The UK Government published its Cyber Security Breaches Survey 2025/2026 on 30 April 2026. The headline figure is uncomfortable: 43% of UK businesses experienced a cyber breach or attack in the last twelve months. That translates to approximately 612,000 businesses. This article draws directly from that report to explain what is actually happening, where the real exposure sits, and what North East SME leadership teams should focus on first.
What the data actually shows
The survey draws from interviews with 2,112 UK businesses and 1,085 charities conducted between August and December 2025. It is the most reliable annual benchmark available on UK cyber resilience. The headline breach rate matters less than the patterns sitting underneath it.
Ransomware fell from 3% to 1% of businesses as a headline figure. That number needs careful reading alongside the M&S, Co-op and Harrods Easter 2026 attacks, which collectively cost an estimated £440 million and happened after the survey fieldwork closed. For the organisations that are hit by ransomware, the financial and operational consequences have grown, even as the raw incidence rate has fallen. The median cost across all incidents in the survey was £0 — because most attacks produce no material outcome. The tail is long for those that do.
Why UK SMEs are still being hit at the same rate
Each year the survey produces a version of the same question: why does the number not fall? Businesses are spending more on security tools, awareness training has become more common, and Cyber Essentials uptake is growing. Yet 43% of UK businesses were still hit last year. Three trends from the 2025/2026 data explain this.
The threats actually causing breaches in 2026
The survey confirms what we see in practice when working with North East manufacturers, professional services firms, healthcare providers, and charities. Understanding where attacks are actually coming from is the starting point for spending time and money in the right places.
Phishing — still the primary entry point, now more convincing
Phishing was involved in 85% of all breaches experienced by UK businesses in the past twelve months. Of all breach victims, 69% cited it as the most disruptive type of incident. The nature of these attacks has changed significantly. The most effective current approaches are:
The advice to look for poor spelling and suspicious formatting is now outdated. These attacks are designed by tools that produce flawless prose. The defence needs to move earlier — to verification habits, clear payment approval processes, and a culture where staff feel able to question requests that seem urgent or unusual.
Credential theft and account takeover
Weak or reused passwords remain one of the simplest attack paths. Once an attacker has access to one account — particularly a Microsoft 365 account — the lateral movement is rapid. Email access reveals ongoing conversations. SharePoint gives access to files. Admin account compromise expands the exposure significantly. This is why MFA on all cloud services is now mandatory under Cyber Essentials v3.3. An attacker with valid credentials is stopped at MFA. Without it, access is immediate.
Ransomware — rarer but more consequential for those affected
Approximately 19,000 UK businesses experienced a ransomware incident where a financial demand was made in the past year. Modern ransomware operations now typically exfiltrate data before encrypting it, creating a compliance and reputational exposure that persists even when backups allow system recovery. For North East organisations, the Redcar and Cleveland Borough Council incident — examined in the BBC documentary Cyber Siege: From Russia to Redcar — illustrated what happens when recovery from an underprepared environment takes weeks rather than days. The financial figures in the national survey reflect a wide distribution. For the organisations at the severe end, the cost is existential.
AI tools as an unmanaged attack surface
This is the fastest-growing governance gap we see across North East businesses in 2026. Staff are using Microsoft Copilot, ChatGPT, and AI-powered features within CRM and productivity platforms without leadership visibility of which tools are in use, what data is being entered, or how outputs are being relied upon. Under Cyber Essentials v3.3, this has moved from a governance consideration to a compliance requirement. AI tools that process organisational data are cloud services under the scheme’s definition and cannot be excluded from scope. A business whose staff are using any AI tool that accesses business data needs those tools in its assessment scope, with MFA enabled and usage governed.
What UK SMEs should focus on in 2026
Cyber security is still treated in many SMEs as primarily an IT purchasing decision. The survey data from 2025/2026, and the pattern we see in practice, suggest this framing is the root of the problem rather than the solution. Most breaches do not occur because a business lacked a particular tool. They occur because decisions were made — about credentials, about approvals, about what to click, about who to trust — without sufficient structure around them. The shift required is from reactive IT support to operational governance.
A practical example
This is a composite based on patterns we have seen across multiple North East client engagements rather than a single named incident. It illustrates why tools alone do not prevent breaches.
No security tool failed. The process failed. There was no requirement to verify bank detail changes by phone to a known number before processing. There was no ownership of that process.
When that structure was introduced — alongside training on exactly this type of attack — similar attempts in the following months were caught before any money moved. The tools did not change. The process did.
What Cyber Essentials v3.3 means for UK SMEs
The survey fieldwork closed in December 2025, before Cyber Essentials v3.3 went live on 27 April 2026. The new requirements directly address the attack patterns the survey documents.
| Change in v3.3 | What it means in practice |
|---|---|
| MFA mandatory on all cloud services | No exceptions for platforms where MFA is available. Assessment fails automatically if MFA is not enforced. Addresses the credential theft pattern behind most account takeovers. |
| Cloud services cannot be excluded from scope | Microsoft 365, CRM, SaaS tools, AI applications, and social media accounts used for business are all in scope. Previously you could shift liability to the provider. That is no longer possible. |
| AI tools now in scope | If an AI tool processes organisational data, it meets the definition of a cloud service and cannot be excluded. Tools described as “in development” or “being trialled” are not exempt. |
| 14-day patching with CVSS threshold | Any update addressing a vulnerability with a CVSS v3 base score of 7 or above must be applied within 14 days — not just updates the vendor labels critical. |
| Director sign-off required | A board-level representative, business owner or equivalent must approve and sign off the assessment answers. Certification cannot be awarded without this. |
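As an added example (not from the survey, the scheme documents or Bondgate IT), a small Python check of the 14-day patching row above: it flags any update whose vulnerability carries a CVSS v3 base score of 7.0 or higher and that was not applied within 14 days of the fix being released, regardless of the vendor's severity label. The record layout, advisory ids and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Thresholds from the Cyber Essentials v3.3 requirement described in the table.
CVSS_THRESHOLD = 7.0
PATCH_WINDOW = timedelta(days=14)


@dataclass
class PatchRecord:
    """One vendor fix tracked by the business (constructed layout, not a real feed)."""
    asset: str
    advisory: str            # placeholder id, not a real CVE number
    cvss_v3_base: float
    fix_released: date
    applied: Optional[date]  # None while the update is still outstanding


def in_scope(rec: PatchRecord) -> bool:
    """The rule keys on the CVSS v3 base score, not on the vendor's own label."""
    return rec.cvss_v3_base >= CVSS_THRESHOLD


def days_overdue(rec: PatchRecord, today: date) -> int:
    """Days past the 14-day deadline; 0 means compliant or out of scope."""
    if not in_scope(rec):
        return 0
    deadline = rec.fix_released + PATCH_WINDOW
    end = rec.applied if rec.applied is not None else today
    return max(0, (end - deadline).days)


def noncompliant(records: List[PatchRecord], today: date) -> List[Tuple[str, str, int]]:
    """Return (asset, advisory, days overdue) for every record breaching the rule."""
    return [(r.asset, r.advisory, days_overdue(r, today))
            for r in records if days_overdue(r, today) > 0]


# Constructed sample data; scores and dates are illustrative only.
TODAY = date(2026, 5, 25)
SAMPLE = [
    PatchRecord("fileserver-01", "ADV-0001", 9.8, date(2026, 5, 1), None),            # outstanding
    PatchRecord("laptop-17", "ADV-0002", 7.5, date(2026, 5, 1), date(2026, 5, 12)),   # in time
    PatchRecord("laptop-17", "ADV-0003", 6.5, date(2026, 4, 1), None),                # below 7.0
    PatchRecord("crm-saas", "ADV-0004", 8.1, date(2026, 5, 1), date(2026, 5, 20)),    # late
]

if __name__ == "__main__":
    for item in noncompliant(SAMPLE, TODAY):
        print("NON-COMPLIANT: %s %s (%d days overdue)" % item)
```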
For businesses certifying or renewing after 27 April 2026, these are the requirements against which they will be assessed. The gap analysis and remediation work required before assessment can begin is often more substantial than businesses expect — particularly around cloud services scope and MFA enforcement across all platforms. Bondgate IT holds Cyber Essentials Plus certification itself and supports North East businesses through the full certification process.