The latest released UK Government Cyber Security Breaches Survey 2025/2026 highlights a sophisticated threat landscape. The proportion of organisations identifying a cyber security breach or attack in the past 12 months has held steady at 43% for UK businesses and 28% for charities, in line with last year's findings. But beneath that headline consistency, the nature of the threats organisations face is evolving, shifting the focus from reactive IT fixes to proactive testing across more advanced technologies.
One of the most notable findings in this year's survey concerns Artificial Intelligence (AI). Around a third of UK businesses (31%) and a quarter of charities (25%) are either using AI, in the process of adopting it, or actively considering its use. Governance has not kept pace with this adoption. Of that group, only 24% of businesses and 27% of charities reported having cyber security practices or processes in place to manage the specific risks associated with AI.
Phishing attacks remain the most prevalent threat vector, experienced by 38% of businesses and 25% of charities. Furthermore, it continues to be designated as the single most disruptive type of incident, named by 69% of affected businesses and charities alike. Despite this rise in automated and volume-driven phishing campaigns, only 47% of UK businesses have deployed technical controls like two-factor authentication for networks or applications to help reduce the impact of credential theft and just 36% use a VPN for staff connecting remotely.
The survey also points to a significant blind spot around external vendors and partners. Relatively few businesses or charities are taking steps to formally review the risks posed by their immediate suppliers and the wider supply chain. Nationally, just 15% of UK businesses review the cyber security risks posed by their immediate suppliers, and only 6% look further down the line at their wider supply chain. For charities, the equivalent figures are lower still, at 9% and 4% respectively. 48% of larger organisations review the security posture of their immediate suppliers, compared with 30% of medium businesses, 22% of small businesses and 12% of micro businesses. Even among large businesses, formal review of the wider supply chain sits at only 24%.
As organisations navigate these gaps and accelerate their adoption of AI, offensive security testing, including penetration testing and red teaming, becomes a crucial mechanism for exposing the weaknesses the data suggests continue to be overlooked, alongside an ongoing need for robust security assurance and governance. Only 13% of businesses and 7% of charities currently carry out penetration testing, despite it being one of the more direct ways to validate whether technical controls, processes and supplier assurances actually hold up under attack.
Intertek supports businesses and government bodies validate the security of emerging technologies through threat-led penetration testing and consultancy services. Whether assessing AI implementations, conducting Red Team exercises that simulate real-world attack scenarios, or securing IoT and OT environments within manufacturing sectors, our experts help identify weaknesses before they can be exploited. The result is a stronger security posture that enables innovation without introducing unnecessary risk - https://www.intertek.com/cybersecurity/

/Passle/5e4a7839abdfeb03584d01f6/MediaLibrary/Images/2026-03-31-21-45-54-751-69cc4092bd1f61a396ba5dbf.png)
/Passle/5e4a7839abdfeb03584d01f6/SearchServiceImages/2026-06-16-21-37-39-787-6a31c2232736ef604e1e4437.jpg)
/Passle/5e4a7839abdfeb03584d01f6/SearchServiceImages/2026-05-20-17-59-02-206-6a0df666c43bb1b7aa9cdc37.jpg)
/Passle/5e4a7839abdfeb03584d01f6/SearchServiceImages/2026-05-25-13-00-36-825-6a1447f42632fc5c4982c77d.jpg)