2025
    0
    Ransomware share 2026
    0
    Third-party involvement 2025
    0
    Third-party involvement 2026
    0
    Board responsibility 2025
    0
    Board responsibility 2026
    0

    Engaged (%)

    Prevalence & Frequency (UK 2026)

    The Cyber Security Breaches Survey 2025/2026 reports that 43% of UK businesses, roughly 612,000 organisations, and 28% of charities identified a cyber breach or attack in the previous 12 months. That figure held level year on year, after the notable fall from 50% the year before, and the risk remains heavily concentrated in larger organisations.

    Identification of breaches or attacks in the last 12 months, by size:

    • Large businesses: 69%
    • Medium businesses: 65%
    • Small businesses: 46%
    • Micro businesses: 42%
    • Charities: 28%

    Share identifying a breach or attack

    0
    10
    20
    30
    40
    50
    60
    70
    Large
    0
    Medium
    0
    Small
    0
    Micro
    0
    Charities
    0

    Engaged (%)

    Phishing dominates: it was experienced by 38% of businesses and named the most disruptive attack by 69% of those affected. Notably, phishing-only incidents (with no other attack type present) rose to 51% of breached businesses, while reported ransomware incidents fell to just 1% of businesses, a reminder that the highest-frequency threat and the highest-impact threat are not the same.

    Make it measurable with PrivacyEngine: centralise incident logs, near-misses and corrective actions in Data Breach Management, and tag by pattern for clear executive reporting.

    Most Disruptive Attack Types

    Phishing remains the leading disruptor for UK organisations. Globally, the Verizon 2026 Data Breach Investigations Report, the largest edition yet, analysing more than 22,000 confirmed breaches across 145 countries, sharpened the picture of how attackers get in. The human element was involved in 62% of breaches, and for the first time vulnerability exploitation (31%) overtook stolen credentials as the single most common initial access vector, a sign that unpatched, internet-facing systems are now the front line.
    The 2026 DBIR also recorded the emergence of “shadow AI” as a mainstream factor: the unsanctioned use of AI tools was involved in 45% of breaches, roughly triple the prior year. For UK organisations adopting AI, 31% of businesses, per the breaches survey, this matters because only 24% have any practice in place to manage AI-related cyber risk.

    Board takeaway: invest in people-centric controls (phishing resilience, impersonation detection, request-to-pay verification) alongside technical health, rapid patching of internet-facing systems, endpoint detection and response, and email authentication (DMARC, SPF, DKIM).

    Financial Impact

    The Cyber Security Breaches Survey 2025/2026 found that most organisations perceive a low direct cost for their single most disruptive breach; the median is effectively nil for many businesses, but the proportion reporting a loss of revenue or share value rose to 5%, and reputational damage to 3%, both up on the year. The real story of 2026, however, is the scale of major incidents.

    The Jaguar Land Rover attack, which began in August 2025 and halted production for around five weeks, was modelled by the Cyber Monitoring Centre at a £1.9 billion economic impact, the costliest cyber event in British history, with direct company costs of roughly £196 million and disruption cascading across more than 5,000 supply-chain organisations. The 2025 wave against Marks & Spencer and the Co-op, assessed as a single systemic event, was estimated at £270–£440 million, with M&S alone taking an operating-profit hit of around £300 million.

    Practical step: evidence your cost drivers and recovery SLAs inside Business Continuity, link them to your Incident Plans, and record lessons learned through DPIA follow-ups.

    Controls Adoption (Where UK Firms Lag)

    Core controls are now common: updated malware protection, cloud backups, password policies and firewalls are each used by around three-quarters of businesses, but more advanced measures still lag, especially among smaller organisations. Figures below are from the Cyber Security Breaches Survey 2025/2026:

    • Cyber insurance (any form): 47%
    • Any multi-factor authentication (all businesses): 47%
    • VPN for remote staff: 36%
    • Formal cyber security policy (small businesses): 52%, down from 59%
    • Business continuity plan covering cyber (small businesses): 44%, down from 53%
    • Board-level responsibility for cyber (all businesses): 31%, up from 27%
    • User/security monitoring: 30%
    • Formal incident response plan (all businesses): 25%

