What “likelihood” means in UK government reporting
“Breach or attack” vs “cyber crime”
The Cyber Security Breaches Survey reports on organisations that identify a “cyber security breach or attack” within the last 12 months. That umbrella includes a range of incident types—from attempted phishing through to more serious compromise—based on what the organisation has noticed and recognised.
The survey also reports cyber crime separately. This is useful because it distinguishes between “something happened” and incidents that organisations classify as crimes (for example, fraud or extortion). In 2025, the survey reports 20% of businesses identifying cyber crime, with variation by size.
The practical point for owner-managed SMEs: “likelihood” in this context is not a prediction of targeted attack. It is a measure of how commonly organisations identify incidents across routine exposure, attempted compromise, and—sometimes—successful compromise.
Identified incidents vs undetected incidents
Survey results reflect what organisations detect and label. Two organisations can experience similar levels of hostile activity but report different outcomes depending on:
Whether they have monitoring and alerting in place
Whether staff recognise and report suspicious activity
Whether incidents are logged centrally
Whether cloud account activity is reviewed meaningfully
This matters because “we haven’t noticed anything” is not the same as “nothing happened”. It often means detection and reporting are informal.
The 2025 prevalence numbers (UK)
Businesses overall
In the 2025 survey, 43% of businesses reported identifying breaches or attacks in the last 12 months.
This is the baseline context: incidents are common enough that UK organisations should treat them as routine operational risk, not a rare edge case.
Small businesses
For small businesses, the 2025 survey reports 50% identifying breaches or attacks in the last 12 months. (For context: micro businesses are reported at 41%, medium at 67%, and large at 74%.)
Two cautions for interpretation:
This is about incidents organisations identify, not everything that occurs.
These are population survey results; they help you understand typical exposure patterns, not guarantee what will happen to a specific firm.
Size differences and interpretation cautions
The size gradient (micro < small < medium < large) can be read two ways:
Larger firms often have more complex attack surface (more systems, more accounts, more suppliers).
Larger firms also tend to have better detection, so they identify and record more.
This is why the SME takeaway is not “we are doomed” or “we are safe”. It is: routine exposure is common, and your controllable variable is whether your baseline controls reduce exposure and make detection credible.
This is where two common misconceptions fail in practice:
“We’re too small to be targeted, so risk is low.” The survey’s small-business prevalence does not support that comfort blanket.
“Cyber attack = ransomware.” The survey treats a broad range of incident types under breaches/attacks; focusing only on worst-case scenarios hides the day-to-day reality.
Common incident types (high-level)
Phishing and impersonation
For most SMEs, the most persistent exposure is human-facing: phishing, impersonation, and attempts to trick staff into handing over credentials or money.
This is not “advanced hacking”. It consists of high-volume, repeatable attack patterns that succeed when baseline controls and reporting pathways are weak.
Account compromise and online service access
The next practical category is account access—especially where cloud services are involved. If an attacker obtains credentials (or abuses weak authentication and access control), they may gain access to email, files, or business systems without needing to “break into” a device.
This is why Cyber Essentials (CE)-style baseline thinking treats identity, access control, and secure configuration as foundational rather than optional.
Why smaller firms are exposed
Online footprint and routine attack volume
Small firms often have a broad online footprint relative to their capacity: email, cloud services, remote work, and multiple third-party tools—without dedicated security oversight.
So “likelihood” is less about being singled out and more about being reachable through common channels: email, exposed services, reused passwords, weak authentication, unmanaged devices, and inconsistent configuration.
Supplier/customer access and third-party accounts
SMEs also sit inside supply chains: shared folders, shared platforms, guest access, contractor accounts, and delegated admin relationships.
That creates two practical risks:
Your own accounts and permissions become the entry point.
Third-party access arrangements can become unclear over time.
A baseline approach treats these as scope questions: what access exists, who approved it, and how it is reviewed.
What a CE-style baseline changes
Reducing common exposure points
A CE-style baseline does not promise prevention. What it does is reduce routine exposure by ensuring baseline controls are operating consistently across the environment.
The business benefit is not “perfect security”. It is fewer easy paths into your systems and fewer avoidable failures in basic hygiene.
Making control coverage auditable and repeatable
The second benefit is governance: you can show what is in place and why, and you can re-check after change.
That is what turns security from a vague belief (“I think we’re fine”) into a defensible position (“we know what’s in scope, and we can evidence baseline coverage”).
What to do next (governance-first)
Establish current-state baseline and scope
Start with clarity, not tools:
What systems, users, devices, and services are in scope?
Who owns decisions for each baseline area?
Where are exceptions—and are they intentional?
If you cannot answer those cleanly, your baseline is not stable yet.
Identify gaps against CE themes
Once scope is clear, map your current state against the CE-style themes at concept level. The objective is to identify incomplete coverage and inconsistency—not to launch a large programme.