
From insider threats to structural gaps: Lessons from 2025 UK cyberattacks

Author: Menon Renu Devadas, Cybersecurity Specialist, ManageEngine


Current security landscape in the UK

Cybercrime is accelerating globally, but in the United Kingdom, the trajectory is particularly alarming. The country now ranks as the fifth most targeted nation worldwide, accounting for 25% of all cyber incidents in Europe, ahead of Germany and the rest of the region. According to the government's Cyber security breaches survey 2025, 43% of UK businesses (approximately 612,000 organizations) reported a cyberattack or a breach in the last 12 months. Large enterprises accounted for 74% of those breaches.

The threat landscape is also intensifying in impact. According to the same survey, the percentage of businesses that experienced ransomware attacks increased from less than 0.5% in 2024 to 1% in 2025, affecting approximately 19,000 additional businesses. While phishing remains the dominant entry vector, contributing to 93% of breaches, ransomware continues to drive the most severe operational disruption and data loss. Certain sectors such as education are disproportionately targeted, with 91% of UK universities reporting a breach in 2025.

The economic implications are staggering. Cybercrime is estimated to cost the UK £27 billion annually. Although the reported average direct cost of a breach stands at £1,970, this figure masks the greater damage of customer attrition, reputational harm, and long-term business consequences that rarely appear in financial statements.

What drives this trend, and where are UK enterprises falling short? In the following section, we examine the top five cyberattacks faced by the UK in 2025 to extract critical lessons for future resilience.

Recap of major cyberattacks in the UK in 2025

| Targeted enterprise | Point of exploitation | After effects |
|---|---|---|
| Jaguar Land Rover (JLR) | Attackers deployed infostealer malware through spearphishing emails and malicious downloads, leading to compromised data. | £1.9 billion estimated cost (the most economically damaging in UK history); five-week production halt; 27% slump in total UK car production for September. |
| Marks & Spencer (M&S) | Attackers used social engineering to impersonate internal IT staff, tricking the help desk into resetting credentials and gaining unauthorized access to the network. | £300 million estimated profit hit; theft of customer personal data (names, DOB, order history); massive disruption to online orders and in-store stock. |
| Co-op Group | Attackers deployed a sophisticated phishing campaign targeting help desk staff to gain insider administrative access. | £206 million lost in revenue; 6.5 million members' data stolen. |
| Heathrow Airport | Ransomware hit a software provider responsible for check-in and baggage handling systems. | Massive travel delays across the UK and Europe; 651 departures disrupted. |
| His Majesty's Revenue and Customs (HMRC) | Attackers coordinated a campaign using AI-generated "tax refund" emails to harvest thousands of citizen login credentials. | £47 million stolen in fraudulent tax repayments; 100,000 UK taxpayer accounts affected. |

Table 1: Overview of major UK cyberattacks in 2025.

Where UK enterprises remain vulnerable

The most alarming finding from 2025's wave of attacks is not their scale—it's their familiarity. Behind each breach lies a set of systemic vulnerabilities that UK organizations have repeatedly failed to close.

The identity crisis: Human error and access control

In nearly every major incident of 2025, the initial breach did not begin with a sophisticated technical exploit but with a person. Whether through spearphishing, help desk impersonation, or AI-generated credential harvesting, attackers consistently found it easier and more effective to manipulate employees than to break through technical defenses.

Yet security awareness training remains inconsistently applied across UK businesses. The paradox is striking: phishing is the documented cause of 93% of successful business attacks, yet only 17% of UK firms provide any formal cybersecurity training to their staff. Many organizations treat awareness programs as a compliance checkbox rather than a continuous discipline. As attackers incorporate generative AI to produce more convincing and personalized lures, such as emails indistinguishable from genuine internal communications or voice calls mimicking senior executives, the gap between attacker capability and employee awareness is widening faster than most organizations can respond.

The Co-op and M&S attacks revealed vulnerabilities in identity management. Help desk staff were deceived into resetting credentials without proper authentication of the caller, giving attackers network access. Alarmingly, only 40% of UK businesses use two-factor authentication, and privileged access management practices are underdeveloped. The inconsistent application of the principle of least privilege aggravates the situation, highlighting that in an era of frequent credential compromises, identity remains a poorly protected perimeter.

The supply chain trap: Vulnerability through partnerships

The Heathrow disruption did not originate within the airport; it entered through a software vendor. The M&S breach followed a similar path: rather than confront M&S's defenses directly, attackers social-engineered their way through a third-party IT partner, using it as a side door into M&S's core systems. JLR's incident exploited the weakness of its third-party vendor's VPN login credentials. This pattern has increasingly become a deliberate strategy, because attacking a well-resourced enterprise directly is far harder than compromising one of the vendors that has privileged access to its systems.

However, only 14% of UK businesses formally review the cybersecurity risks posed by their immediate suppliers. Fewer still conduct ongoing monitoring once a vendor relationship is established. UK businesses have dramatically expanded their digital supply chains over the past decade, yet procurement and vendor risk management processes have not kept up. A business may invest heavily in its own defenses while remaining entirely exposed through partners that it has no direct control over and, often, no meaningful visibility into.

The consequences extend far beyond the breached organization. The JLR attack illustrates how a single compromise at a critical industrial hub can cascade through an entire sector. With over 100,000 supply chain jobs connected to JLR's manufacturing operations, the five-week production halt was not merely a corporate problem; it was an economic one. As UK supply chains grow more digitally integrated, the potential blast radius of a single well-placed attack continues to expand.

Rethinking cybersecurity: Why it's not just IT's responsibility

In too many UK organizations, cybersecurity continues to be treated as a function of the IT department rather than a strategic business risk requiring board-level ownership and accountability. The data tells a troubling story: Board responsibility for cybersecurity has steadily declined, falling from 38% of UK businesses in 2021 to 27% in 2025. Just when the threat landscape is intensifying, senior leadership is stepping back.

This governance retreat reflects a posture that's reactive rather than anticipatory. Many organizations still treat cyber risk as a low-probability contingency—a "what if" scenario to be managed after the fact rather than an operational reality that demands proactive investment. Incident response plans, where they exist, often remain as untested documents. As the breaches of 2025 repeatedly demonstrated, a plan that has never been exercised is a plan that will fail under pressure.

The governance gap is also a resourcing gap. Larger enterprises have accelerated cybersecurity investment, but the UK's small and medium-sized businesses, which account for 99.9% of the total business population, are increasingly being left behind. Budget constraints leave them operating with minimal or no dedicated security resources, even as the threats they face become more refined and automated. This widening digital divide creates fragility, as attackers use smaller, less-defended organizations as stepping stones to larger targets.

Technical obsolescence: When innovation outpaces security

The speed of digital adoption across UK businesses has consistently outpaced the implementation of basic security fundamentals, creating an environment in which vulnerabilities persist long after fixes are available. Patch management is a case in point: in 2025, only 32% of UK businesses had a policy to apply vulnerability patches within 14 days, meaning the majority left known vulnerabilities unaddressed for weeks or months at a time. Automated exploitation tooling routinely scans the internet for exactly these windows of exposure, turning delayed patching into an open invitation.

Legacy infrastructure compounds the problem. Outdated systems, particularly prevalent in healthcare, manufacturing, and parts of the public sector, often cannot support modern security tooling. This leaves operational environments without adequate protection.

Finally, the arrival of AI-powered attack capabilities is accelerating cyber risk. Attackers are now using AI to automate vulnerability discovery, generate deepfake audio and video for CEO fraud, and craft phishing content at scale and with a level of personalization that previously required significant manual effort. Against this backdrop, 34% of UK businesses report feeling unprepared to manage AI-driven cyber risks, reflecting an inability to keep pace with the speed at which threats are evolving.

Several of the UK's breaches from 2025 involved attackers dwelling inside target networks for extended periods before detection. Attacker dwell time (the window between initial compromise and discovery) is where the most severe damage happens. Yet businesses frequently lack the basic monitoring capabilities needed to identify intrusions early. SIEM, endpoint detection, and proactive threat hunting capacity remain primitive across much of the market. As a result, many organizations only discover they have been breached once the attacker has already achieved their objective.

Outdated framework: A structural reset

The vulnerabilities described in Table 1 are not unknown. The National Cyber Security Centre (NCSC) has documented vulnerabilities, government frameworks have prescribed responses, and organizations such as The MITRE Corporation have provided guidance and tools for attack detection and response. And yet the same weaknesses recur, and the economic and operational damage accumulates. This shows that the UK's prevailing approach of voluntary guidance, self-regulation, and market-driven adoption has reached its limits.

Organizations like the Royal United Services Institute have argued that self-regulated market forces have failed to reduce cyber harm at scale. Businesses rationally under-invest in security when reputational damage is manageable, regulatory penalties are modest, and the probability of any individual incident feels low enough to defer action.

Additionally, the skills crisis makes the challenge more acute. Even where the will to improve security exists, the capacity to act is constrained. With 95% of security leaders reporting conditions that make them likely to leave their roles, the pipeline of skilled professionals available to implement the very guidance that the NCSC provides is draining faster than ever. An estimated gap of over 11,000 cybersecurity professionals across the UK means that strategy, however well-designed, cannot be executed without sufficient workforce development.

Closing the UK's systemic cyber vulnerabilities will require moving beyond the current security model. This means mandatory baseline standards and enforcement, structured investment in the SME and public sector, and a sustained national commitment to building the professional workforce in step with demand.

Turning vulnerability into vigilance

The UK's threat landscape has outpaced the frameworks designed to contain it. Closing these gaps requires a shift in how organizations think about security, and that shift demands investments, better governance, and stronger regulation. It also demands better tools that provide the visibility, speed, and intelligence needed to detect threats before they become breaches.

This is where SIEM becomes critical. Many of the UK's 2025 incidents involved dwell times of days or weeks, with attackers moving laterally and escalating privileges while defenders remained unaware. A modern SIEM platform addresses this risk directly by aggregating and correlating data across an organization's entire environment in real time. Rather than discovering a breach after the damage is done, organizations with effective SIEM capabilities can identify anomalous behavior, flag credential misuse, and detect supply chain intrusions at the earliest possible stage, while intervention still matters. In an environment where cyber risk is inseparable from business risk, resilience will define which enterprises can operate, grow, and compete with confidence.
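The help-desk impersonation pattern described in the M&S and Co-op recaps, and the correlation a SIEM is expected to perform on it, can be shown concretely. The following is an added example written for this article, not code from the article's author or from any ManageEngine product. It chains three events across separate log sources: a help-desk password reset, a login on that account within a short window from a source address the account has never used, and a privileged-group change shortly after. The log format, field names, hosts, IP addresses and the 30-minute windows are all constructed for the illustration; a production rule would read these from the SIEM's normalized schema and a historical baseline.

```python
"""Added example: a minimal SIEM-style correlation rule for help-desk
credential-reset abuse.  All log lines, field names and thresholds below are
constructed for illustration and are not from the article or any product."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data).
# Format: timestamp|log source|action|account|key=value details
SAMPLE_LOGS = """\
2025-04-14T09:02:11|helpdesk|password_reset|j.smith|ticket=HD-0412 verified_by=callback
2025-04-14T09:05:40|vpn|login_success|j.smith|src=203.0.113.9
2025-04-14T09:06:02|ad|group_add|j.smith|group=Domain-Admins actor=svc-helpdesk
2025-04-14T10:15:00|helpdesk|password_reset|a.jones|ticket=HD-0415 verified_by=manager
2025-04-14T13:40:22|vpn|login_success|a.jones|src=198.51.100.23
2025-04-13T08:00:00|vpn|login_success|j.smith|src=198.51.100.77
"""

# Constructed baseline of source addresses each account has used before.
# A real SIEM would derive this from login history (UEBA-style profiling).
KNOWN_SOURCES = {
    "j.smith": {"198.51.100.77"},
    "a.jones": {"198.51.100.23"},
}

# Correlation windows are assumptions for the example, not recommended values.
RESET_TO_LOGIN_WINDOW = timedelta(minutes=30)
LOGIN_TO_PRIV_WINDOW = timedelta(minutes=30)


def parse_events(text):
    """Parse the constructed pipe-delimited format into sorted event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, source, action, user, detail = line.split("|", 4)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "action": action, "user": user, **fields})
    events.sort(key=lambda e: e["ts"])          # correlation needs time order
    return events


def correlate(events, known_sources=KNOWN_SOURCES):
    """Return alerts for reset -> new-source login (-> privileged change).

    Severity is driven by how far the chain runs: a reset followed by a login
    from a never-seen source is 'medium'; a privileged-group change on the
    same account shortly after that login raises it to 'high'.
    """
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        for i, reset in enumerate(evs):
            if not (reset["source"] == "helpdesk"
                    and reset["action"] == "password_reset"):
                continue
            for login in evs[i + 1:]:
                if login["action"] != "login_success":
                    continue
                if login["ts"] - reset["ts"] > RESET_TO_LOGIN_WINDOW:
                    break                       # too late to tie to the reset
                if login["src"] in known_sources.get(user, set()):
                    continue                    # familiar source: benign reset
                alert = {
                    "user": user,
                    "severity": "medium",
                    "reset_ticket": reset["ticket"],
                    "login_src": login["src"],
                    "chain": ["password_reset", "login_from_new_source"],
                }
                # Escalate if privileges change soon after the suspect login.
                for priv in evs:
                    if (priv["action"] == "group_add"
                            and login["ts"] <= priv["ts"]
                            <= login["ts"] + LOGIN_TO_PRIV_WINDOW):
                        alert["severity"] = "high"
                        alert["chain"].append(f"group_add:{priv['group']}")
                        break
                alerts.append(alert)
                break                           # one alert per reset is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOGS)):
        print(alert)
```

Run stand-alone, the rule fires once: j.smith's reset is followed four minutes later by a login from an address outside the account's baseline and then by a Domain-Admins membership change, so the alert is rated high; a.jones's reset is followed by a login from a known address hours later and is left alone. The point is the cross-source join, not the individual events: each line is unremarkable in its own log, and the help-desk ticket even records a verification step, which is exactly the condition the article describes when it says resets were granted without proper authentication.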

Related solutions

ManageEngine AD360 is a unified IAM solution that provides SSO, adaptive MFA, UBA-driven analytics, and RBAC. Manage employees' digital identities and implement the principle of least privilege with AD360.


ManageEngine Log360 is a unified SIEM solution with UEBA, DLP, CASB, and dark web monitoring capabilities. Detect compromised credentials, reduce breach impact, and lower compliance risk exposure with Log360.


This content has been reviewed and approved by Ram Vaidyanathan, IT security and technology consultant at ManageEngine.