
Responsibility declines as attacks continue: UK cybersecurity survey
The annual Cyber Security Breaches Survey, released by the UK Government, has highlighted a concerning decline in board-level responsibility for cybersecurity within businesses, while cyber attacks, particularly phishing, continue to threaten companies at an unprecedented scale.
According to the 2025 survey, only 27% of UK businesses now have a board member with responsibility for cybersecurity, a significant drop from 38% in 2021. The trend points to an erosion of direct oversight and strategic prioritisation of cybersecurity at the very top levels of business leadership.
Matt Cooke, Cybersecurity Strategist EMEA at Proofpoint, described the development as "particularly worrying." Cooke emphasised the critical role of boards in shaping priorities and resource allocation, stating, "Cyber security can't be treated as an after-thought by anyone in an organisation—particularly those at board level, who control the purse strings and business priorities." He further highlighted the gap between awareness and action: "Previous research has found that both CISOs (70%) and board members (73%) were aligned in the feeling that a material cyber attack is likely to impact their organisation in the next 12 months, which highlights an alarming issue if cyber security is not adequately prioritised."
The decline in board-level responsibility comes at a time when the threat landscape remains volatile and fast-moving. The same government survey revealed that phishing has continued to dominate as the leading method of cybercrime, affecting 93% of businesses that experienced a breach in the last year. This high prevalence underscores the ongoing challenges organisations face in defending against social engineering tactics that exploit human vulnerabilities.
Brian Soby, CTO and co-founder at cybersecurity company AppOmni, said the persistence of phishing attacks should not come as a surprise. "It's no surprise to see phishing remaining the most prevalent type of cybercrime. It works and it's an easy vector for attackers, plain and simple. We've seen organisations pour money into centralized identity management and zero trust solutions that ignore the reality of the risk landscape. SaaS and other applications hold an organisation's data. Far more often than not, we see these applications not being configured securely and not being covered by an organisation's security architecture."
Soby's observations draw attention to the limitations of certain security investments when foundational issues remain unaddressed. "If attackers can simply sidestep these security investments by taking phished credentials directly to the apps and stealing data, it should be obvious that this is the weakest link and is going to be exploited. Whether it's phishing, infostealers, or session hijacking, organisations should expect little ROI on their security programmes with such glaring holes and lack of protection against the most common attack vectors."
The survey results raise urgent questions for both policymakers and corporate leaders. As cyber attacks become more sophisticated, the need for cohesive leadership and comprehensive organisational strategies grows more pressing. Experts maintain that cybersecurity should be embedded throughout corporate governance, involving board members directly in strategy and scrutiny, rather than being relegated to a back-office function.
With a majority of both CISOs and board members expecting a significant cyber incident within the next year, the stakes for action have never been higher. As the threat landscape evolves, organisations are being called upon to fortify not just their technical defences, but also their strategic leadership—and to ensure that accountability for cybersecurity starts at the very top.