Next Event: Review and Republish Data Security and Protection Toolkit for Social Care

View Event

Search Digital Care Hub

Cyber Security Breaches Survey 2025: what it means for social care

Cyber Security Breaches Survey 2025: what it means for social care

April 15th 2025

The UK government has published its latest Cyber Security Breaches Survey (April 2025), which shows that cyber threats remain a serious risk for all types of organisations – including those in health and social care.

The number of organisations reporting cyber security breaches or attacks has stayed fairly stable: 43% of UK businesses and 30% of charities – including 41% of health or care organisations. There has been a rise in the number of cyber attacks that disrupt the way organisations work.

For care providers, this highlights the importance of continuing to strengthen your cyber security, and making sure you regularly check your risks and defences using tools like the Data Security and Protection Toolkit (DSPT).

More disruption to systems and services

One of the most important findings in this year’s survey is the rise in breaches that stop organisations from working properly – such as losing access to files, systems or third-party services.

These kinds of incidents have increased over the past year. For example:

  • 7% of businesses said they temporarily lost access to files or networks because of a breach, up from 4% last year
  • 5% of charities reported losing access to third-party services, up from 1% the year before

In adult social care, even a short period of downtime could seriously affect the delivery of care. Losing access to a digital care record or scheduling system, for example, could lead to delays or mistakes in the care being provided. That’s why cyber security needs to be seen as a core part of business continuity and care quality.

Phishing remains the most common threat

Phishing – where attackers trick staff into clicking on fake links or revealing sensitive information – is still the most common type of cyber attack. It affected 85% of businesses and 86% of charities that reported breaches in the survey.

This type of attack can lead to much more serious breaches, especially if attackers gain access to staff emails or systems. The survey findings highlight the need for care providers to invest in simple steps like email security filters and staff training to spot and report suspicious messages.

The cost of breaches

According to the survey:

  • The average cost of the most disruptive breach was £1,600 for businesses and £3,240 for charities
  • For those that did have costs, the average was £3,550 for businesses and £8,690 for charities

These costs cover things like lost time, recovery of data, damage to reputation and legal or regulatory advice. For care providers operating on tight budgets, even a single incident could have a big impact.

Some improvements in cyber awareness – but more to do

The good news is that some small businesses have improved their basic cyber defences. Compared with last year, more organisations are now:

  • Carrying out cyber risk assessments
  • Using cyber insurance
  • Having formal policies on cyber security
  • Including cyber risks in their business continuity plans

However, the survey also shows that some larger charities – which are often more similar in size to medium or large care providers – are slipping backwards. For example, fewer reported having a cyber security strategy or checking the security risks of their suppliers.

It’s a timely reminder that cyber security needs ongoing attention. It’s not a one-off task – it needs to be reviewed and updated regularly.

Health and social care leads the way on incident response

One of the more encouraging findings from the survey is that the health and social care sector is one of the best prepared when it comes to responding to cyber incidents.

66% of health and social care organisations have an incident response plan in place. That compares to just 23% of businesses overall. This shows that many care providers are taking cyber security seriously. But it also means there’s still room for improvement – especially for the one in three health and care providers that do not yet have a plan.

Keep improving your cyber security

Daniel O’Shaughnessy, Programme Director at Better Security, Better Care, said:

“The 2025 Cyber Security Breaches Survey shows that cyber threats are constantly changing – and they’re not going away.

“That’s why social care providers need to keep reviewing and improving their cyber security.

“We strongly encourage all care providers to use our free Cyber Security guidance, training and the Data Security and Protection Toolkit (DSPT). It gives organisations a clear picture of where they are now, and what steps they need to take to keep people’s information safe and their services running.”

What to do next

If you haven’t completed the DSPT for your organisation – or if you haven’t reviewed it in the last year – now is a good time to do so. You can also find free help and support from the Better Security, Better Care programme.

Related links

Cyber Security Breaches Survey 2025 – GOV.UK

Cyber Security Guidance for care providers

Free elearning and Cyber Game for social care

Early Warning alerts from National Cyber Security Centre

 

View all News

Next Event

View all Events
April

29

May

6

View all Events