Apr 2025
Reaction: UK Cyber Breach Survey 2025 – Time to kick start your cyber maturity journey!
A lot of facts and figures have been in the headlines in recent weeks, particularly those printed on large cardboard signs… But today the UK government has published some figures more pertinent to the UK’s cyber resilience, and they make for an interesting read.

Associate Director - Cyber
The UK’s annual Cyber Breach Survey* has been published since 2017, and is the result of approx. 2000 organisations being surveyed as a barometer of the UK’s cyber maturity, and a measure of the impact cyber breaches are having on businesses and charities.
What did we learn
From the release of the report at 9:30am today (Thursday, April 10 2025), we discovered:
- The prevalence of cyberattacks remains high
43% of organisations surveyed encountered a breach, with a large number being identified via phishing attacks. While this figure is slightly down on last year (50%), we also see that attacks continue to disproportionately impact medium and larger businesses – 67% and 74% respectively.
- Essential controls are still lacking
Only 40% of businesses and 35% of charities have implemented Multifactor Authentication, a critical control required by the Cyber Essentials standard. This control is often considered one of the key defences in the fight against phishing emails, and its adoption remains worryingly low.
- Board engagement is slipping
While a significant number of organisations see cyber as a high priority (72%), this is down on last year’s figure and, worryingly, there is a significant dip in the number of organisations with board level responsibility for cyber security. This figure now stands at only 27%, compared to 38% in 2021.
Where do we go from here
The NCSC has long championed ‘Cyber security is a board room responsibility’, and has released some excellent guidance to support this – it’s even been added to in recent weeks. If we want to ensure that organisations can protect sensitive data and wider reputation from a cyber attack, we need to be proactive in maturing the cyber posture of UK businesses.
Take action
Action needs to start from the top, and we would recommend the following core activities to accelerate the journey towards cyber maturity.
- Start from the Top
The government has just released the ‘Cyber Governance Code of Practice’, in addition to updates to the wider board level cyber toolkit. This is an excellent body of knowledge to ensure that cyber can be discussed and embraced at the highest level. The code of practice outlines five critical areas:
  - Risk management
  - Strategy
  - People
  - Response planning
  - Assurance and oversight
If you base your cyber strategy around these core areas, you won’t be going far wrong.
Interestingly, these topics are not super technical in nature – they start with a plain English discussion around where the risk domains are, what we can do about them, who is well placed to support, what the plan is when things go wrong, and how we measure that we’re doing a good job. It’s not rocket science, but many businesses don’t reflect on these basic questions… until it’s too late.
- Establish trusted partnerships
We believe that, in the cyber space, we’re stronger together, and highly recommend that all organisations identify internal and external stakeholders to support the cyber maturity journey.
Like any journey, you need to know where you are, where you’re going, and how you’ll get there.
At Waterstons, we work with our clients as a trusted cyber advisor, supporting this journey as much as required so that our clients can have confidence that their cyber approach is robust and can serve both as a competitive advantage and as mitigation against the risk of becoming another statistic.
* The Cyber Breach Survey 2025 can be found here: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025