    Adoption of key cyber security controls among UK businesses

    0
    10
    20
    30
    40
    50
    Cyber Insurance
    0
    Any MFA
    0
    Formal policy (small)
    0
    BCP covers cyber (small)
    0
    VPN remote staff
    0
    Board responsibility
    0
    User monitoring
    0
    Incident response plan
    0

    Engagement %

    The mixed movement is the headline: boards are taking more ownership, yet the take-up of formal policies and continuity plans slipped among small firms. Closing the basics, universal MFA, a tested incident plan, documented continuity, remains the highest-value, lowest-cost move for most organisations.

    Close the gap fast with out-of-the-box tasking and evidence capture in Third-Party Assessments, Risk Management, and Training.

    Supply Chain & Third-Party Risk

    Supplier risk is the fastest-moving threat in the 2026 data, yet UK review rates remain low. Only 15% of businesses have reviewed the cyber risks posed by their immediate suppliers, and just 6% have examined their wider supply chain; among large businesses the figure reaches 48% for immediate suppliers.

    The reality check comes from the 2026 DBIR, which found third-party involvement in 48% of breaches , a 60% year-on-year increase , and confirmed vulnerability exploitation as the top entry vector. The Jaguar Land Rover incident showed exactly how this plays out: a single manufacturer’s outage rippled across thousands of dependent suppliers. Supplier compromise is now a primary route into organisations, not an edge case.

    Move beyond “questionnaires only”. Use structured Third-Party Assessment workflows to request evidence, track findings, and enforce contractual controls.

    Ransomware Reality Check

    Ransomware was present in 48% of breaches analysed in the 2026 DBIR, up from 44% the year before. Encouragingly, the median ransom paid fell to around $139,875, and 69% of victim organisations did not pay, evidence that stronger backups, incident planning and law-enforcement engagement are shifting the economics against attackers.

    The UK has felt the impact acutely across 2025 and into 2026:

    • Jaguar Land Rover (from August 2025): the most damaging cyber event in British history, modelled at £1.9 billion in UK economic impact, with a roughly five-week production shutdown and around £196 million in direct company costs.
    • Marks & Spencer and Co-op (2025): assessed together as a single systemic event costing an estimated £270–£440 million; Co-op confirmed data belonging to all 6.5 million members was stolen.
    • Synnovis / NHS (June 2024, costs realised into 2025): an estimated £32.7 million hit and major diagnostic disruption across south-east London.
    • Transport for London (September 2024): more than £30 million in loss and recovery costs, with perpetrators since convicted.

    0
    10
    20
    30
    40
    50
    60
    70
    Did not pay the ransom
    0
    Paid the ransom
    0

    Engaged (%)

    Act as if breached: practice isolation, restore and crisis communications. Map your steps in Incident Playbooks and test them quarterly.

    UK Policy & Regulation in 2026

    Cyber Security and Resilience Bill. The Bill reached the report stage in the House of Commons on 14 May 2026 and is progressing to the Lords, with Royal Assent expected later in 2026, followed by phased implementation. It expands the scope of the NIS regime to data centres, managed service providers and critical suppliers, introduces a two-tier penalty structure, and tightens incident-reporting duties.

    Ransomware payment ban. The government confirmed it will proceed with a targeted ban on ransom payments by all public-sector bodies (including local government) and regulated critical national infrastructure operators, alongside stronger mandatory incident reporting, to be delivered through the Cyber Security and Resilience Bill. 72% of respondents to the consultation supported the targeted ban.
    Cyber Essentials. In April 2026, the scheme moved to an updated requirements version with a new question set, making multi-factor authentication mandatory wherever a cloud service supports it (an automatic fail if not enabled), keeping the 14-day fix window for critical and high-risk updates, and preventing cloud services from being scoped out.

    NCSC. The most recent NCSC Annual Review recorded a sharp rise in nationally significant incidents, more than double the prior year, underscoring why the guidance and the 10 Steps to Cyber Security remain the baseline for UK organisations.

    What this means for boards: treat cyber as a governance obligation. Expect tighter reporting and clear sanctions exposure for unlawful payments, and document your decision-making.

