82% of UK Businesses Hit by Cyber Incidents. Locking the Door Is Not Enough.
18 February 2026
Locking the Door is a Good Start, but...
On 17 February 2026, the UK Government published the fifth wave of its Cyber Security Longitudinal Survey. The findings are striking:
- 82% of medium and large UK businesses experienced at least one cyber incident in the past year.
- Phishing remains the dominant attack type.
- Supply chain oversight is deteriorating.
- And for more than half of all organisations, the same pattern of incidents repeats year after year.
The government's response, a public awareness campaign encouraging businesses to adopt Cyber Essentials, patch software, and tighten access controls, is a sensible starting point.
But for senior leaders operating across multiple regulatory jurisdictions, managing complex supply chains, and reporting to boards, it does not go nearly far enough.
Here is what the survey found, and what it means for organisations that need to go beyond 'locking the door'.
Five Problems the Survey Exposes
- Cyber incidents are the norm, not the exception
82% of businesses and 77% of charities experienced a cyber incident in the past twelve months. More telling is the longitudinal data: 54% of organisations experienced the same pattern of incidents across both measurement points. For large businesses, two-thirds of those who suffered a tangible impact incident at first interview experienced the same again at their second. Their risk profile is not improving; it is self-reinforcing.
- Baseline standards adoption remains stubbornly low
Only 30% of businesses and 28% of charities adhere to Cyber Essentials. Roughly seven in ten medium and large organisations do not follow what the government calls the digital equivalent of locking the front door. Beneath the surface, the picture is fragile: organisations are gaining and losing accreditations in roughly equal measure.
- Supply chain oversight is a systemic blind spot
Fewer than a third of organisations formally assessed their suppliers' cybersecurity risks in the past year. The longitudinal data shows a strong negative trend: 42% of organisations lost supplier cyber engagement over time, compared with just 12% who gained it. Organisations openly admitted they lacked awareness of incidents within their supply chains, and suspected that some suppliers were concealing breaches.
- Most organisations are reactive, not proactive
The survey is unambiguous: meaningful improvements only followed an incident with a tangible impact on the organisation. Without a shock to the system, there was no significant pattern of positive change. Organisations that assessed their systems after high-profile industry incidents and concluded they were 'secure enough' typically took no further action.
- Board engagement is improving for large firms, but stalling elsewhere
67% of large businesses now have board-level cyber oversight, up from 61% in the previous wave. But 38% of charity boards and 23% of business boards received zero cyber training. The widening gap between large organisations and the rest is a governance challenge that awareness campaigns alone cannot close.
Why 'Locking the Door' Isn't Enough
The government's campaign is aimed at organisations that have not yet taken basic steps. But for medium and large organisations, the very population this survey studies, the message needs to be different.
"You need to know not just whether the door is locked, but whether the lock works, who has the keys, whether the windows are secure, and whether your supply chain partners are leaving their doors wide open."
Certification to Cyber Essentials or ISO 27001 tells you whether controls exist on paper. It does not tell you whether they are working consistently across your services, locations, and supply chain. And it does not help you explain your position clearly to regulators, board members, or insurers across multiple jurisdictions.

A More Complete Response
Argus Pro's Cybersecurity and Digital Operational Resilience (CDOR) Framework is designed specifically to address the kind of systemic weaknesses the survey identifies. Based on a systematic analysis of 194 legislative, regulatory, and supervisory instruments across 29 national jurisdictions and the EU, it harmonises overlapping requirements into a single, coherent, structured assessment that measures both the existence of controls and their effectiveness.
The CDOR Framework does not replace Cyber Essentials, ISO 27001, or NIST. It provides a unified lens through which all of them, and the specific regulatory obligations that apply to your organisation, can be assessed, managed, and communicated to the people who need to act on them.
Delivered through Aegis Compass, our online assessment platform, it produces board-ready outputs that translate technical findings into the language of risk, governance, and investment.
Two further capabilities extend this response. NexEdge (in development) will monitor the regulatory landscape in real time, flagging changes to legislation and guidance across jurisdictions so that organisations stay ahead of requirements rather than chasing them. Argus Pro Assess (coming soon) will test whether people can actually apply policy in practice, closing the gap between what an organisation says it does and what its people do under pressure.
Three Actions for Senior Leaders
- Assess both maturity and effectiveness: not just whether controls exist, but whether they are consistently working in practice.
- Address supply chain risk before regulators force you to. DORA, NIS2, and the forthcoming UK Cyber Security and Resilience Bill are all moving towards mandatory third-party risk oversight.
- Give your board structured intelligence, not compliance theatre. Scored, prioritised reporting that translates cyber risk into business language is what drives better decisions.
Read the Full Briefing Paper
For a detailed mapping of each survey finding to the CDOR Framework, including Cyber Essentials coverage, supply chain domains, board governance assessment, and an overview of NexEdge and Argus Pro Assess, download the full briefing paper below.
