A Decade of the UK Cyber Security Breaches Survey: Trends, Plateaus, and What Actually Changed

The UK Cyber Security Breaches Survey, viewed over time, reveals not progress but stabilisation. Breach rates remain persistently high, attack methods are largely unchanged, and improvements in governance lag behind rising exposure. The data shows a system that has normalised insecurity: awareness has increased, but action has not kept pace, resulting in a steady state of widespread, structurally embedded cyber risk.

Executive Summary

If you read this year’s Cyber Security Breaches Survey in isolation, it looks like cautious progress.

But when you compare it across years, a different pattern emerges: not improvement, but convergence toward a stable, insecure equilibrium.

The UK hasn’t meaningfully reduced cyber risk. It has learned to live with it.

And that creates a series of uncomfortable truths:

  • Breach rates haven’t fallen, they’ve plateaued
    The system isn’t getting safer. It’s becoming predictably exposed.
  • The biggest “improvement” is reduced detection, not reduced attacks
    Especially among SMEs, fewer recognised phishing incidents are driving the numbers, not fewer threats.
  • Phishing still dominates after decades of investment
    The core failure is not technical capability, but human and organisational behaviour.
  • Large organisations aren’t more secure, just more observable
    Their consistently high breach rates reflect scale and visibility, not resilience.
  • Governance is rising, but too slowly to matter
    Board awareness is increasing, but operational readiness remains weak.
  • Advanced threats are not the main problem
    The majority of breaches still come from low-complexity, high-scale attacks.
  • Awareness has outpaced action
    The UK understands cyber risk better than ever—but still underinvests in addressing it.
  • Cyber incidents are now a normal operating condition
    The question is no longer “if” but “how often” and “how well you recover.”

Taken together, these trends point to a system that is neither failing nor improving.

It is stabilising.

And that stability is the real risk.

1. Introduction

If you read any single year of the Cyber Security Breaches Survey, it tells a story.

If you read them together, over time, it tells a very different one.

This article steps back from the 2025/26 snapshot and instead asks a harder question:

What has actually changed in UK cyber security over time?

Because trend analysis doesn’t just show movement.
It shows what refuses to move.

1.1 The Cyber Breach Series 2026

This article forms part of the Cyber Breach 2026 Series, a three-part analysis of the UK Cyber Security Breaches Survey and its wider implications for the UK cyber ecosystem.

Each article approaches the same dataset from a different angle:

Taken together, these three perspectives move from observation, to trend, to model, and show that the real problem isn’t just cyber risk.

It’s how we measure it.

Cyber Breach 2026 Series Overview

2. Breach Prevalence: From Volatility to Plateau

At first, the survey felt dynamic. Numbers moved, narratives shifted, and there was a sense that progress, positive or negative, was happening.

But over time, that movement has slowed. What looked like change has resolved into something far more stable, and far more revealing.

  • ~50% of businesses reported breaches in 2024
  • ~43% in 2025/26
  • Similar figures persist across recent years
  • Equivalent figures for charities remain ~30%

Critically, the latest drop is attributed largely to fewer small businesses identifying phishing attacks, not necessarily fewer attacks occurring.

Which leads to a key trend insight:

The UK has not reduced cyber breaches.
It has stabilised its ability to observe them.

What we are seeing is not improvement, it is the emergence of a steady-state level of exposure.

3. The Persistence of Phishing: 20 Years, No Structural Change

If cyber security were evolving in line with technological change, we would expect the dominant attack vectors to shift over time.

Instead, the data shows a system stuck in a loop, solving new problems while failing to resolve old ones.

Because across multiple survey years:

  • Phishing remains the most common attack type
  • It is also consistently the most disruptive
  • A majority of breaches still originate from human interaction with malicious content

In recent data:

  • Up to 85%+ of organisations experiencing attacks cite phishing involvement

The trend here is not change, it is entrenchment.

The UK cyber ecosystem has spent a decade building new defences,
while continuing to fail at the same old problem.

This tells us that the constraint is not capability, it is behaviour, adoption, and execution.

4. Large Organisations: Consistently High Exposure

There’s an assumption baked into much of cyber thinking: that scale brings control, and that maturity increases as organisations grow.

But longitudinal data challenges that assumption directly.

Across every year of the survey, one pattern holds:

  • Medium and large businesses consistently report ~65–75% breach rates
  • This has remained broadly stable over time

For example:

  • ~70%+ in 2024
  • ~67–74% in 2025
  • ~65–69% in 2025/26

This consistency matters.

Scale does not reduce cyber risk.
It simply changes how it manifests.

Over time, what has improved is not exposure, but visibility and governance.

Large organisations are not necessarily more secure. They are simply more observable systems under stress.

5. SMEs: The Measurement Gap is the Trend

Where large organisations show consistency, SMEs show fluctuation. But that fluctuation is often misinterpreted as real change.

