The UK Government’s Cyber Security Breaches Survey for 2025/26 came out on 30 April. It is the same survey, run the same way, for the eleventh year running. The numbers move slightly. The shape never does.

This year, 43% of UK businesses reported a cyber security breach or attack in the last twelve months. That is approximately 612,000 organisations. Phishing remained the most common attack vector by a long margin. The proportion of breaches resulting in loss of revenue or share value more than doubled, from 2% to 5%. Reputational damage tripled, from 1% to 3%.

Familiar reading, in other words. But there is one finding in the survey that is more interesting than the headline numbers, and it is the one I want to talk about.

The board-level number

Just 31% of UK businesses have a board member or trustee with explicit responsibility for cyber security. In micro businesses that figure is 29%. In small businesses it is 37%. Cyber security is sitting somewhere in the organisation, but for two-thirds of UK companies it is not sitting at the top table.

Why the board number matters more than the breach number

Whenever the breaches survey comes out, the industry reaches for the dramatic figure. 612,000 businesses, 5.19 million cyber crimes, attacks up, costs up. All of that is true. None of it is new.

What is interesting is that the same survey tells you, in plain English, why those numbers do not move. 31% board-level responsibility is the cause, not just another statistic alongside the breaches. When cyber security has no owner at the top of the organisation:

  • Budgets are made by IT or operations on the basis of what feels affordable, not on the basis of what risk the business is carrying.
  • Decisions about which systems are in scope, which suppliers can be trusted with data, and which controls are non-negotiable get made informally.
  • Incidents get triaged by whoever happens to be in the room, because there is no agreed playbook and no agreed authority to make calls.
  • After the incident, people move on. There is no formal review and nothing changes for next time.

The 2025/26 survey backs this up directly. Only 25% of UK businesses have a formal incident response plan. 81% inform their directors after a breach has happened, but only 40% report the breach externally to anyone (regulator, customer, supplier). Most businesses that experienced a breach reacted to it without a defined strategy, and most of those breaches stayed inside the four walls.

That is what no board ownership looks like in practice. It is not negligence. It is just the absence of any structured place where someone, with authority, gets to ask: what are we protecting, from whom, and with what?

The small business reversal

There is one other finding from this year’s survey that should worry any SME director.

Last year, small businesses (10 to 49 employees) showed real improvement on the basics. More of them had cyber security risk assessments, formal policies, business continuity plans. It looked like a corner had been turned.

This year, that progress went into reverse:

  • Small businesses doing cyber security risk assessments: down from 48% to 41%.
  • Small businesses with a formal policy covering cyber security: down from 59% to 52%.
  • Small businesses with a business continuity plan covering cyber security: down from 53% to 44%.

The survey does not explain why. The qualitative interviews suggest economic pressure played a part. “Everything that’s going on economically in the country has put a lot of strain on the company in general. Which means we can’t just say okay well here’s eighteen grand, go and buy new computer systems.” That was a small business in health and social care, talking to the survey team.

I have heard that exact sentiment from clients. When budgets get squeezed, the controls that come off first are the ones nobody at board level is championing. If cyber security has no owner upstairs, it becomes a discretionary spend. If it has an owner upstairs, it becomes a non-negotiable.

The Cyber Essentials gap

Here is the other number worth holding up against board responsibility. The survey found that:

That is a five-times gap between businesses that are doing the controls and businesses that have proven they are doing the controls. Five businesses in twenty have done the work. One has the certificate to show for it.

Why does that matter? Because certification is the bit that forces the board conversation.

To pass Cyber Essentials, somebody has to sign the declaration. The named director or trustee signing it has to confirm that what is described in the answers is true. They have to know what was in scope. They have to know what was excluded and why. They have to know which cloud services hold company data, which suppliers have access, and what the rules around personal devices actually are. They cannot delegate any of that to IT and then sign blind.

Doing the work without the certificate gives you the technical posture. Doing the certificate gives you the technical posture and the governance moment. The second one is what the 2025/26 survey is telling us is missing.

The supply chain blind spot

One more finding from the same survey, because it is the one nobody talks about and it matters for SMEs.

Only 15% of UK businesses formally review the cyber security risks of their immediate suppliers. Just 6% look at their wider supply chain. Among micro businesses, the immediate-suppliers figure drops to 12%.

This is a problem on its own, but it is also a problem in the other direction. If you are a small business selling into larger organisations, you are somebody’s supplier. The trend among medium and large buyers is to require supplier accreditations as a condition of doing business. Cyber Essentials is increasingly the lowest bar.

The survey found that 41% of large businesses now require their suppliers to be certified with some kind of cyber accreditation. That is up significantly from last year. The direction of travel is clear: if you sell business-to-business, the question is no longer whether your customers will ask for proof, it is when.

What this looks like in practice

If you are a director reading this and recognising your own organisation, the things to do are not complicated. They are the things the 2025/26 survey tells you most UK businesses still are not doing:

  • Name a director or board member as the owner of cyber security. Put it in the minutes. Review it at every board meeting alongside finance and operations, not as an annex to the IT update.
  • Get a current cyber security risk assessment in front of the board. Not a vendor pitch. A document that says, in plain English, what we are protecting, from what, and how confident we are in the controls.
  • Confirm scope. Every cloud service. Every device. Every supplier with access. The scope question is the one most organisations get wrong, and it is the one that quietly undermines everything else.
  • Make Cyber Essentials a decision, not a maybe. Either certify, or document why you have chosen not to. If you want to know why first attempts fail, we have written up the five most common mistakes. The "we'd probably pass" answer is the worst of all options.
  • Write an incident response plan. One page is fine. Who decides, who calls who, when do we tell customers, when do we tell the Information Commissioner. Print it. Keep a copy off the network.
  • Review supplier risk at least annually. Start with the suppliers who hold your data, then the ones with network access. If you cannot answer "what would happen if their systems were compromised tomorrow," that is the gap to close first.

None of that requires a big budget. It requires somebody with authority caring enough to make it happen.

The reason we exist

Malwise was started to do this kind of work, in plain language, for UK SMEs. As a licensed Cyber Essentials and Cyber Essentials Plus Certification Body, the certification process is the moment we get to ask boards the questions the breaches survey is telling us nobody is asking. That is by design, not by accident.

The 2025/26 survey is the most useful single document a UK SME director will read this year, even though most of them will not read it. It tells you exactly what the gap is, where the gap is, and which side of it your business is on. The number that decides which side you are on is not 612,000, or 43%, or £30, or 5.19 million.

It is 31%.


If you are working towards Cyber Essentials or thinking about where the board responsibility for cyber security should sit in your business, get in touch. We will tell you what we see and what to do next, with no expectation of becoming your provider afterwards.

Sources: Cyber Security Breaches Survey 2025/2026, Department for Science, Innovation and Technology and the Home Office, published 30 April 2026.