Cyber Breaches Hit 43% of UK Businesses: Why Compliance Can No Longer Be Treated as “IT’s Problem”
The latest UK Government Cyber Security Breaches Survey 2025/2026 gives business leaders, contractors and public-sector suppliers a clear warning: cyber risk is now a mainstream operational risk.
According to the survey, 43% of UK businesses experienced a cyber security breach or attack in the last 12 months. That is around 612,000 UK businesses affected. The risk increases sharply with business size: 65% of medium businesses and 69% of large businesses reported a breach or attack.
This matters because cyber security is no longer just about firewalls and passwords. It now affects tenders, insurance, supplier approval, business continuity, client trust and board accountability.
What happened?
The UK Government’s latest survey shows that cyber breaches and attacks remain common across the UK economy. The report also makes an important point: these figures only include breaches and attacks that organisations were able to identify and were willing to report, so the true level of exposure may be higher.
For business owners, procurement teams and compliance leaders, this should trigger one simple question:
If a client, insurer or auditor asked for evidence of your cyber controls today, could you provide it quickly and confidently?
If the answer is no, the issue is not only cyber security. It is governance.
Why this matters for small businesses
Small businesses often assume they are too small to be targeted. That is a dangerous assumption.
Cyber criminals do not only target large organisations. They look for weak passwords, unpatched devices, poor access controls, missing backups, weak email security and staff who have not been trained to spot phishing.
For SMEs, one cyber incident can mean lost files, delayed payments, damaged customer trust and cancelled contracts. The practical response is not panic. It is getting the basics right.
That means checking:
Your devices are updated.
Your users only have the access they need.
Your password policy is enforced and multi-factor authentication is enabled.
Your backups are tested.
Your staff know how to spot suspicious emails.
Your cyber policies are current and understood.
This is where Cyber Essentials readiness becomes valuable. Cyber Essentials is a UK Government-backed scheme designed to help organisations protect themselves against common online threats.
Why this matters for medium businesses and growing contractors
Medium-sized organisations are often in the highest-pressure position. They are big enough to be targeted, but not always mature enough to have fully embedded cyber governance.
The Government survey shows 65% of medium businesses experienced a cyber breach or attack.
For contractors and suppliers, the risk is even more commercial. If you cannot show cyber readiness, you may lose access to frameworks, public-sector contracts, large clients and supply-chain opportunities.
Cyber Essentials, Cyber Essentials Plus and ISO 27001 are no longer “nice to have” badges. They increasingly act as trust signals. They tell buyers that you take security, continuity and governance seriously.
Why this matters for large organisations and multinationals
For larger organisations, the challenge is not only protecting their own systems. It is protecting the whole supply chain.
A major organisation can have strong internal controls but still be exposed by weaker suppliers, contractors, software providers or outsourced partners.
That is why supplier cyber assurance should be treated as part of contractor management, not separate from it. Large organisations should be asking:
Which suppliers access our systems or data?
Which suppliers hold Cyber Essentials, Cyber Essentials Plus or ISO 27001?
When were supplier controls last checked?
Do we have evidence, or are we relying on declarations?
Do we know what happens if a supplier suffers a breach?
The organisations that manage this well do not wait for an incident. They build structured assurance into procurement, onboarding and supplier reviews.
Why this matters for public-sector bodies
Public-sector bodies carry a unique burden: public accountability.
A cyber incident can affect service delivery, resident data, supplier payments, operational continuity and public confidence. Public-sector buyers are also under pressure to make procurement more transparent, risk-aware and evidence-led.
This means suppliers increasingly need to prove that cyber security is under control: not with vague statements, but with certificates, policies, audit trails and practical evidence.
For councils, LEPs, public bodies and government-linked organisations, the key question is:
Do our suppliers have enough cyber control to safely support public services and public projects?
If not, that risk sits too close to the authority.
What organisations should check now
Every organisation should complete a simple cyber readiness review.
Start with these checks:
Do we know all devices, users and systems in scope?
Are all devices patched and supported?
Is multi-factor authentication active for key accounts?
Are backups tested and protected?
Are staff trained on phishing and impersonation risks?
Do we have a cyber incident response plan?
Are suppliers held to minimum cyber standards?
Can we prove our controls to clients, insurers or auditors?
If you cannot evidence these points, you are not yet cyber-ready.
How TPMG can help
TPMG helps organisations move from uncertainty to control.
We support clients, contractors and public-sector bodies with:
Cyber Essentials readiness audits.
Cyber Essentials Plus readiness support.
ISO 27001 internal audits.
Supplier cyber assurance.
Business continuity reviews.
Internal audit and risk assurance.
Policy and evidence pack preparation.
Contractor and supply-chain compliance support.
Our role is simple: we help you identify the gaps, prioritise the fixes, and build evidence that stands up to clients, insurers, procurement teams and auditors.
Final thought
The Government’s latest cyber statistics show that cyber breaches are not rare events. They are part of the modern risk landscape.
For businesses, contractors and public-sector bodies, the winning position is not to wait until something goes wrong.
It is to get ready now.
Speak to TPMG about Cyber Essentials readiness, ISO 27001 internal audits or supplier cyber assurance.