Cyber Risk Plateaus on the Surface While AI and Supply Chain Gaps Deepen, New UK Survey Finds
A new UK government study reveals a cybersecurity landscape that appears stable at first glance but is quietly becoming more complex and fragile beneath the surface. The latest findings from the UK government's Cyber Security Breaches Survey show that while the overall rate of reported cyber incidents has leveled off, structural weaknesses tied to third-party risk and rapid AI adoption are reshaping enterprise exposure.
The report, commissioned by the Department for Science, Innovation and Technology and the Home Office, paints a picture of widespread cyber risk across businesses and charities.
Breach Levels Stabilize, But Threat Volume Remains High
According to the survey, 43 percent of UK businesses and 28 percent of charities experienced a cyber breach or attack in the past year. Those figures remain consistent with the previous reporting cycle, following a drop from earlier highs.
Phishing continues to dominate the threat landscape, impacting 38 percent of businesses and representing the vast majority of cyber crime incidents. The data suggests that attackers are scaling operations efficiently, relying on low-cost, high-volume tactics rather than more complex intrusions.
At the same time, ransomware incidents have declined, pointing to a shift in attacker behavior rather than a reduction in overall risk.
AI Adoption Outpaces Security Controls
One of the most notable shifts in this year’s report is the rise of artificial intelligence inside organizations without corresponding security safeguards.
Roughly one-third of businesses are already using or considering AI technologies, yet only about a quarter of those have implemented specific security controls to manage associated risks.
Chris Brown, SVP UK Market Leader at NCC Group, said:
"The breaches survey shows that cyber risk remains widespread and increasingly complex. While headline breach levels may have stabilized, the underlying picture is being driven by persistent weaknesses in supply chain assurance and the rapid adoption of AI without adequate security and governance."
His comments reflect a growing industry concern that AI is being deployed faster than organizations can secure it, introducing new attack surfaces tied to data exposure, model manipulation, and automation risks.
Supply Chain Security Emerges as a Critical Weak Point
Despite increasing reliance on vendors and partners, only 15 percent of businesses formally assess the cybersecurity risks of their immediate suppliers, and fewer than one in ten evaluate their broader supply chain.
This gap creates a cascading risk environment where a single compromised vendor can expose multiple organizations.
"Organizations are more interconnected than ever, which means resilience can no longer stop at the edge of the business," Brown said.
The data reinforces a long-standing issue in cybersecurity. Enterprises often invest heavily in internal defenses while overlooking third-party vulnerabilities that can be just as impactful.
Boardroom Awareness Is Rising, But Execution Lags
The survey shows that cyber risk is increasingly visible at the executive level. Around 72 percent of businesses now consider cybersecurity a high priority for senior leadership, and board-level accountability is trending upward.
However, operational maturity is not keeping pace.
Only 30 percent of businesses conduct regular cyber risk assessments, and just a quarter have formal incident response plans in place.
Brown emphasized the disconnect:
"Boards are starting to engage more seriously with cyber risk, but the priority now must be closing the gap between awareness and action, strengthening oversight of third parties, embedding AI security by design, and ensuring incident response plans are tested, not theoretical."
The Hidden Cost of “Low-Cost” Attacks
While many incidents are reported as having minimal direct financial impact, the report highlights a growing tail risk. A small percentage of breaches result in significant financial losses, reputational damage, or operational disruption.
Notably, the proportion of businesses reporting revenue loss or reputational harm from attacks has increased year over year.
This suggests that while most attacks are inexpensive to remediate, the most severe incidents are becoming more damaging.
A Market at an Inflection Point
The findings underscore a cybersecurity market entering a new phase. Traditional metrics like breach frequency no longer capture the full scope of risk. Instead, exposure is being driven by ecosystem complexity, AI integration, and uneven governance practices.
For security leaders, the takeaway is clear. The challenge is no longer just preventing attacks. It is managing interconnected risk across systems, partners, and emerging technologies.
As organizations accelerate digital transformation, the gap between innovation and security discipline is becoming one of the defining risks of the modern enterprise.


