The Register

Ransomware crims hammering UK more than ever as British techies complain the board just doesn’t get it

The UK government’s latest annual data breach survey shows the number of ransomware attacks on the isles is on the increase – and many techies are forced to constantly and informally ask company directors for defense spending because there are no security people on the board.

“[The board is] very involved, they don’t give full autonomy to us to do whatever we want. We need to have a constant dialogue of this is what we’re doing, this is why we’re doing it,” one IT and digital services manager told the survey, while an unnamed cyber architect commented: “Nothing gets approval without first going to them [the board] and saying, this is exactly what it will do, what it will mean, what it is, how the money will be spent.”

Compared to the previous year, in which the survey showed less than 0.5 percent of organizations reported ransomware events, the proportion has risen to 1 percent of all organizations – an estimated 19,000 in total.

The survey split the data between businesses and charities, revealing the former to be far more susceptible to ransomware. The data showed that 7 percent of businesses (micro, small, medium, and large) that were victims of some kind of cybercrime were hit by ransomware in the past 12 months, although this represents 1 percent of businesses overall.

The proportion of charities that were victims of ransomware stood at fewer than 0.5 percent, which perhaps reflects the nature of the crime. Cybercriminals understand that big payouts aren’t likely to come from organizations that lack the bigger cash reserves of a large business.

And that point is reflected in the breakdown of organization types that experienced any kind of cybercrime in the past 12 months, with larger businesses reporting being victimized the most compared to smaller organizations. The smaller the business, the fewer the cybercrimes experienced. The data on that is consistent year on year.

Although ransomware attacks increased significantly this year for UK organizations, with just 4 percent of businesses reporting them in the previous year, the overall prevalence of cybercrime has remained broadly consistent. 

In the previous reporting year, 2024, 22 percent of businesses reported being victimized by some kind of cybercrime, whereas in the current reporting year, 2025, this dropped slightly to 20 percent. 14 percent of charities reported cybercrime issues in both years.

The survey makes it clear that cybercrime is different from cyberattacks and data breaches. A data breach can also be a cybercrime, but isn’t always. For clarity, in the context of the survey, cybercrimes are categorized as ransomware, denial of service, malware, phishing, or hacking – unauthorized access of systems, files, or accounts.

Boards lacking

What experts have said was more concerning, however, was the overall decline of boards assuming responsibility for cybersecurity outcomes.

Despite cyber remaining a priority for the majority of organizations, the survey showed that board-level responsibility for cybersecurity has been in decline since 2021. 38 percent of businesses had a cyber specialist on the board four years ago compared to just 27 percent now.

Etay Maor, chief security strategist at Cato Networks, said: “While the survey noted a concerning trend of declining board-level responsibility for cybersecurity, it’s essential that leadership recognizes cyber risk as a core business concern. Boards should ensure that robust security strategies are in place, including incident response plans that specifically address ransomware scenarios.”

With the disconnect between cybersecurity and the organization being a known problem for such a long time, one that especially pervades the NHS, insiders say, the continued decline in board participation will be seen as one of the more concerning findings of the report for defenders.

Repeat offenders

Where an organization experienced one type of cybercrime in a calendar year, in most cases there were multiple incidents, although depending on how you look at the data the degree of revictimization varies wildly.

For example, the mean data showed that if at least one cybercrime was experienced by a business, on average that business would have been hit by 30 crimes in that year. For charities, the number was 16 for the year.

However, median data showed businesses hit by at least one crime on average suffered a total of four in a year, with the number also staying at four for charities. The survey stated the median data was probably more reflective of a typical organization.

All in all, the UK government estimates that there were 8.58 million cybercrimes of all types in the past 12 months, most of which are related to phishing. Only 680,000 of these were not categorized as such.

Small businesses improve, charities regress

While phishing remains the most common form of cybercrime in the UK, there has been a notable drop – so notable, in fact, that it was highlighted as the primary reason for the drop in security breaches or attacks at smaller businesses across the year. 

The survey showed a drop from 50 percent to 43 percent in 2025, adding that a drop in phishing attacks on micro and small businesses was to thank. The overall prevalence of breaches and attacks for medium and large businesses, 67 percent and 74 percent respectively, remained consistent year on year.

Small businesses in general demonstrated improved cyber hygiene on multiple metrics, with increasing numbers investing in security risk assessments, cyber insurance, formal cyber policies, and business continuity plans.

High-income charities, meanwhile, showed varying levels of decline in multiple areas such as activities to identify cyber security risks, reviewing immediate supplier risks, and having formal cyber strategies in place.

Most organizations had the basic technical controls in place, although a detail that is perhaps illustrative of where cybersecurity is at in the UK – two-factor authentication being considered an advanced control – showed concerningly low levels of adoption. Less than half of businesses (40 percent) and barely more than a third of charities (35 percent) had 2FA enabled.

Cyber Security Minister Feryal Clark said: “These figures show why we’ve put such a focus on making sure the UK has robust cyber security defences in place.

“Cyber attacks are disrupting our citizens, businesses and economy, and this year’s survey puts the risks we face into sharp focus. While we are making progress there’s still more to do, and we all have a role to play.”
