The UK Government's Cyber Security Breaches Survey 2025/2026 landed last month. The headline figure — 43% of UK businesses suffered a cyber attack or breach in the past 12 months — sounds alarming. But the detail behind it is more alarming still.

We've broken it down in plain English, without the jargon, so you can understand what it actually means for your business.

The numbers you need to know

43% of UK businesses experienced a cyber breach or attack in the past year. That's roughly 612,000 businesses. For context, that's not 43% of large enterprises with dedicated security teams — that's businesses of all sizes, including yours.

50% of small businesses (10–49 employees) reported at least one breach or attack. If your business has fewer than 50 people, you're statistically more likely than not to have been targeted.

Phishing is still the dominant attack method, accounting for the vast majority of incidents. An employee receives an email that looks legitimate, clicks a link, enters their credentials — and that's it. Game over.

The average cost of a cyber attack for a small UK business is now £3,398. That's the direct cost. Add downtime, lost productivity, reputational damage and the cost of fixing the problem, and the real figure is considerably higher.

28% of UK SMEs say a single attack could put them out of business entirely.

The M&S, Co-op and Harrods wake-up call

If you need a more vivid illustration, look no further than what happened to three of the UK's best-known retailers this spring. Marks & Spencer, Co-op and Harrods all suffered significant ransomware incidents within weeks of each other. M&S alone reported disruption to online orders and systems that cost them tens of millions.

These aren't businesses that skimped on IT. They have dedicated security teams, enterprise budgets and years of experience.

If it can happen to them, it can happen to a ten-person professional services firm in Nottingham.

The difference is that large organisations can absorb the blow. Most small businesses cannot.

Why small businesses are the target

There's a common misconception that cyber criminals are only interested in large, high-value targets. The reality is the opposite.

Automated tools scan thousands of businesses simultaneously looking for the path of least resistance. Small businesses consistently represent that path — fewer security controls, less staff training, and often no dedicated IT support at all.

96% of UK businesses that suffer a cyber attack are small or medium-sized. Not because attackers specifically want them — but because they're easier to breach.

Criminals aren't after your data specifically. They're after access, credentials, and the ability to encrypt your systems and demand a ransom. A small business is just as valuable a target for ransomware as a large one, if its backups aren't working and its owner is desperate to get their files back.

The new compliance pressure: 19 June 2026

Here's a date your business needs in the diary: 19 June 2026.

Under the Data (Use and Access) Act 2025 — the UK's updated data protection framework which received Royal Assent last year — all UK businesses must have a formal internal process for handling data protection complaints in place by this date.

The Act also significantly increases the maximum fines for serious data breaches under PECR (the rules governing electronic communications and marketing), bringing them in line with UK GDPR levels — up to £17.5 million or 4% of global turnover.

This isn't theoretical. The Information Commission (the successor to the ICO under the new Act) has expanded powers and is actively enforcing. A data breach that previously might have resulted in a warning could now result in a substantial fine.

What actually works

The good news is that the vast majority of successful cyber attacks exploit basic, fixable weaknesses. The NCSC's own research suggests that 97% of successful attacks could have been prevented with modern, properly configured security controls.

Here's what makes the biggest difference:

Multi-factor authentication (MFA) — Requiring a second form of verification to log in blocks the majority of credential-based attacks. If someone steals your password, MFA means they still can't get in. This is the single highest-impact control you can put in place and it costs almost nothing.

Staff awareness — Most breaches start with a human click. Regular, practical training on how to spot phishing emails dramatically reduces the risk. This doesn't need to be expensive or time-consuming — even a 30-minute session once a quarter makes a measurable difference.

Patching and updates — Unpatched software is one of the most common attack vectors. Keeping operating systems and applications up to date closes the doors that attackers rely on. Managed IT support handles this automatically.

Working backups — If the worst happens and your systems are encrypted by ransomware, a recent, tested backup is the difference between a bad day and a business-ending one. The key word is tested — backups that haven't been verified don't count.

Endpoint protection — Basic antivirus is no longer sufficient. Modern Endpoint Detection and Response (EDR) tools monitor device behaviour in real time and can catch threats that traditional antivirus misses.

Where Cyber Essentials fits in

Cyber Essentials is the UK Government-backed certification scheme that covers the five most important technical controls — secure configuration, access control, software updates, malware protection and firewalls. It's been shown to prevent around 80% of common cyber attacks.

It's also increasingly required by clients and public sector procurement — particularly if you're tendering for government contracts or working with regulated industries like legal, financial services or healthcare.

At Foxcube IT, we guide businesses through the Cyber Essentials process as part of our managed IT support — helping you understand what's required, get the controls in place, and work towards certification.

The honest reality for small businesses in Nottingham

We work with small businesses across Nottingham, and the pattern we see is consistent: most businesses know they should be doing more on cyber security, but it keeps getting deprioritised because there are always more urgent things to deal with.

That's completely understandable. It's also exactly why 43% of businesses got hit last year.

The businesses that don't get hit aren't necessarily more technically sophisticated. They're the ones that have taken a handful of basic, consistent steps — MFA, patching, backups, training — and maintained them. That's it.

If you're not sure where your business stands, or you want an honest view of what your current setup is missing, we offer a free IT assessment. No pressure, no obligation — just a straightforward conversation about what you've got and what, if anything, needs attention.

What to do next

1. Check whether MFA is enabled on your Microsoft 365 accounts, email and any cloud services your team uses. If it's not, switch it on today.

2. Check your backups — when were they last tested? Do you actually know you could restore from them?

3. Talk to your team about phishing. Show them what a suspicious email looks like. It takes ten minutes and it works.

4. Get a free assessment from Foxcube IT — we'll tell you honestly where your gaps are and what they'd cost to fix.

Get a free IT assessment →

Foxcube IT provides managed IT support for small businesses across Nottingham, Nottinghamshire and the UK. We offer flat-rate plans with no contracts, onsite visits where needed, and a team that genuinely knows your setup.

Sources: UK Government Cyber Security Breaches Survey 2025/2026 (DSIT & Home Office); StationX Small Business Cybersecurity Statistics 2026; NCSC Small Business Guide; Data (Use and Access) Act 2025.