UK Cyber Security Breaches Survey 2026: What the Official Government Data Reveals About Business Risk
Every year the Department for Science, Innovation and Technology and the Home Office publish the UK's official cyber security breaches survey. It is the most authoritative picture available of how UK businesses actually think about and manage cyber risk. The 2025/2026 edition, published in April 2026, contains a finding that should stop every IT director, CISO and board member mid-coffee on a Monday morning.
The proportion of businesses and charities experiencing any negative outcome following a breach or attack has remained consistent with previous years, while there has been a notable increase in businesses reporting that breaches led to loss of revenue or share value, rising from 2% to 5%, and an increase in those reporting reputational damage, rising from 1% to 3%.
Those percentages sound small. They are not. They represent thousands of UK businesses in a single year for whom a cyber incident translated directly into money leaving the business and reputation leaving the room. And they are rising, not falling.
Key takeaways
58% of UK business leaders ranked cyber-related breaches as their top risk for 2026, with three-quarters doubting their ability to manage them.
Only around a third of businesses conducted a risk assessment covering cyber security.
Staff security training remained stable at 19% of businesses, showing no meaningful improvement.
The median perceived cost of the most disruptive breach was zero, suggesting widespread underreporting and miscalculation of true breach costs.
The survey measures active infrastructure risk. It does not measure end-of-life IT disposal risk, which remains the largest unmeasured gap in most organisations' security posture.
The gap that defines the 2026 picture
The single most striking data point in the survey is not a breach statistic. It is the distance between two numbers.
Over half of UK business leaders ranked cyber-related breaches as their top risk, with three-quarters doubting their ability to manage them. That is 58% of business leaders at organisations with meaningful turnover saying cyber is their biggest concern. And only 30% of businesses conducted a cyber security risk assessment.
Those two figures cannot both be true without a significant explanation. The explanation is that risk awareness and risk action are disconnected. Businesses feel the threat but have not translated that feeling into the processes, documentation and testing that would actually reduce it. Qualitative insights highlighted that recent high-profile cyber attacks in the media had moved the perception of risk from cyber attacks and breaches up the agenda within organisations. Despite this, staff training and awareness raising activities remained stable across businesses.
Awareness is up. Action is flat. That is the defining characteristic of UK business cyber security in 2026.
What the survey numbers actually show
The survey covers businesses across all sizes and sectors. The findings are not flattering, but they are honest.
The proportion of businesses experiencing any negative outcome following a breach has remained consistent, with 19% for businesses and 11% for charities. These are the organisations that noticed and reported a negative consequence. Given that the median perceived cost of the most disruptive breach was zero, a substantial additional population either experienced breaches they did not attribute to a cost, did not detect the breach at all, or chose not to report it.
The revenue and reputational damage numbers deserve attention because they represent the breaches organisations can no longer explain away. There has been an increase in businesses reporting that the breach or attack led to loss of revenue or share value from 2% in the previous year to 5%, and an increase in those reporting reputational damage from 1% to 3%. These are the incidents that reached the board, reached the press, or reached the customer. Their frequency is rising.
A quarter of business leaders cited reputational damage as one of their top three biggest concerns for 2026, with over two-fifths worrying about the reputational impact of a data breach. Concern is high. Prevention activity is not matching it.

Why the median cost of a breach is zero
The survey reports that the median perceived cost of the most disruptive breach or attack was zero for businesses. This is not because breaches are free. It is because most organisations are not measuring breach costs accurately.
The direct costs of a breach, incident response, forensic investigation, regulatory notification, system remediation, are often absorbed into existing IT and operations budgets without being isolated. The indirect costs, lost contracts, staff time diverted, customer churn, insurance premium increases, are almost never attributed to the breach. And the longer-tail costs, regulatory enforcement, litigation, reputational damage with suppliers and partners, may not materialise for months or years.
The ICO has issued over £65M in fines across 16 penalty notices since 2019. The ICO's enforcement strategy shifted in 2025, culminating in its largest-ever fine of £14 million against Capita for cybersecurity failures exposing the data of millions of people, sitting alongside a growing list of high-profile enforcement actions. When the regulator finds you, the cost stops being zero immediately. The median perceived cost being zero is not evidence that breaches are cheap. It is evidence that most businesses are not counting correctly.
What the survey does not measure
The Cyber Security Breaches Survey focuses on active infrastructure: the systems organisations are using right now, the breaches affecting those systems, and the controls in place to protect them. It does not ask about what happens to IT equipment when it is retired.
This is the largest unmeasured gap in the UK's official picture of cyber security risk. Every device your organisation retires carries the same data it held when it was active. Customer records. Employee files. Financial data. Credentials. If that device leaves your organisation without certified data destruction and a serial-level Certificate of Destruction, the data on it is accessible, recoverable and your ongoing legal responsibility under UK GDPR.
The survey tells us 58% of businesses consider cyber their top risk but only 30% have conducted a risk assessment. It is reasonable to assume that the percentage of businesses with a documented, certified end-of-life IT disposal process is considerably lower than 30%. That gap does not appear in the survey. It appears in ICO enforcement cases, in breach notifications, and in the career of the IT director who signed off on a disposal process that turned out not to be one.
What the data demands from organisations right now
The ICO has signalled that organisations will now not only be expected to comply, but to demonstrate compliance through formalised, carefully thought-through and considered governance and documentation. The survey confirms that most organisations are not there yet. Three actions address the most critical gaps directly.
Conduct a cyber security risk assessment if you have not done so. Only 30% of businesses have. A risk assessment is the foundation of every other security decision. Without it, you are making security investments based on intuition rather than evidence. The NCSC provides free guidance for businesses of all sizes.
Extend your asset management to cover end-of-life devices. Every device that enters your infrastructure should have a documented disposal pathway before it is purchased. Asset management that stops at decommissioning and does not extend to certified destruction is incomplete by definition.
Treat end-of-life IT disposal as a compliance event, not a facilities task. The moment a device is retired, it enters a data protection obligation that does not end until the data on it is certified destroyed. A skip, a skip collection, a donation or a factory reset is not the end of that obligation. A Certificate of Data Destruction from a certified ITAD partner, naming every device by serial number and confirming the destruction standard applied, is.
Retire your IT. Recover its value. Prove it is gone.
NanoSoft provides certified IT asset disposal for UK and EU organisations. Every job applies NIST SP 800-88 Rev. 2 certified data destruction, produces serial-level Certificates of Destruction, and is completed under ISO 27001 certification and ADISA Standard 8.0 assurance. We fill the gap the survey does not measure and your asset register does not track.
Contact NanoSoft: services@nanosoftltd.com | 0800 677 1344 | Unit 8 & 9 Maldon Trade Park, Heybridge, Maldon CM9 4LJ, UK
NanoSoft Team
Writer at Nanosoft - covering ITAD, data security, and sustainable technology lifecycle management.
Found this useful? Share it.
