Understanding the Cyber Security Longitudinal Survey
The Cyber Security Longitudinal Survey (CSLS), conducted by the UK Department for Science, Innovation and Technology (DSIT), provides critical insights into how medium and large businesses, as well as high-income charities, manage cyber risks over time. Wave Five, published on February 17, 2026, builds on previous waves to track evolving practices and their relationship to cyber incidents. This ongoing research helps policymakers and organisations identify effective strategies amid a landscape of persistent threats.
Unlike the broader Cyber Security Breaches Survey, which covers all business sizes, the CSLS focuses on organisations with greater resources: private sector businesses with 50 or more employees and charities with annual turnover of £1 million or more. By following the same panel of organisations across waves, it reveals whether cyber security investments translate into reduced incident impacts.
Methodology and Scope of Wave Five
Fieldwork for Wave Five occurred between June 2 and August 29, 2025, using a multimode approach: computer-assisted telephone interviews (CATI) and online surveys. Ipsos surveyed 521 businesses and 273 charities, with 70% from the Wave Four panel for longitudinal analysis and 30% fresh sample to address attrition. Response rates were adjusted for representativeness, with weights applied to match population distributions by size and sector.
Eligibility excluded public sector entities, small businesses under 50 employees, low-income charities, and those without IT presence. Qualitative depth interviews with 24 organisations provided nuanced views using the COM-B framework (Capability, Opportunity, Motivation-Behaviour). This rigorous design ensures reliable tracking of changes since Wave One in 2022.
- Panel retention: 53% from Wave Four.
- Business weighting: By region, size, sector using DBT estimates.
- Analysis tools: SPSS for significance testing (p<0.05).
Limitations include self-reported incidents potentially underestimating undetected breaches and attrition bias, mitigated through weighting and high retention efforts.
High Prevalence of Cyber Incidents Persists
In Wave Five, cyber incidents remain alarmingly common: 82% of businesses and 77% of charities reported at least one in the past 12 months. This stability underscores that even resource-rich organisations face relentless attacks, primarily phishing (76% businesses, 73% charities) and email impersonation scams (56% businesses, 46% charities).
Less common but disruptive were website/social media takeovers (11% businesses vs. 6% charities) and denial-of-service attacks (8% vs. 3%). Large businesses experienced higher rates across categories, reflecting greater visibility to attackers. These figures align with the broader Cyber Security Breaches Survey but highlight medium/large segment vulnerabilities.
Impacts and Outcomes of Incidents
While incidents are frequent, negative outcomes affected 22% of businesses and 15% of charities, including website downtime (6% vs. 4%) and loss of file/network access (5% vs. 4%). Large businesses saw 30% outcome rates vs. 20% for medium-sized. Broader effects like extra staff time (35% large businesses) and work disruption (15%) were common.
Financial costs average £195,000 per significant incident, contributing to £14.7 billion annual losses for UK firms. Qualitative accounts describe daily phishing floods and sophisticated multi-channel attacks via WhatsApp, prompting immediate responses like multi-factor authentication (MFA) rollout and staff retraining.
These disruptions emphasise cyber risks as operational threats comparable to fire or theft, affecting productivity and reputation.
Longitudinal Trends: Stability and Slight Improvements
Across time points, 54% of organisations maintained incident levels, with 34% showing improved resilience (impacts reduced to minor/none). However, 57% of charities without prior incidents went on to experience them, indicating vulnerability persistence. Large businesses had 66% persistent high-impact cases.
Positive shifts in practices post-incident suggest learning, but proactive changes without events were rare. Across waves, board oversight and standards adoption have risen, yet incident rates plateau high.
Board Governance and Resource Allocation
Board involvement strengthened: 67% of businesses have members overseeing cyber risks (up from 61% in Wave Four), with 71% designating reporting staff. Charities lag at 51% oversight. Discussions are more frequent in large businesses (65% quarterly+).
Budgets increased for 37% businesses and 36% charities, though charities deem them insufficient more often (10% vs. 5%). Training remains a gap: 38% charities report no board training. Incidents drive positive governance changes, like more frequent updates via risk scores.
- Quarterly board discussions: 65% large businesses.
- Training frequency: 21% businesses several times/year.
Rising Adoption of Cyber Security Standards
Cyber Essentials adherence climbed to 30% for businesses (from 23%) and 28% for charities (from 19%), with overall standards gaining (31% vs. 20% loss). Organisations with impactful incidents were 2.5 times more likely to adopt all five Cyber Essentials controls.
Cyber insurance rose to 35% businesses and 40% charities, correlating with 92% fewer claims. Incident response plans cover 69% businesses (tested by 50%). Risk registries are prevalent in charities (78%). These trends signal maturation, though gaps persist.
Core Protection Practices in Place
Threat intelligence use grew to 44% businesses (from 36%) and 33% charities. Vulnerability audits (60% businesses), risk assessments (71%), and monitoring tools (67%) are standard. Basics like firewalls (97%) and VPNs (80% businesses) are near-universal, but backups lag at 69% businesses.
Cloud adoption is high (83% businesses), reducing physical servers. Longitudinal gains in risk processes (2.59 rate) and monitoring (40% positive change) are notable post-incident.
Challenges in Supplier Risk Management
Only 28% businesses and 26% charities formally assessed suppliers last year, with large businesses at 40%. Many rely on informal lists or guidance. Longitudinal losses outpace gains (37% vs. 16%), though incidents curb declines. Supply chain blind spots amplify risks.
Qualitative notes highlight underreported tiered risks, urging formal processes.
Drivers of Cyber Security Improvements
Direct incidents motivate 41% of businesses (29% of charities), and sector reports 51% vs. 41%. External influencers include consultants (60%), insurers (43%), and regulators (36%). Reactive postures dominate, with incidents catalysing standards and training.
- NCSC tools like Exercise in a Box.
- Phishing simulations and mandatory modules.
- Board buy-in for budget justification.
Emerging Threats and Qualitative Perspectives
AI-enhanced phishing and impersonation complicate detection, per qualitative insights. Staff vigilance improves post-incident, but complacency risks persist without events. Charities face resource constraints, favouring free NCSC aids.
COM-B analysis stresses capability building via training, opportunities from guidelines, and motivation from leadership/reputation.
Government Response and Actionable Steps
DSIT launched the "Lock the Door" campaign promoting Cyber Essentials' five controls: firewalls, configurations, updates, access control, malware protection. Free tools include readiness checks and NCSC consultations.
Minister Liz Lloyd emphasised accessibility for SMEs. NCSC's Richard Horne urged basics over complexity. Businesses should prioritise supplier audits and board training.
Future Outlook and Implications
Wave Five reveals progress in standards and governance but entrenched high incident rates, especially supply chain weaknesses. Proactive shifts, leveraging AI defensively and mandatory assessments, are essential. For research-oriented sectors, robust cyber posture safeguards intellectual property—vital for innovation.
UK organisations must treat cyber as core business risk, integrating it via sustained investments. Future waves will track AI impacts and resilience gains.
