
Just over 4 in 10 UK businesses experienced a cyber security breach or attack in the 12 months covered by the UK Government’s Cyber Security Breaches Survey 2025/2026. Among businesses that identified a breach or attack, 88% experienced phishing, making it by far the most common attack type. Yet the same survey found that only 25% of businesses had a formal incident response plan in place.
That gap, between the likelihood of being attacked and the readiness to respond, is where the real risk lives for most London businesses.
If your organisation does not have an incident response plan and has not tested how it would handle a breach, this article explains what the survey’s findings mean in practical terms and what you should do about it. If you are already working with a managed IT support services provider in London, this is a conversation you should be having with them today.
What the Survey Actually Tells Us
The Cyber Security Breaches Survey is published annually by the UK Government’s Department for Science, Innovation and Technology, in partnership with the Home Office. The latest 2025/2026 edition is based on fieldwork carried out between August and December 2025, including 2,112 UK businesses and 1,085 UK registered charities.
The findings matter directly to SMEs. Just over 4 in 10 businesses, 43%, reported experiencing some form of cyber security breach or attack in the preceding 12 months. For small businesses, the figure was 46%. For medium-sized businesses with 50 to 249 employees, it rose to 65%. For large businesses, it was 69%.
Phishing remains the most common attack vector by a significant margin. Among businesses that identified a breach or attack, 88% experienced phishing. Phishing was also named as the most disruptive type of breach or attack by 69% of businesses that had experienced one.
The survey also highlights gaps in governance. Only 31% of businesses had a board member or senior person with explicit responsibility for cyber security. Just 15% of businesses reviewed the cyber security risks posed by their immediate suppliers, and only 6% reviewed risks across their wider supply chain.
What the survey does not fully capture is the gap between businesses that have been attacked and those that knew about it. The report itself notes that the findings only include breaches or attacks organisations were able to identify and willing to report. In practice, some successful intrusions go undetected for weeks or months. By the time a business realises something is wrong, the attacker may already have achieved their objectives.
Our post on whether your business really needs to worry about cybersecurity addresses the fundamentals for any business still weighing up its exposure. And our post on the importance of secure IT defences against cyber criminals gives broader context to what the survey findings actually mean at ground level.
What the Incident Response Gap Looks Like in Practice
An incident response plan is a documented, tested process that defines exactly what your organisation will do when a security incident occurs. It covers who is responsible for what, how decisions get made, which systems need to be isolated, how communications are handled internally and externally, when to notify regulators, and how recovery is managed.
Most UK businesses still do not have one. The latest survey found that only 25% of businesses had a formal incident response plan. Among micro businesses, the figure was 21%. Among medium-sized businesses, it was 57%, and among large businesses, it was 76%. The survey also found that 45% of businesses had none of the listed incident response measures in place.
The practical consequence of having no incident response plan is that when a breach happens, decisions are made under pressure by people who are not prepared for them. Time is lost working out who is in charge. The wrong people are contacted in the wrong order. Systems that should be isolated are left running. Evidence that would help with any investigation is overwritten. Regulators who should have been notified within a legal timeframe are not.
Under the UK GDPR, organisations must report a personal data breach to the Information Commissioner’s Office without undue delay and, where feasible, within 72 hours of becoming aware of it, where the breach is likely to result in a risk to individuals’ rights and freedoms. If the breach is likely to result in a high risk to individuals, those affected must also be told without undue delay.
Without a prepared and practised process, meeting that deadline reliably is extremely difficult.
The reputational and financial cost of mishandling a breach is often significantly greater than the cost of the attack itself. Our post on the hidden costs of reactive IT explains why proactive preparation consistently pays off, and our post on why IT compliance matters covers the regulatory dimensions that make a structured response not just good practice but a legal expectation.
The Most Common Breaches SMEs Are Currently Facing
Understanding which attacks are most likely to affect your business helps you build an incident response plan focused on the right scenarios. Based on the latest Cyber Security Breaches Survey and current threat patterns affecting UK SMEs, the attacks most likely to affect small and medium-sized organisations include the following.
| Attack Type | What the Latest Survey Shows | Typical First Impact |
|---|---|---|
| Phishing emails | 88% of businesses that identified a breach or attack experienced phishing | Credential theft, malware delivery, or fraudulent payment activity |
| Business email compromise and impersonation | 28% of businesses that identified a breach or attack experienced impersonation of the organisation or staff | Fraudulent payment instructions or compromised supplier/customer communications |
| Malware | 16% of businesses that identified a breach or attack reported devices being targeted with viruses or spyware | System disruption, data exposure, or follow-on compromise |
| Ransomware | 3% of businesses that identified a breach or attack reported ransomware, with higher rates among larger businesses | System lockout, data encryption, operational disruption, and recovery pressure |
| Denial of service attacks | 6% of businesses that identified a breach or attack experienced denial of service attacks | Websites, applications, or online services becoming unavailable |
| Account takeover attempts | 5% of businesses that identified a breach or attack experienced takeovers or attempted takeovers of websites, social media accounts or email accounts | Loss of control over accounts, fraud, reputational damage, and further phishing |
| Supply chain compromise | Not measured as a single attack type in the survey, but only 15% of businesses reviewed immediate supplier cyber risks | Malware, data exposure, or disruption through a trusted third party |
| Insider or accidental access issues | Around 2% of businesses that identified a breach or attack reported unauthorised access by staff, including accidental access | Data exposure, operational disruption, or compliance risk |
Each attack type requires a different response. A well-constructed incident response plan addresses the most likely scenarios specifically, rather than attempting to write a single generic process that inadequately covers all of them.
Our posts on how ransomware attacks unfold and how to protect your business and our small business ransomware guide cover the ransomware scenario in practical detail. Our post on business email compromise explained addresses that specific attack type, and our anti-phishing basics guide is a solid primer on the attack vector that features in the majority of UK breaches.
What a Basic Incident Response Plan Should Include
An effective incident response plan does not need to be a lengthy corporate framework. For most SMEs, a clear and practical document of 10 to 15 pages is considerably more useful than an exhaustive reference that nobody reads or remembers under pressure.
An incident classification system
Not all security incidents carry the same urgency or risk. Your plan should define what constitutes a low, medium, high, and critical incident, with worked examples of each. This allows whoever first notices something wrong to make a sensible decision about how urgently to escalate and which parts of the plan to activate.
Clearly defined roles and responsibilities
Who is in charge during an incident? Who communicates with staff, customers, and suppliers? Who contacts the ICO if required? Who engages your legal team? Who handles press enquiries if the incident becomes public? These decisions need to be made before an incident occurs, not during one.
A contact list that is maintained and tested
Your incident response contact list should be kept current, stored somewhere accessible offline, and verified regularly. If the list lives only in a system that could itself be compromised or unavailable during an attack, it may not be accessible when you need it most.
Containment and isolation procedures
Your plan should include clear, step-by-step procedures for containing a breach once it is identified. This typically covers isolating affected systems from the network, revoking active user sessions, changing credentials for compromised accounts, and preserving logs and evidence before taking any recovery actions.
Pre-drafted communication templates
Having templates ready for staff notifications, customer communications, regulatory reports and, if necessary, press statements saves critical time when an incident is actively unfolding. Drafting a customer notification email from scratch while managing a live breach is not a position any business should be in.
A regulatory notification process
Your plan should include a clear process for assessing whether a breach requires ICO notification, what information needs to be included, and who is responsible for submitting it. The 72-hour window starts from the point you become aware of the breach, not from the point your investigation concludes.
A recovery and post-incident review process
Recovery is not the end of the response. Every incident should lead to a structured review that examines what happened, how the attacker gained access, what was missed, and what needs to change to prevent recurrence. Without this step, the same gaps that enabled the first attack may allow the next one.
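As an added example (not from the article or from Northern Star), a small Python incident record that encodes three points from the plan above and from the first-hour guidance later on this page: documentation begins at the moment of awareness, the ICO 72-hour clock runs from awareness rather than from the end of the investigation, and evidence is hashed and preserved before any recovery action is accepted. The timestamps, file name and log line are constructed for the demonstration.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

ICO_WINDOW = timedelta(hours=72)  # UK GDPR: report to the ICO within 72 hours of awareness
SEVERITIES = ("low", "medium", "high", "critical")


class IncidentRecord:
    """Timeline for one incident, started at the moment of awareness."""

    def __init__(self, title, severity, aware_at):
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity {severity!r}")
        self.title, self.severity, self.aware_at = title, severity, aware_at
        self.timeline = []   # (timestamp, phase, note), documented from awareness onward
        self.evidence = {}   # file path -> sha256 of the preserved copy
        self.log(aware_at, "aware", f"incident declared: {title}")

    def ico_deadline(self):
        # The clock runs from awareness, not from the end of the investigation.
        return self.aware_at + ICO_WINDOW

    def hours_remaining(self, now):
        return (self.ico_deadline() - now) / timedelta(hours=1)

    def log(self, when, phase, note):
        self.timeline.append((when, phase, note))

    def preserve(self, when, path):
        """Hash an evidence file before anything is changed, so later overwriting
        (by recovery work or by the attacker) can be detected against the manifest."""
        digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
        self.evidence[str(path)] = digest
        self.log(when, "preserve", f"sha256 {digest[:12]}... of {Path(path).name}")
        return digest

    def contain(self, when, action):
        self.log(when, "contain", action)

    def recover(self, when, action):
        # The plan requires evidence to be preserved before recovery actions start.
        if not self.evidence:
            raise RuntimeError("no evidence preserved yet; recovery blocked")
        self.log(when, "recover", action)


def demo():
    """Walk a constructed phishing-led mailbox compromise through the record."""
    aware = datetime(2025, 11, 3, 9, 15, tzinfo=timezone.utc)  # constructed timestamp
    inc = IncidentRecord("phishing: finance mailbox compromised", "high", aware)
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "mail-signin.log"   # constructed sign-in log, not real data
        log.write_text("2025-11-03T08:57Z user=finance result=success ip=203.0.113.7\n")
        inc.preserve(aware + timedelta(minutes=10), log)
    inc.contain(aware + timedelta(minutes=20), "revoked sessions, reset finance credentials")
    inc.recover(aware + timedelta(hours=5), "restored mailbox rules from last clean backup")
    return inc
```

Calling `demo()` returns the populated record; `hours_remaining(now)` gives the time left on the ICO clock at any point during the response.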
The Role of Backup in Incident Response
One of the most frequently overlooked elements of incident response planning is backup readiness. In the event of a ransomware attack, destructive malware, accidental deletion, or compromised cloud account, your ability to recover depends heavily on whether you have clean, current, and tested backups in place before the incident occurs.
Our posts on Microsoft 365 backup, cloud-to-cloud backup explained, and backing up your vital business data cover what a solid backup strategy looks like for businesses at different levels of cloud adoption. Your cloud backup company should be able to demonstrate your current backup coverage, your recovery time objectives, and the last date your backups were successfully tested, not simply confirm that backups are running.
Detection: Finding Out You Have Been Breached
You cannot respond to a breach you are not aware of. Some successful attacks go undetected for long periods, giving attackers time to move through your systems, exfiltrate data, and establish persistence before triggering any visible impact.
A dark web monitoring company that alerts you when your credentials appear on criminal forums or breach datasets can give you early warning that an account may be at risk. It does not prove that your systems have been breached, but it can give you a valuable prompt to reset passwords, review access, and investigate suspicious activity before the issue escalates.
Our posts on dark web monitoring explained and dark web monitoring vs breach monitoring explain how these different monitoring approaches work in practice.
Our posts on what to do if your company credentials appear on the dark web, the crucial role of dark web monitoring for stolen login credentials, and employee credentials on the dark web show how credential theft connects to broader breach risk, and what an appropriate response looks like at each stage.
Combining dark web monitoring with endpoint detection and response gives you a stronger chance of identifying an attack at an earlier point. Our posts on EDR vs antivirus vs XDR and why EDR matters more than ever explain how modern endpoint tools contribute to early detection in environments where traditional antivirus may miss the signs of a more sophisticated intrusion.
Prevention Reduces the Demands on Your Response Plan
A strong incident response plan does not replace strong preventive controls. The two work alongside each other, and every breach you prevent is one you never have to respond to.
Working with an anti-phishing testing service, whether based in New York or London, to run realistic simulations and structured training can reduce the likelihood of a phishing attack succeeding in the first place. Our posts on anti-phishing controls, how to run phishing simulations effectively, how to create an anti-phishing policy, and how to spot a phishing email cover both the technical controls and the staff awareness side of phishing prevention in depth.
Our post on password best practices covers authentication security, and our guide on endpoint security for remote teams addresses the device security considerations that are particularly relevant for businesses with hybrid or dispersed workforces.
For businesses looking for a structured framework to work from, our post on why your business should become Cyber Essentials accredited explains how the scheme maps to five key technical control areas: firewalls, secure configuration, user access control, malware protection, and security update management. When properly implemented, these controls help protect against many of the most common cyber attacks and demonstrate a baseline of security competence to clients, insurers, and regulators.
The Role of Your Managed IT Provider in Incident Response
One of the most valuable things a managed IT provider can offer SMEs is not just day-to-day support, but an active role in your incident response capability. That means helping you write and maintain your plan, running tabletop exercises to test it, monitoring your environment for early indicators of compromise, and being immediately available to respond when something goes wrong.
Many SMEs find that having a dedicated managed service provider as a defined part of their incident response team is the most practical way to fill the capability gap without hiring specialist in-house staff. Our posts on the benefits of outsourcing your IT to an MSP, why businesses should consider an MSP for their IT needs, and unlocking the power of outsourced IT support all address this from different angles and business contexts.
Our security services overview covers the full range of protections available, and our IT consulting team can help you build or review an incident response plan that reflects your current environment, your risk profile, and your specific regulatory obligations.
Our comparison of penetration testing vs vulnerability scanning and our network penetration testing service can identify the vulnerabilities most likely to be exploited in an attack on your organisation, which provides practical input for building realistic incident response scenarios that your team can actually practise against.
Our post on IT service management explained covers how structured IT management underpins effective incident response, and our post on why your business needs a business continuity plan explains how your incident response plan connects to your wider business continuity framework.
International Operations and Incident Response
For businesses with offices in multiple countries, incident response complexity increases significantly. A breach affecting systems in different jurisdictions may trigger different legal notification requirements, involve different data types, and require coordination across teams working in different time zones.
A provider offering global IT services can ensure that if an incident affects multiple offices simultaneously, there is a single coordinated response rather than separate local reactions that may conflict with one another or leave regulatory obligations unmet. For businesses with European offices, a provider experienced in European IT services understands GDPR notification obligations, local data protection authority requirements, and cross-border data handling rules that apply when a breach occurs.
If your business has recently grown, changed platforms, or expanded through acquisition, a platform migration company that documents changes to your environment properly makes it significantly easier to understand the scope of a breach when one occurs, because you have an accurate baseline to work from.
Frequently Asked Questions
What is the difference between an incident response plan and a business continuity plan?
An incident response plan focuses specifically on how your organisation detects, contains, and recovers from a security incident. A business continuity plan is broader, covering how your organisation continues operating during any major disruption. The two should complement each other, with your incident response plan feeding into your wider business continuity framework where a security incident causes operational disruption.
Are SMEs legally required to have an incident response plan?
There is no UK law that explicitly mandates an incident response plan for every business. However, the UK GDPR requires organisations to have appropriate technical and organisational measures in place to protect personal data and to report personal data breaches within the required timeframe where the reporting threshold is met. Having a tested incident response plan is one of the most practical ways to demonstrate that appropriate measures exist if the ICO investigates.
How often should we test our incident response plan?
At minimum, once a year. Most security frameworks recommend a tabletop exercise in which your incident response team works through a simulated breach scenario without touching live systems. Major changes to your IT environment, such as a cloud migration, office move, acquisition, platform change, or significant staff changes, should also trigger a review and re-test.
What should we do in the first hour after discovering a potential breach?
The first hour is about containment and assessment, not rushing into recovery. Isolate affected systems from the network where appropriate, preserve logs and evidence that might otherwise be overwritten, activate your incident response team, and start documenting everything from the moment you become aware. Do not rush to restore systems before you understand what happened and how the attacker got in.
Does having cyber insurance replace the need for an incident response plan?
No. Cyber insurance may cover some of the financial costs associated with a breach, but it does not prevent damage during an incident or remove your legal notification obligations. Many cyber insurers now require evidence of basic security controls and an incident response capability as a condition of cover or as a factor in premium calculation. Having a plan is increasingly part of getting meaningful cover, not an alternative to it.
Build Your Incident Response Capability Today
The latest Cyber Security Breaches Survey makes clear that attacks on UK SMEs remain a live and practical risk. The businesses that recover fastest and at the lowest cost are those that have prepared in advance, with documented plans, tested processes, and the right support ready to act.
Northern Star provides managed IT support services London businesses can depend on, including incident response planning, security monitoring, phishing simulation, dark web monitoring, and rapid response support when something goes wrong.
Get in touch with our team today or call us on 0800 319 6032 to discuss your current incident response capability and where we can strengthen it. You can also visit our Why Us page to learn more about how we work with London SMEs to build security that is practical, proportionate, and built around how your business actually operates.