Cybercrime Statistics in UK for 2025 – How to Protect Your Business

Padlock resting on a laptop keyboard, lit by red and green neon lighting

I’ve spent a lot of time looking at spreadsheets and security reports over the last few years, and if there is one thing I have learned, it is that numbers rarely tell the whole story. However, the data coming out of the UK for 2025 is hard to ignore.

43% of businesses experienced a cyber-breach or cyber-attack during 2025.

So that’s about 612k businesses. The phishing scam accounted for about 38% of all businesses scammed and that far exceeds all other types of violence.

And the SMEs are the primary targets with some studies suggesting that up to 81% of all cybercrime occurs at SMEs.

If you are running an SME, your must-have programs in place to defend against these types of attacks on your business’s digital infrastructure and enhance your overall digital threat landscape resilience:

  •         Implement MFA;
  •         Train your employees on a regular basis; and
  •         Use a well-established trusted password manager.

These are all required to execute a comprehensive cyber mitigation strategy.

The Raw Data Speak for Themselves

Let’s review the hard facts from the government, according to the Cyber Security Breaches Survey 2025/26, 43% of businesses had experienced a breach of some sort in the past year.

Of those cases, phishing attacks were the most commonplace. Trust me; phishing scams account for 38% of attempted phishing scams against all businesses and a greater percentage among the breached organizations.

Action Fraud reported a total of 299,046 offences under fraud and computer misuse for the 12 months ending March 2025 but we need to remember, however, that over 95% of crimes do not get reported to the police.

There is also the possibility for ransomware attacks as they are still very common. Although fewer businesses encounter this type of incident than with phishing attacks, when they do occur they often cause tremendous damage.

By just examining the most recent stats on British businesses impacted by ransomware, that percentage doubled between 2024 (2%) and 2025 (4%).

This accounts for approximately 19,000 businesses in total, which means that the median ransom demand was approximately $5.4 million in GBP (or £3.9 million) which is more than 2x what it was in the previous year.

Although you may not pay a ransom, the cost to recover (downtime, legal fees, loss of business) from such incidents will often destroy SMEs as a result of their inherent vulnerabilities and lack of data breach prevention protocols.

Why Are SMEs Ideal Targets for Cyber Criminals?

If you are an SME, do not assume that you are too small to be attacked.

Cyber criminals are also aware that many of the smaller businesses do not have dedicated IT infrastructure or practices in place to protect themselves.

As stated in the Cyber Security Breaches Survey mentioned above, small businesses accounted for 42% of all breaches in 2025, while 67% of medium-sized enterprises experienced similar incidents.

There is a belief that larger companies are more likely to have protective measures in place than smaller companies, hence why there are more attacks on smaller businesses.

One compromised email can give cyber criminals access to any payroll system, customer database, or financial institution. Furthermore, it takes only a matter of minutes.

Just 39% of SMEs provide cyber security training to their employees, therefore human error is the greatest risk within the information security environment.

Phishing

Phishing attacks are both common and frequent. Among the businesses surveyed, 84% knew that they were the result of a phishing attack.

Phishing scams can often be so realistic, it is scary. Emails may appear as if they came from one of your corporate executives and in the correct business tone and branding.

Just one click can confer full access to the criminal. The UK Information Commissioner’s Office conducted a study and found that 79% of surveyed businesses detected phishing attempts last year.

This represents both a 7% increase over the prior survey (72% in 2017) and confirms that it is no longer random junk mail from Nigeria, but rather targeted social engineering threats directed at your staff in an effort to create a deadline and/or urgency bias.

What Works: Tactical Steps

A large security budget is not required to combat cyber threats; however, discipline and proper cyber posture are.

Practical health and safety measures will help insulate your organization against data breaches and fortify your threat mitigation strategies.

  1.     Turn on MFA for all systems; as MFA blocks over 99% of attempted account takeovers.
  2.     Use a reputable password manager; as weak, stolen or reused passwords account for the majority of data breaches.
  3.     Implement weekly software patches; as unpatched software represents low-hanging targets for cyber criminals; hence automated patch management is a technology best-practice and must be deployed.
  4.     Back-up data daily; and remember to test your data recovery process on a monthly basis. If you are victimized by ransomware, a current data backup will allow you to recover.
  5.     Run phishing simulation tests on staff quarterly; reward employees who can identify phishing tests; re-train employees who fall victim to phishing tests.

Visit the UK Government Cyber Security Homepage for free, authoritative references regarding cyber security best practises; by leveraging these resources you should be able to gain some level of comfort that your organization is not as exposed as others given the current state of the cybersecurity landscape.

Get Ready for the Inevitable

Regardless of how you view your risk of suffering a cyber-attack, be assured that you will have your chance.

The UK NCSC received 204 reports of ”nationally significant” attacks during the 12 months ending August 2025, more than double the 89 national reports in 2024.

Build and practice a one-page incident response plan that identifies who within your organization is responsible for contacting the authorities, gives information to your customers, and isolates any infected systems; then run through this plan every six months to keep chaos at bay.

Act Now!

Cybercrime is not something that is going to happen at some time in the future; cybercrime is now present in the marketplace today.

In 2025, some businesses (nearly half) will have experienced a cyber-breach. Hoping that you will be one of the few; you will ultimately pay a price for that optimism.

Concentrate on those things that you can control (strong access controls, vigilant employees, and resilient systems) to mitigate your exposure and maintain information security protocols.

The cost of prevention is insignificant when compared to the cost of being compromised. Act now; you must for the survival of your company.