If you’re running a business in 2025, here’s a sobering fact: you have nearly a 50/50 chance of being hit by a cyber attack this year.

The latest UK Cyber Security Breaches Survey shows that 43% of UK businesses experienced a cyber security breach or attack in the past 12 months – and for medium and large businesses, those figures jump to 70% and 74%.

But here’s what should really keep you awake at night: the average business now faces 30 cyber crimes in a single year. That’s more than two attacks every month.

Richard Horne, CEO of the National Cyber Security Centre (NCSC), recently warned that cyber risks facing the UK are “widely underestimated.” His message was clear: the defence and resilience of our critical infrastructure, supply chains, and wider economy need to improve urgently.

Your Essential Security Checklist

The NCSC has issued specific guidance for heightened threat periods. Here’s what you need to do right now:

1. Update Everything – Today

When did you last check for software updates? If you can’t remember, you’re already vulnerable. Install all pending updates across your entire infrastructure. Yes, it might mean a few minutes of downtime, but that’s nothing compared to weeks of recovery after an attack.

2. Lock Down Access Like Your Business Depends on It (Because It Does)

Who has access to your critical systems? If you’re not sure, you have a problem. Every user should have:

  • Unique login credentials (no more shared passwords!)
  • Access limited to what they actually need
  • Immediate removal when they leave your company

Think of it like your office keys – you wouldn’t let ex-employees keep them, would you?
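The three checks listed above can be run as a recurring access review. The script below is an added example, not part of the original article or of NCSC guidance; the account export format, user names, systems and per-role baseline are all constructed assumptions.

```python
import csv
import io

# Constructed sample data: an account export, an HR leaver list and a
# per-role entitlement baseline. All names and systems are hypothetical.
ACCOUNTS_CSV = """account,users,role,enabled,systems
a.khan,a.khan,finance,yes,payroll;email
b.jones,b.jones,sales,yes,crm;email;payroll
frontdesk,c.lee;d.patel,reception,yes,email
e.smith,e.smith,it,yes,email;admin-console
f.brown,f.brown,sales,no,crm;email
"""
LEAVERS = {"e.smith", "f.brown"}
ROLE_NEEDS = {
    "finance": {"payroll", "email"},
    "sales": {"crm", "email"},
    "reception": {"email"},
    "it": {"email", "admin-console"},
}


def review_access(accounts_csv, leavers, role_needs):
    """Return a sorted list of (account, finding) for the three checks."""
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        users = set(filter(None, row["users"].split(";")))
        systems = set(filter(None, row["systems"].split(";")))
        enabled = row["enabled"].strip().lower() == "yes"
        if not enabled:
            continue  # disabled accounts cannot log in; nothing to flag
        # Check 1: one login per person, so no shared credentials.
        if len(users) > 1:
            findings.append((row["account"], "shared by " + ", ".join(sorted(users))))
        # Check 2: access limited to what the role needs.
        # An unknown role has no baseline, so all of its access is flagged.
        extra = systems - role_needs.get(row["role"], set())
        if extra:
            findings.append((row["account"], "excess access: " + ", ".join(sorted(extra))))
        # Check 3: leavers must not keep a working account.
        gone = users & leavers
        if gone:
            findings.append((row["account"], "leaver still enabled: " + ", ".join(sorted(gone))))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in review_access(ACCOUNTS_CSV, LEAVERS, ROLE_NEEDS):
        print(f"{account}: {finding}")
```

Feeding it a real export from your directory or identity provider and the HR leaver list turns the review into a repeatable check rather than a one-off.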

3. Activate Multi-Factor Authentication (MFA) Now

If you do nothing else today, enable MFA on all sensitive accounts. This single step blocks the vast majority of unauthorised access attempts, even if passwords are compromised. It takes minutes to set up but could save your business.

4. Test Your Defences – Don’t Assume They Work

When did you last verify your antivirus is actually running? Or check if your firewall is configured correctly? Schedule monthly tests of all security tools. Better to find problems during a test than during an attack.

5. Check Your Backups Can Actually Restore

Protect your data with multi-layered security that includes immutable backups, hardened appliances, end-to-end data encryption, geographically distributed cloud storage, ransomware detection, forced two-factor authentication, and role-based access control.

6. Monitor Everything

Enable comprehensive logging across your systems. You can’t defend against threats you can’t see. The NCSC offers a free Early Warning Service that alerts you to potential threats – over 8,500 UK organisations already use it.

7. Know Your Incident Response Plan

Who do you call if you’re hit tomorrow morning? What’s their phone number? Who handles what? If you’re scrambling for answers, you need an incident response plan. The NCSC provides free resources like Exercise in a Box to help you prepare.

8. Train Your Human Firewall

Your employees are your first line of defence – or your biggest vulnerability. With 90% of cyber incidents resulting from human error, regular training isn’t optional. Show them real examples of current phishing attempts. Make security part of your culture, not just policy.

9. Review What’s Visible Online

Attackers research targets before striking. Google your company – what can they learn? Review your online presence and limit publicly available information about your infrastructure, key personnel, and operations.

10. Secure Your Supply Chain

Here’s a chilling statistic: 54% of large organisations cite supply chain challenges as their biggest barrier to cyber resilience. Know who has access to your systems. Audit third-party connections regularly. Your security is only as strong as your weakest supplier.

For Larger Organisations

Running a bigger operation? You need additional measures:

  • Accelerate planned security upgrades – Don’t wait for the “right time”
  • Postpone non-critical system changes – Reduce your attack surface during high-risk periods
  • Consider 24/7 security monitoring – Attacks don’t follow business hours
  • Implement advanced threat detection – Stay ahead of sophisticated attackers

Free Resources You’re Probably Not Using

The UK government provides extensive free cyber security resources that many businesses overlook:

Stay ahead of cyber threats with regular security insights from PDQ. Follow us for updates that matter to UK businesses.

Got questions? Or would you like a cyber security consultation and audit? Get in touch with the PDQ Cyber Security team today.