In reality, it reflects something more fundamental: how much of the system we can actually see.

Year-on-year changes in SME breach reporting are strongly linked to:

  • Recognition of phishing
  • Awareness campaigns
  • Survey interpretation

For example:

  • The drop from 50% to 43% is driven primarily by micro and small businesses identifying fewer attacks

This creates a structural distortion:

SME cyber risk is not decreasing.
It is being measured differently over time.

Which means that one of the largest components of the UK cyber ecosystem remains persistently under-observed.

6. Governance Trends: Rising, But Lagging Reality

There has been a long-term push to move cyber security out of IT and into the boardroom.

That shift is happening, but slowly, and unevenly.

Across survey iterations:

  • Board-level responsibility has gradually increased
  • Adoption of frameworks (Cyber Essentials, etc.) has improved
  • Awareness of cyber as a strategic risk has risen

But the trend line is shallow.

Even in recent data:

  • Only ~31% of organisations have board-level cyber ownership
  • Only ~25% have formal incident response plans
  • Only ~20% provide regular staff training

So the trend is real, but insufficient.

Governance is improving linearly.
Risk is scaling exponentially.

And over time, that divergence becomes more dangerous, not less.

7. Incident Impact: Increasing Visibility, Not Necessarily Severity

Another apparent trend is the growing reporting of impact: more organisations acknowledging disruption, downtime, and operational consequences.

At first glance, this looks like escalation.

But it may actually be something else.

More organisations now report:

  • Temporary loss of access
  • Service disruption
  • Third-party dependency failures

For example:

  • Loss of access and service disruption metrics have increased compared to prior years

But this doesn’t necessarily mean attacks are getting worse.

Organisations are becoming better at recognising, and admitting, the consequences of breaches.

So what we are seeing is less a rise in impact, and more a rise in observability of impact.

8. Ransomware and “Advanced” Threats: Less Dominant Than Expected

The public narrative around cyber threats is dominated by advanced attacks: ransomware, nation-state actors, and highly sophisticated campaigns.

But the survey data consistently tells a more grounded story.

Across years:

  • Ransomware remains low-volume in prevalence data (~1%)
  • Advanced attacks are not the dominant reported experience
  • Commodity attacks still dominate

This consistency is striking.

The UK cyber problem is not driven by cutting-edge threats.
It is driven by persistent, scalable, low-complexity attacks.

And that has not meaningfully changed over time.

9. The Long-Term Trend: Awareness vs Action

If there is one area where clear progress has been made, it is awareness.

Cyber is now widely recognised as a business risk. Frameworks exist. Guidance is widespread. The language of cyber has entered mainstream management thinking.

But action has not kept pace.

We see:

  • More recognition of cyber as a business risk
  • More policy frameworks
  • More guidance and campaigns

But still:

  • Low training uptake (~20%)
  • Limited incident preparedness (~25%)
  • Continued high breach prevalence

So over time, the system has become:

More informed,
but not proportionally more secure.

This gap, between knowing and doing, is now one of the defining features of the UK cyber landscape.

10. The Meta-Trend: Cyber is Becoming “Normal”

Perhaps the most significant shift over the life of the survey is not in the data itself, but in how that data is interpreted.

What was once alarming has become expected.

Cyber incidents are now:

  • Routine
  • Anticipated
  • Embedded in operations

Recent estimates suggest:

  • ~612,000 UK businesses experience breaches annually

And that number has remained broadly consistent.

Cyber security has transitioned from a risk event
to a continuous operating condition.

This is not just a statistical trend, it is a cultural and economic one.

11. Conclusion: What Actually Changed?

When you pull all of these trends together, a clear picture emerges.

Yes, things have moved.
But they have not fundamentally shifted.

  • Breach prevalence remains high
  • Attack types remain consistent
  • Human factors remain dominant
  • SMEs remain structurally vulnerable

Over the same period, there has been a sustained policy effort to improve cyber security through governance, guidance, and standardised frameworks. The gradual increase in board-level ownership, adoption of controls, and awareness initiatives reflects this direction of travel.

And yet, the persistence of high breach prevalence suggests these interventions are interacting with a system that is structurally resistant to incremental change. The result is not failure, but stabilisation: a system that adapts just enough to cope, without fundamentally reducing its exposure.

So the real trend is not transformation: it is convergence.

The UK cyber ecosystem has converged on a steady state:
widely exposed, partially defended, and structurally misaligned.

12. Closing Thought: Trends Don’t Lie, But They Do Mislead

Year-on-year comparisons can create the illusion of progress.

Small improvements, slight declines, new initiatives: all of it suggests motion.

But when you zoom out:

The system isn’t moving forward.
It’s settling into equilibrium.

And that equilibrium is not secure.