
612,000 UK businesses were breached last year — most attacks start the same way
The government's 2026 breaches survey puts the number of affected businesses at around 612,000. The most common way in hasn't changed: a convincing email.
The government's annual Cyber Security Breaches Survey for 2025/2026 is out, and the headline is steady rather than dramatic, which is rather the point. Just over four in ten UK businesses (43%) reported a cyber breach or attack in the previous 12 months. Scaled across the country, that's roughly 612,000 businesses. Charities aren't spared either, with around 28% reporting an incident.
The way in is almost always the same
Phishing remains the dominant attack, hitting 38% of businesses. Among businesses that were breached, the share where phishing was the only type of attack rose to around half. The pattern repeats year after year: most incidents don't start with a clever technical break-in; they start with someone being persuaded to click a link, type a password into a look-alike login page or pay an invoice to the wrong account. That matters, because it tells you where to spend your effort: on the people and the processes around email and payments, before anything more exotic.
Smaller doesn't mean safer, but it changes the odds
Larger organisations get hit more often, with around 65% of medium and 69% of large businesses reporting a breach, against roughly 42% of micro and 46% of small firms. Bigger firms are a bigger target with more people to fool, but part of the gap is visibility: an organisation with monitoring and a security team notices attacks that a five-person firm never sees. Smaller businesses report fewer attacks in raw percentage terms, but they also tend to have less monitoring and less to fall back on, so a single successful attack can hurt more.
What it costs, and the catch in that number
For most organisations the recorded cost of a breach is low, often nil, because plenty of attacks are caught or cause no direct loss. But the survey's worst-case figures tell the real story, with costs running into thousands for smaller firms and more for medium and large ones. The average hides the bad days. A single business email compromise that reroutes a payment can cost far more than any of these figures.
The basics still do the heavy lifting
None of this calls for exotic kit. Multi-factor authentication, so a stolen password isn't enough on its own (and, where the service supports it, a phishing-resistant method such as a security key or passkey, because a one-time code typed into a fake login page can be relayed straight to the real one). Staff who can spot a phishing email and feel safe flagging it, including the ones they have already clicked. A backup that has actually been restored from, kept where ransomware running on the network can't reach it, so an infection doesn't end the business. A firm rule to verify any change of payment details on a separate channel, such as a phone call to a number you already hold, never one in the email asking for the change. Some of these sit inside Cyber Essentials (multi-factor authentication falls under its user access control requirement); the rest are process controls that complement it, and together they map almost exactly onto how real attacks unfold.
What this means for your business
The survey is a useful nudge: the threat is steady, common and mostly preventable with the basics done properly. We help South West businesses put those basics in place, through Cyber Essentials, staff awareness training and tested backups, so a single convincing email doesn't turn into a very bad week.
#WEARECOBALT
Ready when you are.
Tell us what's slowing your business down. We'll tell you exactly how we'd fix it — plainly, with no obligation.