
Cyber attacks continue to hit UK organisations, despite growing awareness driven by high-profile incidents at major brands.
According to the government’s 2025/26 Cyber Security Breaches Survey, nearly half of businesses experienced a cyber attack in the past year, figures that have remained broadly unchanged since the previous year. This stagnation suggests a deeper issue: while awareness is improving, resilience is not keeping pace.
Experts from leading MGA rrelentless and its embedded legal services partner rradar warn that many organisations are still not meaningfully prepared, leaving potentially critical gaps in their ability to respond.
The resilience gap persists
Duane Folkard, Lead Cyber Underwriter at rrelentless, says the Cyber Security Breaches Survey data highlights a disconnect between awareness and action.
“Over four in ten businesses (43%) and around three in ten charities (28%) fell victim in the last year, and yet, only 25% of businesses have a formal incident plan. Response capability still isn’t embedded in day-to-day operations for many businesses.”
He points to a worrying decline in basic risk management practices among SMEs, including risk assessments, cyber policies and business continuity planning.
“Anyone with data worth stealing or operations worth disrupting is a potential target. But the real pressure lands on organisations that can’t afford prolonged downtime, like hospitals, councils, charities, schools and SMEs. Small businesses are slipping on the basics, with 41% conducting risk assessments (down from 48%), cyber policies at 52% (down from 59%), and business continuity plans at 44% (down froom 53%).”
Why businesses are still exposed
Despite increased media coverage of cyber threats, many organisations continue to underestimate their exposure.
Folkard explains that risk is often misunderstood.
“We continue to see a misconception that losses will result from technical failure. In reality, cyber losses are more often subtle and process-based, beginning with people and a lack of governance.”
This can lead to a false sense of security, where businesses assume they would recognise a breach immediately.
“In practice, we see assumptions like ‘we would know if data was stolen’ or ‘we have not noticed any problems,’ but by the time an insurance claim arises, the damage is done. Many businesses are reacting, rather than managing risk.”
Structural challenges, including skills shortages, legacy systems and budget constraints, continue to compound the issue, particularly in the SME market. Folkard also points to AI as a tool that enables bad actors to hack more quickly by lowering the difficulty bar.
Regulation shifts the focus to resilience
Alongside evolving threats, the regulatory landscape is also changing, placing greater emphasis on preparedness and accountability.
Eleanor Coleman, Associate Solicitor at rradar, notes that proposals such as mandatory ransomware reporting could reshape how organisations approach cyber risk.
“Mandatory ransomware reporting has the potential to improve the UK’s overall cyber resilience by providing clearer visibility into the scale and nature of attacks. This kind of data is critical for threat intelligence, resource allocation and national-level response planning.”
However, she cautions that implementation will be critical.
“A fixed reporting deadline could pull resources away from containment and investigation. Public disclosure may carry commercial risks, particularly for SMEs who fear reputational damage, loss of clients or increased scrutiny from insurers and regulators.”
The challenge for policymakers, she adds, will be balancing transparency with a practical, effective response.
Key takeaways for businesses
For businesses looking to close the resilience gap, the fundamentals remain essential.
Joshua Walsh, Information Security Practitioner at rradar, emphasises that
“good defence starts with getting the basics right and ensuring that your foundations are watertight.”
Best practice includes:
- Using strong multifactor authentication (with legacy auth disabled), timely patching, segmented networks and reliable offline/immutable backups
- Regularly testing response capabilities to ensure businesses know how their controls work under pressure, including how quickly they can detect and contain a breach
- Ensure staff training is up to date and useful. It only takes one individual to click on a link that can compromise the business
Ultimately, the goal is to ensure that when – not if – a breach occurs, it is caught early and stopped before it can escalate and spread damage.




















