Turns out the real problem is not AI but staff still clicking on dodgy emails from 'IT support'

Nearly half of UK businesses are still getting breached, and in many cases, the attacker's big breakthrough is an employee clicking "sure, why not" on a fake login page.…
# Incident Report: UK National Cyber Security Breaches Survey (2025/2026)
## Executive Summary
According to the UK government's latest survey, 43% of UK businesses and 28% of charities—representing roughly 669,000 organizations—experienced a cyber incident in the past year. Phishing remains the primary attack vector, accounting for 85% of all reported breaches, driven largely by employee interaction with fraudulent links and fake login pages. Despite an uptick in formal response planning, many organizations still suffer from inconsistent security controls and poor supply chain risk management.
## Incident Details
- **Discovery Date:** Thursday, 30 April 2026 (Report Publication)
- **Incident Date:** 2025–2026 Reporting Year
- **Affected Organization:** Multiple (Estimated 612,000 businesses; 57,000 charities)
- **Sector:** Cross-Sector (UK Business and Voluntary Sector)
- **Geography:** United Kingdom
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing; approximately 25% of affected businesses report weekly incidents.
- **Vector:** Phishing (Social Engineering).
- **Details:** Attackers impersonate "IT Support" or other trusted entities via email to direct employees to fraudulent login portals or distribute malicious attachments.
### Lateral Movement
- **Details:** Not specifically detailed in the aggregate report, though it notes that attackers take advantage of gaps in restricted admin access and the lack of user-activity monitoring at smaller firms.
### Data Exfiltration/Impact
- **Details:** 14% of businesses and 22% of charities report holding unencrypted personal data, leading to the compromise of sensitive information upon successful entry.
### Detection & Response
- **How it was discovered:** Internal monitoring and reporting; however, gaps remain in smaller organizations where risk assessments have decreased.
- **Response actions taken:** Increased adoption of formal cybersecurity policies, incident response planning, and cyber insurance among medium and large enterprises.
## Attack Methodology
- **Initial Access:** Phishing (Email-based impersonation).
- **Persistence:** Not specified (likely via stolen credentials).
- **Privilege Escalation:** Exploitation of weak admin access controls.
- **Defense Evasion:** Use of legitimate-looking "IT Support" branding to bypass human skepticism.
- **Credential Access:** Fake login pages designed to harvest employee credentials.
- **Discovery:** Identifying unprotected personal data and unencrypted databases.
- **Lateral Movement:** Not detailed.
- **Collection:** Gathering sensitive personal data and financial information.
- **Exfiltration:** Not detailed.
- **Impact:** Business disruption and data breach.
## Impact Assessment
- **Financial:** Significant (High volume of incidents; exact monetary value varies per organization).
- **Data Breach:** High volume of personal data; 14–22% of organizations store this data in plain text/unencrypted formats.
- **Operational:** High; roughly 25% of affected organizations face weekly operational interruptions.
- **Reputational:** Widespread public loss of trust in charity and small business digital security.
## Indicators of Compromise
- **Network indicators:** Emails originating from look-alike domains (e.g., support[.]it-dept-uk[.]com).
- **File indicators:** Malicious email attachments (PDFs, ZIPs, or DOCX) delivering malware/ransomware.
- **Behavioral indicators:** Unusual login activity on "fake" enterprise portals; staff clicking on links in unsolicited IT-themed emails.
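The network indicator above (a look-alike, IT-themed sender domain) is the kind of thing a mail gateway or SIEM can triage automatically. The script below is an added example, not code from the survey or the article: it scans constructed gateway log lines and flags senders whose domain is either a near-match of the organisation's own domain or an unknown domain dressed up with IT-support branding. The organisation domain `example-corp.co.uk`, the trusted-domain list and the log lines are made-up placeholders; the one real value taken from this report is the defanged `support[.]it-dept-uk[.]com` indicator, which the script refangs before matching.

```python
"""Flag inbound mail whose sender domain looks like an IT-support impersonation.

Added example (not from the survey or the article). The organisation domain,
trusted-domain list and log lines are constructed placeholders.
"""
import re
from typing import List, Optional, Tuple

# Hypothetical organisation and the domains it legitimately receives IT mail from.
ORG_DOMAIN = "example-corp.co.uk"
TRUSTED_DOMAINS = {ORG_DOMAIN, "helpdesk.example-corp.co.uk", "mail.vendor-msp.example"}

# Labels attackers use to make a look-alike domain read as an IT department.
IT_THEME_TOKENS = ("it", "support", "helpdesk", "servicedesk", "admin", "sso", "login")

# Constructed gateway log lines: "<msg-id> from=<address> subject=<text>".
# m002 uses the defanged look-alike domain quoted in the report's IoC section.
SAMPLE_LOG = """\
m001 from=alice@example-corp.co.uk subject=Lunch on Friday
m002 from=helpdesk@support[.]it-dept-uk[.]com subject=Action required: password expiring
m003 from=noreply@examp1e-corp.co.uk subject=Re-validate your account
m004 from=billing@mail.vendor-msp.example subject=Invoice 4471
m005 from=news@weekly-digest.example subject=This week in cloud
"""


def refang(domain: str) -> str:
    """Turn a defanged indicator such as it-dept-uk[.]com back into a real domain."""
    return domain.replace("[.]", ".").lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted copies of trusted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> Optional[str]:
    """Return a reason string if the sender domain is suspicious, else None."""
    domain = refang(address.rsplit("@", 1)[-1])
    if domain in TRUSTED_DOMAINS:
        return None
    # (a) near-match of the organisation's own domain (e.g. digit 1 swapped for l)
    if edit_distance(domain, ORG_DOMAIN) <= 2:
        return f"look-alike of {ORG_DOMAIN}"
    # (b) unknown domain whose labels carry IT-support branding
    labels = re.split(r"[.-]", domain)
    hits = [t for t in IT_THEME_TOKENS if t in labels]
    if hits:
        return f"untrusted domain with IT-themed label(s): {', '.join(hits)}"
    return None


def scan_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (msg-id, sender, reason) for every suspicious line in the log."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"(\S+) from=(\S+) subject=", line)
        if not m:
            continue
        msg_id, sender = m.groups()
        reason = classify_sender(sender)
        if reason:
            findings.append((msg_id, sender, reason))
    return findings


if __name__ == "__main__":
    for msg_id, sender, reason in scan_log(SAMPLE_LOG):
        print(f"{msg_id}\t{sender}\t{reason}")
```

Two design points: the trusted-domain check runs first so that a legitimate `helpdesk.` subdomain is never flagged for carrying an IT-themed label, and the edit-distance threshold of 2 is deliberately small so that unrelated short domains do not collide with the organisation's own. In a real deployment the trusted list would come from the mail gateway's configuration and findings would feed a ticket or alert rather than stdout.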
## Response Actions
- **Containment:** Implementation of firewalls and password rules.
- **Eradication:** Use of updated malware protection.
- **Recovery:** Employment of cloud backups for data restoration.
## Lessons Learned
- **Human Element:** AI is often cited as a threat, but traditional human error (clicking links) remains the most exploited vulnerability.
- **Basic Hygiene Gaps:** Adoption of Multi-Factor Authentication (MFA) and VPNs is lagging despite the high prevalence of credential theft.
- **Small Business Vulnerability:** Cybersecurity risk assessments in small businesses have actually declined, creating a growing disparity between SME and large enterprise security postures.
## Recommendations
- **Implement Multi-Factor Authentication (MFA):** Essential to mitigate the impact of phishing-related credential theft.
- **Data Encryption:** Ensure all personal data is encrypted or anonymized to prevent data exposure following a breach.
- **Supply Chain Audits:** Increase scrutiny of third-party suppliers (currently only 15% of businesses do this).
- **Continuous Staff Training:** Move beyond annual training to frequent, simulated phishing exercises to combat "IT Support" impersonation.
- **Formalized IR Planning:** Small businesses and charities should adopt formal Incident Response (IR) plans to reduce recovery time.