Turns out the real problem is not AI but staff still clicking on dodgy emails from 'IT support'
# Incident Report: UK Cyber Security Breaches Survey 2025/2026 Analysis
## Executive Summary
A comprehensive government study reveals that 43% of UK businesses and 28% of charities experienced cyber incidents in the past year, levels essentially unchanged from previous years despite increased awareness. The vast majority of these breaches (85%) are driven by social engineering and phishing rather than AI-driven attacks or zero-day exploits. The report highlights a critical disconnect: basic security controls are widely present, but consistent implementation and supply chain oversight are lacking.
## Incident Details
- **Discovery Date:** April 30, 2026 (Report Publication)
- **Incident Date:** Fiscal Year 2025-2026
- **Affected Organization:** Approximately 612,000 UK Businesses and 57,000 Charities
- **Sector:** Cross-sector (UK Private and Non-Profit)
- **Geography:** United Kingdom
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing; approximately 25% of affected firms report weekly occurrences.
- **Vector:** Phishing (Email-based impersonation).
- **Details:** Attackers impersonate "IT Support" or internal departments to lure staff into interacting with malicious content.
### Lateral Movement
- **Movement:** Unauthorized access via compromised credentials obtained through fake login pages.
### Data Exfiltration/Impact
- **Impact:** 14% of businesses and 22% of charities report that unencrypted or non-anonymized personal data was exposed during breaches.
### Detection & Response
- **Detection:** Primarily through user reporting or internal monitoring. Proactive assessment is weakening at the small end of the market: the share of small organizations carrying out regular risk assessments has declined.
- **Response:** Increased uptake in cyber insurance and formal incident response planning among medium and large enterprises.
## Attack Methodology
- **Initial Access:** Phishing (85% of incidents).
- **Persistence:** Not explicitly detailed; likely via compromised user accounts.
- **Privilege Escalation:** Not detailed; where admin access is not restricted, a phished user account may already carry elevated rights, so no separate escalation step is needed.
- **Defense Evasion:** Use of legitimate-looking "IT Support" lures to bypass human psychological defenses.
- **Credential Access:** Credential harvesting via fake login landing pages.
- **Discovery:** Not specified in survey data.
- **Lateral Movement:** Unauthorized access following credential theft.
- **Collection:** Gathering of unencrypted personal data.
- **Exfiltration:** Not specified in survey data.
- **Impact:** Operational disruption and data privacy breaches.
## Impact Assessment
- **Financial:** Not quantified in the summary (no GBP figures cited); 49% of businesses report a policy of not paying ransoms, which limits extortion costs.
- **Data Breach:** Exposure of personal data held without encryption.
- **Operational:** High frequency of attacks (around a quarter of affected firms report them weekly or more often) causes ongoing disruption.
- **Reputational:** High risk for the 14-22% of organizations holding unprotected sensitive data.
## Indicators of Compromise
- **Network indicators:** Traffic to look-alike login domains that imitate the organization's webmail or IT helpdesk portal. The survey itself publishes no domain lists; any specific domains must come from your own mail and proxy logs, not from this report.
- **File indicators:** Malicious email attachments (PDF, DOCX) carrying macros or links to credential-harvesting pages.
- **Behavioral indicators:** Sudden increase in failed login attempts followed by a successful login from an unusual IP; unauthorized changes to mailbox forwarding rules.
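The two behavioral indicators above can be checked mechanically against sign-in and mailbox-audit logs. The following is an added example, not code from the survey or the report: it runs over a constructed event log (ISO timestamp, user, event, source IP, optional `key=value` details) and flags a burst of failed logins followed by a success from an IP the user has never signed in from, and any new mailbox rule that forwards to a domain other than the organization's own. The baseline of known IPs, the `example.org` mail domain, the threshold and the window are all assumptions to be tuned against your own data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in and mailbox-audit events (illustrative, not survey data).
# Format per line: ISO timestamp, user, event, source IP, optional key=value details.
SAMPLE_EVENTS = """\
2026-04-01T08:50:00Z alice LOGIN_OK 198.51.100.10
2026-04-01T09:02:11Z alice LOGIN_FAILED 203.0.113.7
2026-04-01T09:02:19Z alice LOGIN_FAILED 203.0.113.7
2026-04-01T09:02:31Z alice LOGIN_FAILED 203.0.113.7
2026-04-01T09:02:40Z alice LOGIN_FAILED 203.0.113.7
2026-04-01T09:03:05Z alice LOGIN_OK 203.0.113.7
2026-04-01T09:04:30Z alice RULE_CREATED 203.0.113.7 forward=finance-archive@example.net
2026-04-01T10:15:00Z bob LOGIN_FAILED 198.51.100.22
2026-04-01T10:15:20Z bob LOGIN_OK 198.51.100.22
2026-04-01T11:00:00Z carol RULE_CREATED 198.51.100.30 forward=carol.backup@example.org
"""

# Assumed baseline: source IPs each user has successfully signed in from before this window.
KNOWN_IPS = {
    "alice": {"198.51.100.10"},
    "bob": {"198.51.100.22"},
    "carol": {"198.51.100.30"},
}
INTERNAL_DOMAIN = "example.org"      # assumed organisation mail domain
FAIL_THRESHOLD = 3                   # failures within FAIL_WINDOW before a success is suspicious
FAIL_WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse whitespace-separated event lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        details = dict(p.split("=", 1) for p in parts[4:] if "=" in p)
        events.append({"ts": ts, "user": parts[1], "event": parts[2], "ip": parts[3], **details})
    return events


def detect(events, known_ips, internal_domain, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return alerts for (a) a burst of failed logins followed by a success from an
    IP outside the user's baseline, and (b) a mailbox rule forwarding to an external domain."""
    alerts = []
    failures = defaultdict(deque)          # user -> timestamps of recent failed logins
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, q = e["user"], failures[e["user"]]
        while q and e["ts"] - q[0] > window:   # drop failures that fell out of the sliding window
            q.popleft()
        if e["event"] == "LOGIN_FAILED":
            q.append(e["ts"])
        elif e["event"] == "LOGIN_OK":
            if len(q) >= threshold and e["ip"] not in known_ips.get(user, set()):
                alerts.append(("failed_then_success_new_ip", user, e["ip"], len(q)))
            q.clear()                          # a success ends the burst either way
        elif e["event"] == "RULE_CREATED":
            target = e.get("forward", "")
            domain = target.rsplit("@", 1)[-1].lower() if "@" in target else ""
            if target and domain != internal_domain.lower():
                alerts.append(("external_forwarding_rule", user, e["ip"], target))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS), KNOWN_IPS, INTERNAL_DOMAIN):
        print(alert)
```

On the sample data only `alice` trips both rules: four failures in under a minute, then a success from an IP not in her baseline, then a forwarding rule to an external domain. `bob` has a single failure from a known IP and `carol` forwards internally, so neither produces an alert. The baseline of known IPs is the part that needs real history; with an empty baseline every successful login after a burst would alert.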
## Response Actions
- **Containment:** The controls the survey records (firewalls, restricted admin access) are preventive: they limit what a single phished account can reach rather than contain an intrusion already under way.
- **Eradication:** Updated malware protection and password resets for affected accounts.
- **Recovery:** Restoration of data from cloud backups.
## Lessons Learned
- **The "Human Element" persists:** Despite technical advancements in AI, simple social engineering remains the primary threat vector.
- **Small Business Vulnerability:** Risk assessments in small businesses are declining, reversing previous years' security gains.
- **Supply Chain Blindness:** 85% of businesses do not review the risks posed by their immediate suppliers.
## Recommendations
- **Multi-Factor Authentication (MFA):** Implementation of MFA is currently inconsistent; it should be mandated across all accounts. Note that one-time-code MFA (SMS, app-generated TOTP) does not by itself defeat a fake login page: a phishing proxy sitting between the victim and the real site can relay the code within its validity window. Phishing-resistant methods (FIDO2 security keys or passkeys, which bind the authentication to the genuine site's origin) are the ones that actually neutralize credential-harvesting pages.
- **Data Encryption:** Ensure all personal data is encrypted or anonymized at rest so that a breach does not yield a directly usable copy of the data.
- **Supply Chain Audits:** Expand security reviews beyond the internal perimeter to include immediate suppliers and the wider supply chain.
- **Continuous Awareness Training:** Move beyond annual training to frequent, simulated phishing exercises to combat "IT Support" impersonation.
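The MFA recommendation's caveat, demonstrated in code. This is an added simulation, not code from the survey, the report or any vendor: it models a phishing proxy that relays whatever the victim enters on a fake "IT support" login page to the real service. The relay succeeds against an RFC 6238 one-time code but fails against an origin-bound assertion, because the browser feeds the authenticator the origin of the page the victim is actually on and the relying party checks both the signature and the origin. For portability an HMAC with a per-credential secret stands in for the authenticator's public-key signature (an assumption; real WebAuthn/FIDO2 uses asymmetric keys, but the origin binding behaves the same way), and the origins and timestamps are constructed.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed simulation (not from the survey). An HMAC with a per-credential secret
# stands in for the authenticator's public-key signature so the example runs offline.


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class RelyingParty:
    """The genuine login service: holds the user's TOTP seed and credential key."""

    def __init__(self, origin: str):
        self.origin = origin
        self.totp_seed = secrets.token_bytes(20)
        self.cred_key = secrets.token_bytes(32)
        self.outstanding = set()            # challenges issued but not yet consumed

    def verify_totp(self, code: str, unix_time: int) -> bool:
        return hmac.compare_digest(code, totp(self.totp_seed, unix_time))

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.outstanding.add(challenge)
        return challenge

    def verify_assertion(self, challenge: str, origin: str, tag: str) -> bool:
        # Reject unknown or replayed challenges and any origin other than our own,
        # then check the tag covers exactly that (challenge, origin) pair.
        if challenge not in self.outstanding or origin != self.origin:
            return False
        self.outstanding.discard(challenge)
        expected = hmac.new(self.cred_key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(tag, expected)


class Authenticator:
    """The user's security key or passkey. The browser supplies the origin of the
    page the user is actually on; neither the user nor the page can override it."""

    def __init__(self, cred_key: bytes):
        self.cred_key = cred_key

    def sign(self, challenge: str, page_origin: str) -> str:
        return hmac.new(self.cred_key, f"{challenge}|{page_origin}".encode(), hashlib.sha256).hexdigest()


def relay_totp(rp: RelyingParty, unix_time: int) -> bool:
    """Phishing proxy against OTP MFA: the victim types the current code into the
    fake page and the proxy forwards it to the real site within the same time step."""
    victim_code = totp(rp.totp_seed, unix_time)    # what the victim reads off their app
    return rp.verify_totp(victim_code, unix_time)  # proxy submits it: accepted


def relay_assertion(rp: RelyingParty, auth: Authenticator, fake_origin: str):
    """Same proxy against an origin-bound assertion. It forwards the real challenge,
    but the browser signs it together with the fake origin the victim is on."""
    challenge = rp.new_challenge()
    tag = auth.sign(challenge, fake_origin)
    forwarded_unchanged = rp.verify_assertion(challenge, fake_origin, tag)  # origin mismatch
    challenge = rp.new_challenge()
    tag = auth.sign(challenge, fake_origin)
    origin_rewritten = rp.verify_assertion(challenge, rp.origin, tag)      # tag no longer matches
    return forwarded_unchanged, origin_rewritten


def genuine_assertion(rp: RelyingParty, auth: Authenticator) -> bool:
    challenge = rp.new_challenge()
    return rp.verify_assertion(challenge, rp.origin, auth.sign(challenge, rp.origin))


def demo(fake_origin: str, unix_time: int = 1_760_000_000) -> dict:
    """Run all three scenarios against a fresh relying party and report the outcomes."""
    rp = RelyingParty("https://login.example.org")   # assumed genuine origin
    auth = Authenticator(rp.cred_key)
    return {
        "otp_relayed": relay_totp(rp, unix_time),
        "assertion_relayed": relay_assertion(rp, auth, fake_origin),
        "genuine": genuine_assertion(rp, auth),
    }


if __name__ == "__main__":
    print(demo("https://login-example-org.it-support.example"))
```

The result is `otp_relayed: True`, `assertion_relayed: (False, False)`, `genuine: True`. The proxy has only two moves against the origin-bound assertion, forwarding it unchanged (the relying party sees a foreign origin) or rewriting the origin to the real one (the tag no longer verifies), and both fail. That is the property the MFA recommendation should ask for when choosing a method.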