Overview
The UK Government’s Cyber Security Longitudinal Survey (Wave Five, February 2026) delivers a clear message for medium and large organisations: cyber incidents are not exceptional events. They are routine.
Around four in five organisations in scope reported experiencing some form of cyber incident in the past year. Phishing remains dominant. Impersonation scams are persistent. Governance is improving in places. Budgets are rising for some, flat for many. Supply chain risk management remains weak.
But the most important insight isn’t the volume of attacks: it’s behaviour.
The data suggests that while awareness is high, action is often reactive. Many organisations still meaningfully improve their cyber posture only after experiencing impact. In 2026, that gap between knowledge and execution is where risk lives.
The Myth of “We Haven’t Had an Incident”
A low incident count is no longer a reassuring metric.
The survey relies on self-reporting. Organisations can only report what they detect and recognise. In practical terms, this means incident prevalence is partially a reflection of monitoring maturity. High reporting can indicate visibility. Low reporting can indicate blind spots.
When an executive team says, “We’ve never had a cyber incident,” the correct follow-up question is not celebration — it’s curiosity. What telemetry do you have? What is logged? What is reviewed? How are suspicious events escalated? What constitutes an “incident” internally?
In today’s threat environment, silence rarely means safety. More often, it means limited visibility or informal classification.
The Reactive Cyber Economy
One of the most revealing themes in the survey is that organisations are more likely to strengthen controls after an incident with impact.
This creates a predictable cycle: underinvest, get hit, respond urgently, stabilise, drift, repeat.
Cyber becomes event-driven rather than risk-driven. Investment is triggered by pain, insurance requirements, or client pressure instead of structured enterprise risk assessment.
The operational consequence is expensive firefighting. The strategic consequence is that resilience is built under stress rather than designed deliberately.
The strongest organisations are not those that avoid being targeted. They are those that treat resilience as a standing capability — continuously funded, continuously reviewed — rather than as a post-incident procurement programme.
Governance: Progress, but Still Uneven
Board-level oversight appears to be improving. More businesses now report that a board member holds responsibility for cyber risk, and more organisations have a named cyber-responsible individual reporting directly to the board.
That is progress.
However, a significant minority of boards still receive no formal cyber training. In charities, governance maturity lags further behind. Oversight without literacy is fragile. If directors cannot interpret risk indicators, challenge management on control effectiveness, or understand supplier exposure, oversight becomes symbolic.
Cyber is no longer a technical line item. It is operational resilience, regulatory exposure, financial risk, and reputational protection rolled into one. Until boards treat it as enterprise risk — discussed alongside liquidity, compliance, and strategy — organisations will remain structurally exposed.
Flat Budgets in an Escalating Threat Landscape
While many organisations report increasing cyber budgets, a substantial proportion have held spending flat.
In an inflationary economy and amid rising attacker sophistication, flat spending is effectively a gradual capability reduction. Threat actors continue to professionalise. Business email compromise is refined. Social engineering is increasingly convincing. Automation and AI are lowering barriers to entry.
If spending remains static while complexity and threat velocity increase, the organisation is quietly losing ground.
Holding budget steady is a legitimate strategic decision — but it should be treated as a conscious acceptance of defined risk, not as a neutral stance.
Impersonation: The Quiet Financial Threat
Phishing remains the most common attack vector. But impersonation scams are the more commercially dangerous category.
Executive impersonation, supplier fraud, and payment diversion attacks exploit trust and process weaknesses rather than software vulnerabilities. They frequently result in direct financial loss and reputational damage.
This is where many organisations underestimate exposure. They invest in email filtering and awareness campaigns but neglect financial control design. If bank detail changes can be approved over email alone, or if urgent executive requests bypass normal verification, the vulnerability lies in process, not technology.
Out-of-band verification for high-risk financial changes, strict approval workflows, and documented supplier validation controls are no longer optional safeguards. They are baseline operational hygiene.
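The following is an added illustration of the control design described above, not code from the survey, from DSIT, or from any product. It models a supplier bank-detail change as a request that must clear three independent checks before payment details change: a callback to the phone number already held on the supplier master record (never a number supplied in the request itself), two approvers who are distinct from the person who keyed the request, and a cooling-off period that an "urgent" flag cannot shorten. The supplier record, field names, request shapes and thresholds are all hypothetical.

```python
"""Added example: policy check for supplier bank-detail change requests.

Hypothetical code illustrating out-of-band verification, segregated
approval and an urgency cooling-off rule. Supplier data, field names,
thresholds and sample requests are constructed for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class ChangeRequest:
    """A request to change where a supplier's payments are sent (constructed)."""
    supplier_id: str
    requested_by: str                  # internal user who keyed the request
    request_channel: str               # "email", "portal", "letter", ...
    new_account: str
    urgent: bool = False
    callback_confirmed: bool = False   # did someone phone the supplier back?
    callback_number_used: str | None = None
    approvers: list[str] = field(default_factory=list)
    submitted_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


# Constructed supplier master data. The phone number here was recorded at
# onboarding, before any change request arrived, so it is the only number a
# verification callback may use.
SUPPLIER_MASTER = {
    "SUP-1001": {"name": "Example Stationery Ltd", "phone_on_record": "+44 20 7946 0000"},
}

MIN_APPROVERS = 2                 # hypothetical policy threshold
COOLING_OFF = timedelta(hours=24)  # hypothetical: no same-day payment to new details


def evaluate(req: ChangeRequest, now: datetime | None = None) -> tuple[bool, list[str]]:
    """Return (approved, reasons). Every failed control is reported, not just the first."""
    now = now or datetime.now(timezone.utc)
    reasons: list[str] = []
    record = SUPPLIER_MASTER.get(req.supplier_id)

    if record is None:
        reasons.append("unknown supplier: request cannot be validated against master data")
        return False, reasons

    # Control 1: the request may arrive by email, but email alone is never
    # sufficient evidence. A callback to the number already on record is required.
    if not req.callback_confirmed:
        reasons.append("no out-of-band callback confirmation")
    elif req.callback_number_used != record["phone_on_record"]:
        # A number quoted in the request itself could have been chosen by whoever
        # wrote the request, so it proves nothing.
        reasons.append("callback used a number not on the supplier master record")

    # Control 2: segregation of duties. The requester cannot approve their own
    # change, and at least MIN_APPROVERS distinct other people must sign off.
    independent = set(req.approvers) - {req.requested_by}
    if req.requested_by in req.approvers:
        reasons.append("requester cannot approve their own change")
    if len(independent) < MIN_APPROVERS:
        reasons.append(f"needs {MIN_APPROVERS} independent approvers, has {len(independent)}")

    # Control 3: urgency is a pressure tactic, not a reason to skip steps. The
    # flag never relaxes the checks above; it only adds a hold for review.
    if req.urgent and now - req.submitted_at < COOLING_OFF:
        reasons.append("urgent request inside cooling-off window: hold for review")

    return (len(reasons) == 0), reasons


if __name__ == "__main__":
    # Constructed sample: an emailed, "urgent" change with no callback and only
    # the requester's own approval. Expected outcome: rejected, four reasons.
    sample = ChangeRequest("SUP-1001", "alice", "email", "GB00TEST00000000000000",
                           urgent=True, approvers=["alice"])
    print(evaluate(sample))
```

The point of returning every failed control rather than the first is that the list doubles as a review record: a request that fails only on the callback number, for example, is a much stronger signal of an impersonation attempt than one that is merely missing a second approver.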
Certification Versus Capability
Adoption of Cyber Essentials appears to be increasing, which is encouraging. However, longitudinal data shows that organisations often gain and lose accreditation over time.
This suggests certification is sometimes treated as episodic rather than embedded. A badge is useful. Sustained discipline is essential.
The core controls underpinning baseline resilience remain consistent: timely patching, strong authentication, least privilege, secure configuration, and endpoint protection. Organisations often reinforce these only after experiencing impact.
The lesson is straightforward: resilience depends on operational habit, not annual renewal cycles.
The Supply Chain Blind Spot
Perhaps the most concerning theme is supplier risk management.
The survey highlights that formal cyber supply chain processes remain underdeveloped in many organisations. This is not a minor compliance gap. It is one of the most exploited pathways for compromise.
Attackers increasingly target weaker suppliers to reach stronger primary targets. Managed service providers, professional advisers, marketing agencies, payroll providers — any entity with access or trust relationships becomes a potential conduit.
If an organisation cannot clearly articulate which suppliers hold privileged access, process sensitive data, or could disrupt operations, it does not have full visibility of its risk profile.
Effective supplier risk management does not require blanket bureaucracy. It requires tiered assurance aligned to criticality, enforced through procurement standards, contractual clauses, and ongoing oversight.
Insurance Is Not a Strategy
Cyber insurance uptake is rising. That reflects market maturity and increased awareness.
However, insurance transfers some financial risk; it does not prevent incidents, preserve customer confidence, or eliminate regulatory scrutiny. It does not guarantee payout under every scenario.
Insurance should complement a robust resilience framework. It should not substitute for one.
The Real Message for 2026
The survey does not reveal ignorance. Most organisations understand cyber risk at a conceptual level. The issue is hesitation.
The gap between knowing what “good” looks like and implementing it consistently remains wide.
In today’s environment, the differentiator is not whether you are targeted. It is whether governance, controls, supplier oversight, and response capability were built deliberately before they were urgently required.
Resilience constructed calmly is always cheaper than resilience constructed under pressure.
The organisations that act early will experience incidents as manageable disruptions. The organisations that wait will experience them as defining events.
That is the real divide emerging in UK cyber security.
Read the full DSIT report here: https://www.gov.uk/government/publications/cyber-security-longitudinal-survey-wave-five-results/cyber-security-longitudinal-survey-wave-five-results