The UK’s cyber threat landscape shifted noticeably in 2025. The attacks on Marks & Spencer, Co-op, and Harrods in April and May 2025 demonstrated that even household-name UK businesses with significant IT investment can be brought down by sophisticated attackers. For smaller businesses, the lessons are clear and urgent.
This guide covers the eight most significant cybersecurity threats facing UK businesses in 2026, with practical defensive actions for each. These are not hypothetical future risks — all of them are happening now.
1. AI-Powered Phishing
Phishing has always been the most common entry point for attackers, but AI has made it dramatically more effective. Traditionally, phishing emails were easy to spot — poor grammar, generic greetings, suspicious links. AI-generated phishing emails are now personalised, grammatically perfect, contextually plausible, and targeted at specific individuals based on scraped data from LinkedIn, company websites, and previous breaches.
AI can generate hundreds of variations of a phishing email automatically, test which versions are most likely to succeed, and adapt campaigns in real time. Voice phishing (vishing) using AI-cloned voices is also increasing — staff have received calls that sound exactly like their CEO or CFO instructing an urgent payment.
What to Do
- Run phishing simulation exercises at least twice a year — staff who have been tricked in a simulation are significantly less likely to fall for the real thing
- Establish a verbal confirmation process for any payment instruction received by email, regardless of who it appears to be from
- Deploy email filtering with AI-based threat detection (Microsoft Defender for Office 365, Proofpoint, or Mimecast)
2. Ransomware Targeting UK Businesses
The 2025 attacks on M&S and Co-op, widely attributed to the Scattered Spider group, caused weeks of operational disruption and losses estimated in the hundreds of millions of pounds. M&S has said ransomware was deployed on its systems, and it suspended online ordering for roughly six weeks; Co-op shut down parts of its own network to contain the intrusion, but a large volume of member data was still stolen. These were not small businesses with poor security: they were large, well-resourced organisations.
Modern ransomware operations use a “double extortion” model: they encrypt your data and steal it, threatening to publish it publicly if you do not pay. Ransomware-as-a-Service (RaaS) platforms mean that technically unsophisticated criminals can now launch sophisticated attacks using rented tools and infrastructure.
The NCSC reported that ransomware remains the most significant cyber threat to UK organisations, with attacks increasingly targeting critical infrastructure, healthcare, and retail.
What to Do
- Follow the 3-2-1 backup rule: three copies of your data, on two different media types, with one copy offsite and offline or immutable. A backup that is reachable from the network with the same credentials the attacker has stolen will be encrypted or deleted along with everything else.
- Test your backups by actually restoring from them. Many businesses discover their backups are broken, incomplete, or too slow to restore only when they need them.
- Segment your network so that a compromise in one area cannot spread to everything
- Ensure all systems are patched promptly — most ransomware exploits known vulnerabilities that have had patches available for months
3. Business Email Compromise (BEC)
Business Email Compromise is consistently among the highest-value cyber crime categories in the UK by financial loss, yet it receives less coverage than ransomware because individual incidents are smaller and less visible. BEC attacks involve an attacker either compromising a legitimate email account or impersonating a trusted contact to authorise fraudulent payments or divert salaries or supplier payments.
Common scenarios: a fraudster impersonates your CEO and emails your finance team asking for an urgent payment; a supplier’s email account is compromised and fake bank-detail change instructions are sent to its customers; an employee’s salary is redirected after a spoofed HR request changes the bank account details held in payroll.
What to Do
- Implement a dual-authorisation process for any payment above a threshold — one person to initiate, a second to approve
- Verify bank detail changes by calling the supplier on a known number, not a number provided in the email
- Publish SPF and DKIM for your domain and a DMARC record with an enforcing policy (p=quarantine, then p=reject). A DMARC record with p=none only generates reports and blocks nothing. These controls stop spoofing of your exact domain; they do nothing against a lookalike domain or a genuinely compromised supplier mailbox, which is why the phone-verification step above still matters
- Enable multi-factor authentication on all email accounts — most BEC attacks begin with a compromised inbox
4. Deepfake Fraud
Deepfake technology — AI-generated synthetic audio and video — has moved from theoretical threat to active fraud tool. In early 2024, a Hong Kong finance worker was tricked into transferring £20 million after a video call with what appeared to be his company’s CFO and other colleagues — all of whom were deepfakes. UK businesses have reported receiving deepfake voice calls impersonating executives to authorise urgent wire transfers.
Creating a convincing voice clone requires only a few minutes of audio — easily sourced from company videos, podcasts, or social media. A deepfake video requires more, but is increasingly accessible with consumer AI tools.
What to Do
- Establish a “safe word” or out-of-band verification process for sensitive financial requests received by phone or video call
- Brief senior staff and finance teams specifically on this threat — awareness is the primary defence at present
- Be sceptical of any urgent request that bypasses normal processes, regardless of who appears to be asking
5. Supply Chain Attacks
Rather than attacking a target directly, supply chain attackers compromise software or services that the target uses, and so gain access to all of that supplier’s customers at once. The 2020 SolarWinds compromise pushed a backdoored update to roughly 18,000 organisations (a far smaller number were then actively exploited). The MOVEit vulnerability in 2023 exposed data from hundreds of UK organisations, including the NHS and British Airways, through a single file transfer tool, in many cases via a payroll provider that used it rather than the victim’s own systems.
For UK SMBs, the supply chain risk is most acute through managed service providers (MSPs) and SaaS tools. If your IT provider is compromised, attackers may have access to all their clients’ systems.
What to Do
- Ask your IT provider what their own security certifications are — Cyber Essentials Plus is a reasonable minimum
- Apply the principle of least privilege to all third-party access — suppliers should only be able to access the systems they need for their specific role
- Keep software and SaaS tools updated promptly — supply chain vulnerabilities are patched by vendors but only effective if you apply the update
- Maintain a list of the software and services your business uses, and review it periodically for any that are no longer needed
6. MFA Bypass and Session Hijacking
Multi-factor authentication (MFA) is now widely adopted and genuinely reduces account compromise — but attackers have adapted. The two main bypass methods in widespread use are:
- MFA fatigue (push bombing): the attacker already has your username and password and sends repeated MFA push notifications until you approve one by accident or out of frustration. The 2022 Uber breach is the best-known example. The 2025 UK retail intrusions reportedly relied on a related trick rather than push bombing itself: phoning the IT help desk and persuading it to reset a user’s password or re-enrol their MFA, which defeats the factor without ever sending a prompt.
- Session token theft: rather than defeating MFA at login, the attacker steals the browser’s session cookie after login and replays it, so no MFA step is ever presented to them. The cookie is taken either by infostealer malware on the user’s machine or by a real-time (adversary-in-the-middle) phishing proxy that sits between the user and the genuine login page and captures the session as it is created.
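Push bombing leaves a distinctive trace: a burst of denied or ignored prompts for one user, often followed by a single approval. The following detection logic, an added example rather than anything from the article, runs over a few constructed MFA prompt log lines and raises one alert per affected user. The field names are invented for the example; Entra ID sign-in logs, Duo and Okta authentication logs all carry the same facts under different names, so map them accordingly.

```python
"""Push-bombing detection over MFA prompt logs: added example, not from the article.

The log lines are constructed for this example, with invented field names;
map them onto your provider's export (Entra ID sign-in logs, Duo or Okta
authentication logs carry the same facts under different names).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # how close together prompts must be to count as one burst
THRESHOLD = 3                    # failed or ignored prompts in the window before we alert

# Constructed sample: a.patel is bombed and eventually approves; m.jones is bombed and
# holds out; j.smith has one ordinary denial followed much later by a normal login.
SAMPLE_LOG = """\
{"ts": "2026-01-14T08:01:10Z", "user": "a.patel@example.com", "src": "198.51.100.9", "mfa": "denied"}
{"ts": "2026-01-14T08:01:42Z", "user": "a.patel@example.com", "src": "198.51.100.9", "mfa": "denied"}
{"ts": "2026-01-14T08:02:05Z", "user": "a.patel@example.com", "src": "198.51.100.9", "mfa": "timeout"}
{"ts": "2026-01-14T08:02:50Z", "user": "a.patel@example.com", "src": "198.51.100.9", "mfa": "denied"}
{"ts": "2026-01-14T08:03:30Z", "user": "a.patel@example.com", "src": "198.51.100.9", "mfa": "approved"}
{"ts": "2026-01-14T08:05:00Z", "user": "j.smith@example.com", "src": "203.0.113.20", "mfa": "denied"}
{"ts": "2026-01-14T08:20:00Z", "user": "j.smith@example.com", "src": "203.0.113.20", "mfa": "approved"}
{"ts": "2026-01-14T09:00:00Z", "user": "m.jones@example.com", "src": "198.51.100.77", "mfa": "denied"}
{"ts": "2026-01-14T09:00:30Z", "user": "m.jones@example.com", "src": "198.51.100.77", "mfa": "denied"}
{"ts": "2026-01-14T09:01:00Z", "user": "m.jones@example.com", "src": "198.51.100.77", "mfa": "timeout"}
{"ts": "2026-01-14T09:01:20Z", "user": "m.jones@example.com", "src": "198.51.100.77", "mfa": "denied"}
"""


def parse(log_text: str) -> list:
    """One JSON object per line; returns the events sorted by time."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_bombing(log_text: str) -> list:
    """One alert per user whose prompts show THRESHOLD or more non-approvals inside WINDOW.

    An approval that follows the burst is reported as a likely compromise; a burst
    without an approval is still reported, as an attempt the user resisted.
    """
    by_user = defaultdict(list)
    for event in parse(log_text):
        by_user[event["user"]].append(event)
    alerts = []
    for user, events in by_user.items():
        best = None
        for i, event in enumerate(events):
            failed_before = [e for e in events[:i]
                             if event["ts"] - e["ts"] <= WINDOW and e["mfa"] != "approved"]
            if len(failed_before) < THRESHOLD:
                continue
            alert = {"user": user, "src": event["src"], "at": event["ts"].isoformat(),
                     "failed_prompts": len(failed_before),
                     "approved_after_burst": event["mfa"] == "approved"}
            # Prefer the alert that shows the approval, since that is the actual compromise.
            if best is None or (alert["approved_after_burst"] and not best["approved_after_burst"]):
                best = alert
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

An approval after a burst should trigger an immediate session revocation and password reset, not just a ticket; a burst without an approval is still worth a call to the user, because it means their password is already in someone else's hands.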
What to Do
- Replace push-based MFA (approve/deny notifications) with number matching, or better, with passkeys. Number matching stops push bombing because the user has to type a code shown on the login screen, but it does not stop a real-time phishing proxy, which simply shows the victim the real code; passkeys stop both, because the signature is bound to the genuine website’s origin
- For high-value accounts (finance, administrators, executives), use hardware security keys (YubiKey or similar). These are phishing-resistant at login, but no authenticator protects a session cookie stolen after login: pair them with endpoint protection against infostealers, short session lifetimes with re-authentication for sensitive actions, and, where your identity provider supports it, sign-in policies that tie the session to the device
- Train staff that they should never approve an MFA request they did not initiate, and that receiving unexpected MFA prompts should be reported immediately
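Why a relayed one-time code works for the attacker, why a passkey assertion does not, and why a stolen cookie works regardless of the authenticator, is easiest to see in code. The simulation below is an added example and not the article's own material; it stands in for the passkey's key-pair signature with an HMAC over the client data using a secret shared by authenticator and relying party, which is a simplification but preserves the property being demonstrated: the browser writes the origin it is actually talking to into the signed data, and the real site rejects any other origin. The hostnames are invented.

```python
"""Relayed TOTP vs origin-bound passkey vs stolen cookie: added example, not
the article's code.

Simplification, stated plainly: the passkey signature is stood in for by an
HMAC over the client data with a secret shared between authenticator and
relying party. Real WebAuthn uses a key pair, but the property shown, that
the browser puts the real origin into the signed data, is the same.
"""
import hashlib
import hmac
import json
import secrets
import struct
from typing import Optional

RP_ORIGIN = "https://login.example.com"       # the genuine site (invented)
PROXY_ORIGIN = "https://login-example.com"    # attacker's lookalike running a real-time proxy
TOTP_SEED = secrets.token_bytes(20)           # shared between the user's app and the site
CRED_SECRET = secrets.token_bytes(32)         # stand-in for the passkey's key pair


def totp(seed: bytes, at: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step, six digits), as most authenticator apps do it."""
    mac = hmac.new(seed, struct.pack(">Q", at // 30), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"


def authenticator_sign(challenge: str, origin: str) -> dict:
    """The browser, not the user or the page, fills in the origin; a phishing page cannot lie about it."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    signature = hmac.new(CRED_SECRET, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": signature}


class RelyingParty:
    def __init__(self) -> None:
        self.challenges: set = set()
        self.sessions: set = set()

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def login_totp(self, password_ok: bool, code: str, now: int) -> Optional[str]:
        """A TOTP code says nothing about where it was typed, so a relayed code passes."""
        if password_ok and hmac.compare_digest(code, totp(TOTP_SEED, now)):
            return self._issue_cookie()
        return None

    def login_passkey(self, assertion: dict) -> Optional[str]:
        """Simplified WebAuthn verification: fresh challenge, valid signature, expected origin."""
        client_data = json.loads(assertion["client_data"])
        if client_data["challenge"] not in self.challenges:
            return None
        expected = hmac.new(CRED_SECRET, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        if client_data["origin"] != RP_ORIGIN:      # the check a phishing proxy cannot satisfy
            return None
        self.challenges.discard(client_data["challenge"])
        return self._issue_cookie()

    def access(self, cookie: str) -> bool:
        """After login only the cookie is checked; no authenticator is involved."""
        return cookie in self.sessions

    def _issue_cookie(self) -> str:
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie


def scenario_totp_relay(rp: RelyingParty, now: int = 1_700_000_000) -> bool:
    """Victim types password and TOTP into the proxy page; the proxy replays both to the real site."""
    code_typed_into_proxy = totp(TOTP_SEED, now)
    return rp.login_totp(True, code_typed_into_proxy, now) is not None   # True: attacker gets a session


def scenario_passkey_via_proxy(rp: RelyingParty) -> bool:
    """Proxy forwards the genuine challenge, but the victim's browser signs it for the proxy's origin."""
    assertion = authenticator_sign(rp.new_challenge(), PROXY_ORIGIN)
    return rp.login_passkey(assertion) is not None                        # False: rejected


def scenario_passkey_direct(rp: RelyingParty) -> bool:
    """Same passkey, used on the real site."""
    return rp.login_passkey(authenticator_sign(rp.new_challenge(), RP_ORIGIN)) is not None  # True


def scenario_cookie_theft(rp: RelyingParty) -> bool:
    """Infostealer copies the cookie after a legitimate passkey login; no MFA is re-run."""
    cookie = rp.login_passkey(authenticator_sign(rp.new_challenge(), RP_ORIGIN))
    return rp.access(cookie)                                              # True: the key did not help here
```

The last scenario is the one to take away: once a session exists, the site checks only the cookie, so the defence against token theft lives in the endpoint (stopping the infostealer), in session policy (short lifetimes, re-authentication for payments and admin actions) and in device-bound sessions where the identity provider offers them, not in the authenticator.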
7. Cloud Misconfiguration
The majority of cloud security incidents are not caused by sophisticated attacks on cloud providers’ infrastructure — they are caused by misconfiguration of the services customers set up themselves. Publicly accessible storage buckets containing sensitive data, overly permissive access controls, and exposed admin interfaces are among the most common issues.
As more UK businesses move to cloud-based systems — Microsoft 365, Google Workspace, AWS, Azure — the misconfiguration attack surface grows. A single incorrectly configured setting can expose customer data, internal documents, or access credentials.
What to Do
- Use Microsoft Secure Score (free, in the Microsoft Defender portal at security.microsoft.com) to identify configuration weaknesses in your Microsoft 365 tenant; it provides prioritised, actionable recommendations. Google Workspace has an equivalent Security health page in its admin console
- Review sharing settings in SharePoint, OneDrive, and Google Drive — “anyone with the link” sharing should be disabled by default
- Enable audit logging on all cloud services so that access and changes are recorded
- Conduct a cloud security review annually — many IT providers offer this as a one-off service
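A publicly readable storage bucket is usually one policy statement away from a private one, and the dangerous statement is not always obvious: a wildcard principal with a negated condition is still public. The checker below is an added example, not code from the article or from any cloud provider; it runs over a constructed S3 bucket policy (invented bucket, role and VPC endpoint names, AWS's documentation account number) and lists the statements that grant access to everyone. The rule approximates the provider's definition of "public" (Allow, wildcard principal, no condition that pins the caller to your own accounts or network) and is a triage aid, not a replacement for the account-level Block Public Access setting.

```python
"""Public-bucket check over S3 bucket policies: added example, not from the article.

The policies are constructed samples. The rule approximates AWS's definition
of a public statement (Allow, wildcard principal, no condition that pins the
caller to your own accounts or network); it is a triage aid, not a substitute
for the provider's own Block Public Access setting.
"""
import json

# Condition keys that genuinely narrow who can call; a statement pinned by one
# of these is not world-readable even with Principal "*".
NARROWING_KEYS = {
    "aws:sourcevpce", "aws:sourcevpc", "aws:sourceip", "aws:principalorgid",
    "aws:principalaccount", "aws:principalarn", "aws:sourcearn", "aws:sourceaccount",
}
# Negated operators exclude a set rather than pin the caller, so they do not narrow.
NEGATED_OPERATORS = ("stringnotequals", "stringnotlike", "arnnot", "notipaddress")


def is_wildcard_principal(principal) -> bool:
    """'*' or {"AWS": "*"} (or a list containing "*") means anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def has_narrowing_condition(statement: dict) -> bool:
    """True if some non-negated condition restricts the caller to a known account or network."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower().startswith(NEGATED_OPERATORS):
            continue
        if any(key.lower() in NARROWING_KEYS for key in keys):
            return True
    return False


def public_statements(policy_json: str) -> list:
    """Return the statements that grant access to everyone on the internet."""
    findings = []
    for statement in json.loads(policy_json).get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        if not is_wildcard_principal(statement.get("Principal")):
            continue
        if has_narrowing_condition(statement):
            continue
        actions = statement["Action"]
        findings.append({
            "sid": statement.get("Sid"),
            "actions": actions if isinstance(actions, list) else [actions],
            "resource": statement["Resource"],
        })
    return findings


# Constructed sample: one bucket policy with four statements of differing risk.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-exports/*"},
    {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-customer-exports", "arn:aws:s3:::example-customer-exports/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "BackupRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-customer-exports/*"},
    {"Sid": "NegatedConditionStillPublic", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-exports/*",
     "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
]})

if __name__ == "__main__":
    for finding in public_statements(SAMPLE_POLICY):
        print("PUBLIC:", finding)
```

To run it against a real bucket, fetch the policy with `aws s3api get-bucket-policy --bucket BUCKET --query Policy --output text` and pass the output to `public_statements`. The same approach (wildcard principal, no narrowing condition) transfers to Azure Blob container access levels and Google Cloud Storage IAM bindings to `allUsers` or `allAuthenticatedUsers`, where the check is simpler because the public grant is a named principal rather than a policy shape.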
8. IoT and Operational Technology Vulnerabilities
Smart devices — IP cameras, building management systems, smart printers, network-connected machinery — are now common in UK business premises. Many were designed with functionality as the priority, with security as an afterthought. Default passwords that are never changed, firmware that is never updated, and no monitoring make them easy footholds for attackers looking to get onto a network.
Compromised IoT devices are used both as entry points into business networks and as components of botnets used for DDoS attacks. For manufacturers and industrial businesses, attacks on operational technology (OT) can cause physical disruption as well as data loss.
What to Do
- Conduct an inventory of all devices connected to your network, including smart TVs, printers, CCTV systems, and building management systems
- Change default passwords on all devices immediately — factory defaults are published online and attackers scan for them
- Put IoT devices on a separate network segment (VLAN) so that a compromised camera cannot access your file servers
- Check manufacturers’ websites for firmware updates, especially for security cameras and network equipment
The Overarching Lesson from 2025
The M&S, Co-op, and Harrods attacks were a wake-up call for UK business. All three companies had IT security teams and significant security investment; M&S and Co-op were still severely disrupted, and Harrods had to restrict internet access across its sites to contain its incident. The common thread in many of the most successful 2025 attacks was not technical sophistication but social engineering: convincing a human, in the retail cases reportedly an IT help desk, to do something they should not have done.
The most cost-effective investment for most UK businesses in 2026 is not more technology — it is staff awareness training, clear procedures for handling payment requests and access changes, and ensuring the basics (MFA, patching, backups) are in place and actually working.