UK Small Businesses And Charities Reported Fewer Cyber Attacks in 2025. Why That’s Not Good News

Cristina POPOV

February 03, 2026


At first glance, the UK’s latest cybersecurity figures appear reassuring. In 2025, 43% of businesses and 30% of charities reported experiencing a cybersecurity breach or attack in the previous 12 months. In real terms, that amounts to around 612,000 UK businesses and 61,000 charities identifying an incident during the year. This represents a decrease in prevalence among businesses compared to 2024, when 50% of businesses reported a breach or attack, equivalent to roughly 718,000 businesses.

But the drop does not mean there were fewer attacks. According to the Cyber security breaches survey 2025, the decline was driven almost entirely by micro businesses (0–9 employees) and small businesses (10–49 employees) identifying fewer phishing incidents. Among micro businesses, reported phishing fell to 35%, down from 40% in 2024. Among small businesses, it dropped to 42%, down from 49%.

By contrast, medium-sized businesses (67%) and large businesses (74%) continued to report breaches at similarly high levels to the previous year, with no meaningful change compared to 2024.

In other words, the decline is concentrated where visibility is lowest and resources are most limited. The attacks did not disappear; they simply became easier to miss.

Related: Most Small Business Owners Overestimate Their Ability to Spot AI Scams, Survey Shows

Phishing Has Become an Everyday Business Risk

Among organizations that experienced a cybersecurity breach or attack in the past year, phishing was involved in the vast majority of cases, affecting 85% of businesses and 86% of charities. When incidents were identified, phishing was not only the most common cause, but also the most disruptive.

The qualitative interviews highlighted that phishing attacks were described as the most time-consuming to address: large numbers of messages to assess, links to investigate, and staff to support or retrain. Many organizations also reported a growing awareness that more advanced techniques, including AI-based impersonation, are now being used routinely, making malicious messages harder to distinguish from everyday business communication.

Other types of cyber crime included hacking, which affected 8% of businesses and 17% of charities that experienced some form of cyber crime, and ransomware, reported by 7% of businesses that were victims of cyber crime.

In a smaller number of cases, attacks escalated further. Among businesses that experienced cyber crimes involving unauthorized access, account takeovers, or denial-of-service incidents, 5% reported some form of extortion, where attackers demanded payment to end the disruption or restore access.

Related:

10 Common Cyber Attacks Against Nonprofits (and How to Stop Them)

Keep Donors Safe: 8 Cybersecurity Steps Every Nonprofit Should Know

Cybercriminals Are Most Likely to Go After Your Business Data

Businesses in the information and communications sector were significantly more likely than average to report a cyber security breach or attack, with 69% experiencing an incident, compared to 43% of businesses overall. By contrast, organizations in administration and real estate were closer to the national average, with 48% reporting a breach or attack.

In 2025, 7% of businesses reported experiencing a temporary loss of access to files or networks, up from 4% in 2024. Charities reported a different, but related, form of disruption: 5% lost access to third-party services, a sharp increase from 1% the year before.

When incidents did cause serious disruption, the financial impact added up quickly. Based on respondents’ own estimates, the average cost of the most disruptive breach over the past 12 months was £1,600 for businesses and £3,240 for charities. Among organizations that reported non-zero costs, the figures were significantly higher. In those cases, the average cost rose to £3,550 for businesses and £8,690 for charities.

It’s worth noting that these figures are self-reported and likely capture only part of the true impact. Downtime, delayed work, recovery efforts, and ongoing disruption are harder to quantify — and often felt long after systems are back online.

Related: 

Most Common Cyber Threats on Small Businesses and How to Prevent Them

How Hackers Use AI to Target Small Businesses

You Don’t Need an IT Department to Reduce the Risk

In 2025, small businesses showed stronger adoption of basic cyber hygiene measures, a sign that everyday digital risk is being taken more seriously.

Nearly half now carry out cyber security risk assessments (48%), up from 41% in 2024. Cyber insurance uptake increased to 62%, compared to 49% the year before. More businesses also reported having a formal cybersecurity policy in place (59%, up from 51%), as well as business continuity plans that address cyber risks (53%, up from 44%).

In practice, risk tends to concentrate in a small number of places: email accounts, devices, accounting tools, and payment platforms. Protecting those core systems reduces exposure far more than spreading attention across dozens of tools or controls.

Related: Small Business Security Starter Kit: The Tools You Need and Why

Bitdefender Ultimate Small Business Security is designed around that reality. It supports very small businesses (3–25 employees) that don’t have in-house IT by focusing on the areas where attacks are most likely to cause damage. In practical terms, it helps by:

· Blocking phishing, impersonation, and AI-generated scam emails before they reach inboxes

· Flagging suspicious payment requests and scam patterns in real time with Scam Copilot

· Protecting business accounts with a secure password manager and account monitoring

· Stopping constantly evolving malware using behaviour-based detection

· Securing business devices against targeted, AI-driven attacks

· Monitoring for exposed credentials and digital identity risks

Everything is managed through a single, easy-to-use dashboard, without complex setup or ongoing maintenance, and plans start at around $180 per year.

Try Bitdefender Ultimate Small Business Security free for 30 days.

Author


Cristina POPOV

Cristina Popov is a Denmark-based content creator and small business owner who has been writing for Bitdefender since 2017, making cybersecurity feel more human and less overwhelming.
