Ransomware attacks among businesses have declined compared with the previous two years (1% this year down from 3% in both 2024/2025 and 2023/2024)

Impersonation breaches or attacks were significantly down among charities compared with the previous two years (7% this year down from 11% in 2024/2025 and 12% in 2023/2024).

There has been an increase in businesses reporting that the breach or attack led to loss of revenue or share value (2% in 2024/2025 to 5% in 2025/2026) and an increase in those reporting it resulted in reputational damage (1% in 2024/2025 to 3% in 2025/2026).

Adoption of more advanced controls like two-factor authentication (47% businesses and 38% charities), a virtual private network for staff connecting remotely (36% businesses and 17% charities) and user monitoring (30% businesses and 31% charities) remain lower than other measures.

A formal cyber security strategy was in place for almost six in ten medium businesses (57%), rising to seven in ten large businesses.

Around one in seven businesses (14%) and one in five charities (22%) said they held personal data that was not protected by techniques such as anonymisation or encryption, suggesting that the majority do protect personal data (77% of businesses and 69% of charities).

Around a third of businesses (30%) conducted a risk assessment covering cyber security, in line with last year (29%).

Cyber security was considered a high priority for senior management in around seven in ten businesses (72%) and six in ten charities (60%).

Seeking external information or guidance on cyber security was reported by 44% of businesses and 31% of charities.

The most commonly cited individual source of information remained external cyber security or IT consultants/providers (27% of businesses and 13% of charities).

Small businesses incured at least $131 billion in losses from fraud, scams, and ransomware last year.

Average losses for small businesses ranged from nearly $60,000 for payment fraud to more than $90,000 for email compromise.

51% of small business owners say business owners themselves are "very responsible" for preventing and protecting against fraud.

47% of organisations concentrate responsibility for managing digital resilience within a single function rather than sharing it across the C-suite

25% of organisations across surveyed markets say their responses to digital disruption largely go to plan

77% of organisations experienced a cybersecurity incident in the past year.

34% say AI has created new security blind spots.

37% of CIOs deploy AI bias processes.

44% of CIOs are turning to managed services to fill critical security gaps.

Over a quarter of CIOs report AI as a significant source of risk, placing it on par with malware, ransomware and phishing.