The UK government's Cyber Security Breaches Survey 2026, published today, shows breach rates and preparedness levels largely unchanged from prior years — a finding that security professionals say reflects systemic reluctance rather than a lack of awareness.
Phishing remains the dominant attack vector, and it is evolving. Advances in AI have made phishing campaigns more targeted and more convincing, yet the survey shows fewer than one in five organisations provide any form of security training to staff. The gap between threat sophistication and organisational response has not narrowed.
Supply chain risk shows a similar pattern. A year after Jaguar Land Rover suffered one of the UK’s most costly supply chain attacks — estimated losses of around £500 million — only 15% of companies report reviewing the cyber risks posed by their immediate suppliers. The figure for extended supply chains will be lower still.
“After years of headline‑grabbing cyber attacks, this survey feels depressingly familiar. Breach levels haven’t shifted, preparedness hasn’t improved, and despite all the noise around breaches causing some serious damage against major brands like Marks and Spencer and the Co-Op, too many organisations are still failing to act,” said Tom Kidwell, co-founder of Ecliptic Dynamics and a former British Army and UK Government intelligence specialist.
Small businesses represent the sharpest regression. Modest gains in basic cyber hygiene recorded in last year’s survey have been reversed: fewer risk assessments completed, fewer documented policies, and weaker continuity planning than twelve months ago.
Kidwell draws a distinction between awareness and action that runs through the survey’s findings. Government campaigns such as Cyber Aware are gaining more recognition among respondents — but recognition and resilience are not the same thing. “Until cyber risk is treated as a practical business issue, and not a compliance tick-box exercise, these numbers won’t change,” he said.
His broader point concerns the asymmetry of the current approach: organisations are being asked to defend better while the upstream economics of attack go largely unaddressed. “Defensive and preventative actions can only go so far, upstream disruption is required alongside this.” The survey’s consistency across years suggests the defensive posture alone is not moving the numbers.
