Nearly Half of UK Businesses Experiencing Cyber Security Breaches: Experts Reveal How to Avoid Becoming a Victim – HR News

Summary

Almost 43% of UK businesses reported a cyber breach in the last year — roughly 612,000 organisations — yet many still lack basic defences such as two-factor authentication. The UK Government’s Cyber Security Breaches Survey 2025 shows high financial impacts (average losses ranging from £990 to £10,000 depending on case details) and rising threats like ransomware and impersonation attacks.

Cybersecurity expert Andy Pickett, CTO at The Business Hub, outlines clear warning signs and sensible steps firms can take: staff training on phishing, checking email domains, monitoring invoices and social media, and establishing board-level accountability. The Business Hub also offers an SME Cyber Risk Checklist to help prepare businesses.

Key Points

  • 43% of UK businesses experienced a cyber breach in the past year — around 612,000 organisations.
  • Average costs: £990 per cyber crime (excl. phishing), £5,900 per cyber-facilitated fraud, £10,000 when excluding zero-loss cases.
  • Most affected sectors: Information & communication (69%), professional/scientific/technical (55%), administration/real estate (48%), finance/insurance (48%), utilities/production (48%).
  • Phishing drives 54% of cyber-facilitated fraud and is increasingly frequent; 29% of businesses see phishing attacks weekly or more.
  • Impersonation attacks affected 34% of breached businesses (51% among small firms) and often follow phishing attempts.
  • Larger businesses are more often targeted (52% hit) and face more ransomware, malware and unauthorised access; ransomware cases have doubled year-on-year.
  • Basic controls remain underused: only 40% use two-factor authentication, 31% use a VPN for remote staff and 30% monitor user activity.
  • Board-level responsibility for cyber security has fallen from 38% in 2021 to 27% in 2025 — a risky trend as cyber risk rises.

Content Summary

The article reports findings from the UK Cyber Security Breaches Survey 2025 and quotes Andy Pickett from The Business Hub on spotting and preventing attacks. It highlights sector differences, the dominance of phishing as an entry vector, and the growing problem of impersonation. Practical advice includes staff training to spot urgency and unusual requests, checking email domains and prior correspondence, scrutinising invoices, monitoring social media for fake profiles, and implementing basic technical controls like 2FA, VPNs and user activity monitoring. The piece stresses the need for senior leadership to take responsibility and points readers to an SME Cyber Risk Checklist at The Business Hub.

Context and Relevance

This is timely for HR teams, IT leads and business owners: as hybrid working and interconnected supply chains grow, attackers increasingly exploit human error and weak basic controls. The data shows the problem is widespread across sectors and sizes, and that many breaches could be mitigated with low-cost, practical steps. The decline in board-level cyber accountability is especially notable — a structural risk that amplifies the impact of technical vulnerabilities.

Why should I read this?

Short and blunt: nearly half of UK firms were hit last year, and it’s probably cheaper and easier to stop most of these than you think. If you look after people, payroll, suppliers or compliance, the pointers here (train staff, lock down logins, spot dodgy domains and fake invoices) are the quick wins that stop nasty, costly headaches. Read this if you want to avoid being the next business in the headlines, and save time by getting the practical takeaways laid out for you.

Source

Source: https://hrnews.co.uk/nearly-half-of-uk-businesses-experiencing-cyber-security-breaches-experts-reveal-how-to-avoid-being-a-victim/