The annual Cyber Breaches Survey – different year, similar problems

The government released its annual Cyber Breaches Survey in late April, gathering data from UK cyber security professionals about what they witnessed in 2025. A year has passed since the last report, but the same issues still dominate the cyber security landscape. Amid the in-depth statistics, there are a few that really stood out.

Last year’s survey reported a seven-point drop in the proportion of businesses identifying a breach, raising hopes across the profession that UK organisations were beginning to see a decline in incidents. The latest findings suggest that optimism may have been premature. The proportion of companies identifying a breach has remained unchanged at 43%, rising to 69% among larger businesses. Phishing remains the most common type of breach or attack by a significant margin, affecting 38% of businesses.

These stats paint a stark picture for the profession, and the phishing figure is the most alarming. With so many breaches coming from a single attack vector – which often targets staff – employee education should be high up the agenda for organisations and revisited constantly to ensure it keeps pace with the evolving threat landscape, particularly as cyber security awareness initiatives help employees build resilience against a wide range of threats, not just phishing. But fewer than a fifth (19%) of businesses conducted staff security training last year, and almost half (42%) don’t even have an agreed process for employees to follow when they come across fraudulent emails or websites.

Plugging these education and awareness gaps feels like the lowest rung of the cyber security 101 ladder. The good news is that engagement does not have to rely on the same tired formats. While the profession continues to debate the effectiveness of traditional security awareness training – which often takes the form of mandatory annual questionnaires – there are plenty of alternative approaches available.

Informal training and awareness programmes are things every organisation should be doing. Whether this comes as a workshop or a regular email on the latest threats seen in the wild, constant reinforcement of the security message can permeate into colleagues’ psyches and into company culture over time. A simple conversation over a coffee between a member of the security team and a less security-aware employee can also help to spread knowledge. More structured internal communications campaigns are another tool in the profession’s arsenal. And external initiatives that highlight new cybercrime tactics or best practice to customers can help to spread information that is applicable to both personal and work lives.

The common thread between these options is a cyber security tool which costs almost nothing to deploy – communication. The profession often prioritises specialist, technical training, which there is certainly a place for. But today’s cyber professional needs to develop both hard and soft skills, and communication is as important as sector-specific training.

To make companies safer and tell a more positive story in next year’s Cyber Breaches Survey, communication must be viewed as central to professional development. These skills should be nurtured constantly, much in the same way that good professionals are always expanding their knowledge of the latest attack and defence techniques.

CIISec LIVE’s theme this year is People Powered: Resilience built on human insight. It will be the perfect opportunity to discuss how organisations are using education and communication to fight back against phishing.
