The UK government’s Cyber Security Longitudinal Survey, published in February 2026, found that 82% of businesses covered by the study experienced at least one cyber security incident in the past 12 months. The survey covers medium businesses (50 to 249 employees) and large enterprises (250 employees and above), and the headline figure includes phishing attacks, which remain by far the most commonly reported incident type.
That is not a fringe statistic. It means the vast majority of UK firms with at least 50 employees were hit in some way last year, and many of them were hit more than once.
It is worth asking what is actually driving that number, because the answer matters for how businesses respond. Read ahead to find out what the data tells us and why so many companies are still struggling to stay ahead.
What the Survey Actually Found
The 82% figure comes from Wave 5 of the government’s longitudinal study, which tracks the same organisations over time to understand how their security posture changes. The fact that it is tracking the same firms makes the findings harder to dismiss.
Very large businesses had the highest incident rates, with 74% experiencing a cyber incident when phishing is excluded, compared to 62% of medium-sized businesses. That gap reflects the greater complexity and attack surface that comes with scale. Medium-sized businesses face a different challenge: they encounter many of the same threats but typically lack the dedicated security teams and budgets to match.
Phishing remained the most common type of attack, affecting around three-quarters of all businesses in the survey, with email impersonation scams also featuring heavily at 56% of businesses.
One finding that stands out: organisations with stronger monitoring controls were more likely to report incidents. That might sound counterintuitive, but it suggests a significant number of firms simply are not detecting what is happening on their networks.
Why Phishing Keeps Working
Phishing is not a new problem, but it is still the most reliable way into a business. The reason it keeps working is not that people are careless. It is that the attacks have become harder to spot. AI-generated phishing emails can now be personalised, grammatically flawless, and timed to look like they are coming from a trusted colleague or supplier.
Business email compromise follows a similar pattern. An attacker monitors an inbox for weeks before sending a carefully crafted request, often at a moment when someone is under pressure, such as end of month, a busy payroll run, or a supplier payment deadline. The social engineering aspect is sophisticated precisely because it is designed around how real organisations operate.
Staff training helps, but it is never enough on its own. The volume and quality of attacks now mean that even well-trained employees will occasionally click something they should not.
Supply Chains as an Entry Point
The survey flagged supply chain risk as an area where many firms are falling short. The longitudinal data suggests that a majority of organisations have not carried out formal work to assess the cyber security risks posed by their suppliers in the preceding twelve months, and this appears to be a structural weakness rather than an improving trend.
Attackers understand this. Gaining access to a smaller supplier with weaker defences is often easier than attacking a larger target directly. From there, they can use trusted communication channels, legitimate-looking invoices, or compromised credentials to get further into the supply chain.
This means a business can do everything right internally and still be compromised through a third party. It is a structural problem, not just a technical one.
What Proactive Security Actually Looks Like
Businesses that fared better in the survey tended to share a few things in common. They had monitoring in place that gave them visibility. They had carried out some form of formal risk assessment. And they had incident response plans that had been tested, not just written.
Working with pen testing companies in the UK is one of the more effective ways to find out where the real gaps are before someone else does. A CREST-certified penetration test involves qualified testers actively trying to exploit weaknesses using real-world techniques. It goes further than automated scanning and will surface the kind of chained vulnerabilities that tools alone will not catch.
Knowing you have a plan is not the same as knowing whether it will work. Regular testing, whether through tabletop exercises, simulated attacks, or full red team engagements, is what turns a theoretical plan into a practical one.
A few practical steps that make a measurable difference:
- Implement multi-factor authentication across all accounts, not just for admins
- Set up centralised logging so that unusual activity is flagged early
- Carry out formal supplier assessments, even basic ones, rather than relying on trust
- Test your incident response process at least once a year
- Commission penetration testing that reflects how your environment has actually changed, not just an annual repeat of the same scope
None of these are new ideas. But the survey data suggests that plenty of businesses are still not doing them consistently.
Why So Many Firms Still Miss Threats Early
Detection remains one of the biggest gaps. A large proportion of the incidents in the survey were only identified because they had an obvious impact, such as ransomware locking files or a payment being redirected. The more subtle attacks (credential theft, slow data exfiltration, misconfigured cloud storage) often go unnoticed for weeks or months.
Part of this comes down to how security testing is traditionally done. A once-a-year audit or vulnerability scan gives a snapshot, but it will not tell you what a determined attacker could do if they spent six weeks probing your systems. That detection gap is one of the main reasons so many incidents go unnoticed until significant damage has already been done.
The Big Picture
Four in five UK businesses experienced a cyber incident last year. For very large firms, the combination of scale and complexity creates significant exposure. For medium-sized businesses, limited internal resource and increasing attack sophistication present their own challenges.
The data suggests the answer is not more investment in technology alone. It is more consistent testing, better monitoring, and a clearer understanding of where the real vulnerabilities sit.
The businesses that come out of this better will not necessarily be the ones that spend the most. They will be the ones that know where they are exposed before someone else finds out.
