
Nearly half of UK businesses pwned last year as phishing keeps doing the job like it's 2005

(2026/04/30)


Nearly half of UK businesses are still getting breached, and in many cases, the attacker's big breakthrough is an employee clicking "sure, why not" on a fake login page.

The [1]UK government's latest Cyber Security Breaches Survey, released on Thursday, puts the hit rate at 43 percent of businesses and 28 percent of charities reporting a cyber incident in the past year, equating to approximately 612,000 UK businesses and 57,000 UK charities, numbers that have barely budged since the last time it asked.

Most of these breaches do not start with anything especially cutting-edge. Phishing leads "by far," usually via impersonation emails that send staff to fake login pages or get them to click links, open attachments, or hand over sensitive information.


Everything else barely gets a look-in. Around 85 percent of businesses that reported a breach or attack said it involved phishing, leaving malware, ransomware, and unauthorized access trailing some distance behind.


Among businesses that report break-ins, about a quarter say they occur at least once a week, with a smaller share reporting daily occurrences. Charities are seeing attacks land more often, with the share reporting weekly incidents rising from 18 percent to 26 percent over the past 12 months.

Against that backdrop, there are signs that organizations are trying to get a grip on the problem. Around six in ten medium and large businesses report having a formal cybersecurity policy in place, and incident response planning and cyber insurance have both ticked up year on year. Larger organizations are consistently more likely to have these measures in place than smaller ones.


Policies on ransomware are still a bit of a mixed bag. Around half of businesses (49 percent) and a third of charities (34 percent) say they have a rule not to pay up, about the same as last year. Plenty are still in the dark, with roughly a quarter of businesses and a fifth of charities saying they do not know what their policy is.

Most are covering the basics – at least two-thirds of organizations say they have things like updated malware protection, cloud backups, password rules, firewalls, and restricted admin access in place – but after that, it starts to tail off. Fewer report using measures such as two-factor authentication, formal data backup rules, policies on personal data storage, VPNs, or user monitoring.

What's more, among small businesses, some of the basics have slipped compared with last year. The proportion carrying out cyber security risk assessments has dropped to around four in ten, reversing earlier gains and suggesting those improvements have not stuck.


Supply chains remain another weak spot. Only around one in seven businesses say they review the risks posed by their immediate suppliers, and fewer go any further. The survey puts it at 15 percent checking direct suppliers and just 6 percent looking at the wider chain. Charities are lower again, at 9 percent and 4 percent, respectively.

Then there is the data itself. Around 14 percent of businesses and 22 percent of charities say they hold personal data that is not protected by measures like encryption or anonymization, which means if someone does get in, there is a decent chance they will find something useful.


Overall, breach rates remain high, and phishing continues to do most of the work. The basics exist, they're just not applied everywhere they should be. ®




[1] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-20252026/cyber-security-breaches-survey-20252026#chapter-6-cyber-crime




heyrick

Part of this is inadequacies on the part of the business

The GDPR states that one must implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing.

I can't help but feel that networks set up the 1990s way where any machine has access to everything is a large part of the problem.

An employee should have access to the data that is strictly necessary for their job, and nothing more. A line manager doesn't need access to employee profiles or payroll.

If things are properly sectioned off like this, being pwned doesn't mean handing over everything.

Stricter companies should also run a whitelist of allowed sites and block (and record) everything else.

Technology exists to deal with hapless meatsacks clicking without neurons firing, so use it.

Like a badger

Re: Part of this is inadequacies on the part of the business

"I can't help but feel that networks set up the 1990s way where any machine has access to everything is a large part of the problem."

Never mind small and medium business, somebody had better tell JLR and their IT "experts" at Tata. Or Marks & Spencer, and their IT "experts" at Tata.

retiredFool

Go back to text based email

would likely solve much of it. Make some friction to clicking a link. And one help to that is you see the link goes to pornme.com instead of bankname.com. Also force the text-based email client to show full headers by default. Seeing the email originated from a .kr domain is an easy clue. I use alpine; it is laughable some of the phishing attempts I've seen. A few are quite well structured text and could maybe trick me, but that domain source is a dead giveaway. I never even get to the stage of looking at the link. Now conversely, I've had a few legitimate emails where I think thrice before clicking the link. I have even called a few to verify as the link does not look all that sanitary. Call me crazy, but in decades, never been porned.

Yet Another Anonymous coward

I predict

"training" where you sign everyone up to a new outsourced online service facilitator who send everyone a shortened bitly link to a site where they have to enter all their corporate account details to watch a PowerPoint video about security

Blackjack

If an e-mail app that turned all e-mails into plaintext were a corporate mandate, things would be different.

You can still copy and paste URLs if needed, after all.

Anonymous Coward

Email signing should be a bigger part of the solution

The lack of support (in software and people) for email signing is just mindboggling. Fake emails remain a huge phishing vector, yet few organizations deploy one of the most powerful tools for stopping it. Even a purely internal deployment has tremendous value and doesn't require everybody to adopt a new standard or piece of software all at once. External email relationships can be secured on an as-appropriate basis, where there's both long-term persistence and high value, like the frequent communications between a company's accounting department and a major supplier.

When organizations email among themselves, every employee needs to be able to be certain that the email came from a co-worker. That requires both the signing infrastructure as well as MUAs which display a clear visual indicator when internal email is authentic. The number of breaches because an employee failed to check the originating address or domain is staggering.

Admittedly, software options aren't great. The PGP ecosystem has usability/support issues and has been significantly hurt by the internal schism over the two new competing standards. S/MIME sucks. This needs to be fixed. It's more than a software wishlist. It should be a national/international cybersecurity priority.

I'm not sure what will motivate organizations to change their perspective, short of governments starting to issue fines for instances of gross cybersecurity negligence, especially in cases where simple mitigations would have prevented customer data from being pwned. It's not going to stop as long as the pwned companies can tell their customers "It's your problem now."