    What “Good” Looks Like (NCSC & Cyber Essentials)

    • Adopt the NCSC 10 Steps: risk management; engineering and configuration; vulnerability management; supply chain; incident management; data security; user education and awareness; monitoring; identity and access management; and backups.
    • Baseline to Cyber Essentials. The April 2026 requirements reinforce mandatory MFA and passwordless options, expect critical and high-risk vulnerabilities to be fixed within 14 days, and keep cloud services in scope.
    • Map both frameworks to your control catalogue in PrivacyEngine, collect evidence, and generate audit-ready reports.

    90-Day Action Plan

    First 0–30 days. Assign a cyber owner, take the Code of Practice to the board, and schedule quarterly metrics. Run a Cyber Essentials gap assessment; enable MFA for all administrators and remote access, and disable legacy authentication. Put a 3-2-1 backup policy in place, test restores, and document your recovery time and recovery point objectives.

    Next 31–60 days. Patch and protect internet-facing systems with a 14-day SLA for critical and high-risk vulnerabilities, now the leading attack vector, and verify with scans. Identify your tier-one critical suppliers and conduct evidence-based assessments that require incident reporting and MFA. Publish incident playbooks for phishing, ransomware and vendor outage, and rehearse them.

    Final 61–90 days. Run user and executive drills, including impersonation and payment-change tests, and update your finance “raise-to-verify” process. Bring shadow AI into governance: inventory AI tools in use and set acceptable-use and data-handling rules. Enable log retention and alerting on administrator anomalies, deploy endpoint detection and response where gaps exist, run a table-top exercise, and produce a board pack.

    Helpful PrivacyEngine modules: Record of Processing Activities, Third-Party Assessment, Risk Management, Data Breach Management, and Data Privacy & Cybersecurity Training.

    About This Research

    This briefing consolidates the latest 2026 official UK research and leading global datasets, current as of July 2026. Primary sources include the Department for Science, Innovation and Technology (DSIT), the Home Office, the National Cyber Security Centre (NCSC), Verizon, the Cyber Monitoring Centre and IASME. Prior-year (2025) figures appear only where they illustrate a trend. This briefing is informational only and does not constitute legal advice.

    References

    1. DSIT & Home Office, Cyber Security Breaches Survey 2025/2026 (April 2026). https://www.gov.uk/government/statistics/cyber-security-breaches-survey-20252026/cyber-security-breaches-survey-20252026
    2. Verizon, 2026 Data Breach Investigations Report (May 2026). https://www.verizon.com/business/resources/reports/dbir/
    3. Verizon, 2026 DBIR findings summary. https://www.helpnetsecurity.com/2026/05/20/verizon-2026-dbir-findings/
    4. DSIT, Cyber Security Sectoral Analysis 2026 (May 2026). https://www.gov.uk/government/publications/cyber-security-sectoral-analysis-2026/cyber-security-sectoral-analysis-2026
    5. Cyber Monitoring Centre, Statement on the Jaguar Land Rover cyber incident (October 2025). https://cybermonitoringcentre.com/2025/10/22/cyber-monitoring-centre-statement-on-the-jaguar-land-rovercyber-incident-october-2025/
    6. Cyber Monitoring Centre, Statement on retail-sector ransomware incidents (M&S, Co-op) (June 2025). https://cybermonitoringcentre.com/2025/06/20/cyber-monitoring-centre-statement-on-ransomware-incidents-in-the-retail-sector-june-2025/
    7. ITPro: M&S reveals financial hit from cyberattack (2025/26). https://www.itpro.com/security/cyber-attacks/m-and-s-reveals-massive-financial-hit-from-cyber-attack
    8. Digital Health: Cyber attack cost Synnovis an estimated £32.7m. https://www.digitalhealth.net/2025/01/cyber-attack-cost-synnovis-estimated-32-7m-in-2024/
    9. UK Parliament, *Cyber Security and Resilience (Network and Information Systems) Bill

    Share this with you network!

    Try PrivacyEngine
    For Free

    Learn the platform in less than an hour
    Become a power user in less than a day

    PrivacyEngine Onboarding Screen