The latest Cyber Security Breaches Survey, commissioned by the United Kingdom's Department for Science, Innovation and Technology (DSIT) and the Home Office, provides a comprehensive baseline for the UK's digital health. While the data reflects a UK-specific landscape, the trends identified—ranging from cyber hygiene fatigue to the rising cost of recovery—serve as a global bellwether for cybersecurity professionals.
The report reveals a sobering reality: while awareness is at an all-time high, the gap between perceived security and operational resilience is widening.
The survey highlights a significant "awareness paradox." A vast majority of UK businesses (more than 70%) now identify cybersecurity as a high priority for their senior management. However, this high-level support is not always translating into technical rigor.
- Approaches to risk management: There is a growing reliance on "checkbox" compliance. While more firms are seeking certifications like Cyber Essentials, many are failing to implement continuous monitoring.
- The AI factor: Much like the trends seen in the recent NASCIO and Fortinet reports, UK organizations are grappling with the dual nature of AI. Awareness of AI-driven phishing is high, but the implementation of AI-powered defensive tools is concentrated primarily in larger, high-revenue enterprises.
The frequency of identified breaches has stabilized, but the impact per incident is rising.
- Phishing dominance: Phishing remains the most common entry point, accounting for more than 80% of identified breaches. However, the survey notes an increase in the sophistication of these attacks, moving toward hyper-personalized "vibe coding" and deepfake impersonation.
- The financial toll: The average cost of a breach has surged, driven not by the direct theft of funds but by Business Interruption. In line with findings from Fenix24, the "tail" of a breach—rebuilding infrastructure and lost productivity—now represents the bulk of the financial burden.
Perhaps the most concerning trend in the DSIT report is the state of incident response (IR).
- The plan versus the reality: While a higher percentage of businesses now claim to have an incident response plan, only a fraction actually test those plans through tabletop exercises or simulations.
- Communication gaps: During an active breach, many UK firms still struggle with internal handoffs. As identified in the Trackforce manufacturing report, convergence between technical teams and executive leadership remains a friction point, often delaying recovery by days.
The survey notes a transition in the "identity" of cybercrime. We are moving away from opportunistic, broad-scale attacks toward targeted, politically or ideologically motivated campaigns.
- Supply chain vulnerability: Attackers are increasingly targeting the "managed service provider" (MSP) layer to gain access to multiple downstream targets.
- Identity as the perimeter: Mirroring recent BeyondTrust and Sysdig reports, the DSIT data shows that "Elevation of Privilege" and "Identity Spoofing" are now the primary methods for lateral movement within UK networks.
For cybersecurity professionals: focus on validation
Stop reporting on "awareness" and start reporting on validation. If your organization has a response plan, test it under "Mythos-speed" conditions. Use automated attack path validation to prove that your controls actually stop an adversary from reaching a path to privilege.
For businesses: resilience over insurance
As the cost of business interruption rises, insurance alone is no longer a viable strategy. Follow the "whole-of-state" mindset: build resilience into your core operations so that a breach of your digital identity doesn't lead to a total physical shutdown.
For governments: the 'cyber hygiene' floor
The DSIT report confirms that government mandates (like Cyber Essentials) are working to raise the baseline, but they are not enough to stop sophisticated state-sponsored actors. Governments must continue to push for "Secure-by-Design" standards and provide more direct support for the "Workforce Identity Gap" in critical infrastructure.
Some snippets from the survey results:
- Cybersecurity was considered a high priority for senior management in around seven in 10 businesses (72%) and six in 10 charities (60%). While this was broadly consistent with recent years for businesses, charities saw a significant decline compared with 2024/2025 (down from 68% to 60%), driven by low-income charities. Board-level responsibility for cybersecurity sat at 31% of businesses and 30% of charities and continued to be higher in larger businesses (68% of large businesses). Compared with 2024/2025, the proportion of businesses with board-level responsibility for cybersecurity increased (from 27%), reversing the longer-term downward pattern seen earlier in the decade.
- Seeking external information or guidance was reported by 44% of businesses and 31% of charities. This was most common among medium businesses (71%) and small businesses (58%), compared with 41% of micro businesses. For charities, this also reflects a decline compared with 2024/2025, aligning with the wider picture of reduced prioritization in this wave mentioned above.
- The most common individual source of advice was external cybersecurity/IT consultants or providers (27% of businesses and 13% of charities). This was higher among medium (51%) and small businesses (39%) than micro businesses (24%).
- Awareness of government initiatives increased compared with last year, reversing the longer-term decline seen previously: Cyber Aware was recognized by 30% of businesses and 30% of charities, while awareness of 10 Steps was 17% (businesses) and 19% (charities), and Cyber Essentials was 17% (businesses) and 16% (charities).
- The Cyber Governance Code of Practice (launched in April 2025) had been heard of by 16% of charities and businesses. Launched in May 2025, the Software Security Code of Practice was recognized by 22% of businesses and 19% of charities.
- Internal reporting remained the most common response following a breach or attack. Around eight in 10 businesses (81%) and charities (84%) said they informed directors or trustees, and 62% of businesses and 73% of charities said they kept an internal record of the incident. External reporting was less common: among those identifying breaches or attacks, 40% of businesses and 36% of charities reported their most disruptive breach outside their organization.