Half of UK Businesses Hit by Cyberattacks, Large Firms Top Targets

Eric Goldstein
Eric Goldstein Former Chief Editor
Published on: April 25, 2025
Eric Goldstein Eric Goldstein Former Chief Editor
Published on: April 25, 2025

Cyberattacks on UK businesses are escalating at an alarming rate.

In the last 12 months alone, 50 percent of businesses and more than 30 percent of all charities experienced some sort of data breach or cybersecurity threat. While worrisome, the numbers are even more staggering for larger organizations.

Nearly 75 percent of medium and large-sized businesses and 60 percent of charities whose income exceeds £500,000 per annum experienced similar threats.

The UK’s Cyber Security Breaches Survey, which happens annually, revealed a slight improvement. Compared to last year, only 43 percent of small businesses and 30 percent of charities reported these threats. Still, the numbers remain staggeringly high for larger organizations.

The financial impact of these breaches is also increasing. Over the past year, the average cost of the most disruptive attacks was estimated at £1,600 for businesses and £3,240 for charities. In response, the UK government plans to introduce the Cyber Security and Resilience Bill. The bill will mandate businesses to fortify their cybersecurity defenses.

It has also designated UK-based data centres as critical national infrastructure, meaning they’ll now receive the same support as essential utilities like power and water during a national emergency or cyber threat.

Meanwhile, small businesses have adopted much better “cyber hygiene” practices in the past 12 months. This includes cybersecurity risk assessments, cyber insurance, formal cybersecurity risk policies, and continuity plans.

However, fewer high-earning charities are performing appropriate risk assessments than before. The survey found this could be due to budget constraints. It also suggests that only 70 percent of large businesses and 57 percent of medium-sized ones have proper cybersecurity strategies in place.

“Time and again, we see that businesses and charities are under relentless attack, but those on the front line of our digital defences are working with one hand tied behind their back by outdated legislation,” says Simon Whittaker, head of IT firm Instil. “We urgently need a modern legal framework that protects the public and enables cybersecurity professionals to do their jobs.”

UK businesses are in trouble if they don’t start developing and implementing strong cyber defenses. The government can help — but only if it updates its policies.

One example of an outdated piece of policy is the Computer Misuse Act of 1990. It’s “outdated” and “no longer fit for purpose,” and it “risks criminalising the very professionals we rely on to detect, defend against and prevent these attacks,” according to Whittaker.

About the Author
Eric Goldstein
Eric Goldstein
Former Chief Editor
Published on: April 25, 2025

About the Author

Eric Goldstein is a former Chief Editor at SafetyDetectives. As an internet security researcher and IT journalist, he has over 2 years of experience writing and editing articles and blog posts about VPNs, antiviruses, password managers, parental controls, and identity protection products and tools. In addition, Eric wrote and edited news stories focused on cybersecurity issues for SafetyDetectives. He also spent 20+ years as a sportswriter for multiple media outlets and served in a communications role for a national corporation. When he's not working, he can be found spending time with his family, working out, and watching his favorite sports teams.