A new study from Vodafone Business has revealed a troubling reality for UK organizations: despite growing awareness of cyber threats, many businesses remain dangerously unprepared for a serious cyber incident. The research suggests that a significant number of companies doubt their ability to survive a major attack, at a time when digital threats are accelerating in frequency, sophistication, and impact.
The study surveyed 1,000 senior leaders across UK businesses of all sizes, spanning multiple sectors. More than 10% of respondents said their organization would be unlikely to survive a major cyber incident, similar to the attacks that disrupted large retailers such as Marks & Spencer and automotive manufacturer Jaguar Land Rover last year. These findings point to a persistent gap between awareness of cyber risk and meaningful preparation.
As cyberattacks increasingly disrupt operations, compromise sensitive data, and damage brand trust, the question facing many UK organizations is no longer if they will be targeted, but how prepared they are for a breach.
Human Error Remains a Leading Cause of Cyber Risk
One of the most consistent findings in the Vodafone Business study is the ongoing role of human error as a primary driver of cyber incidents. Despite years of investment in technology and security tools, people remain one of the most exploited attack vectors.
More than 71% of business leaders believe that at least one employee in their organization would fall for a convincing phishing email. Respondents cited several contributing factors, including limited security awareness, insufficient training, heavy workloads, and unclear processes for reporting suspicious messages.
Phishing remains one of the most effective techniques used by attackers because it requires minimal technical sophistication and relies instead on trust, urgency, and distraction. A single compromised user can provide attackers with a foothold that leads to credential theft, lateral movement, and, in some cases, full organizational compromise.
Awareness is Rising, but Security Follow-Through is Inconsistent
The study shows that awareness of cyber risk has increased significantly, particularly following a series of high-profile attacks against well-known brands in 2024. Nearly 89% of leaders reported that these incidents made them more alert to online threats.
However, awareness does not always translate into action. Fewer than half of respondents (just 45%) reported that all staff within their organization had completed basic cyber awareness training. This gap highlights a common issue: cybersecurity is widely recognized as important, but often struggles to compete with other business priorities.
Without consistent training and reinforcement, employees are left unprepared to recognize modern threats, especially as phishing emails and impersonation attempts become more targeted and harder to detect.
Weak Password Practices Continue to Expose Businesses
Poor password hygiene remains another major weakness across UK organizations. According to the study, 63% of leaders believe their organization’s cyber risk increased over the past year, with password reuse playing a significant role.
Employers estimate that staff reuse their work passwords across an average of 11 personal accounts, including social media platforms and dating apps. This practice dramatically increases the likelihood of credential-stuffing attacks, where compromised passwords from unrelated breaches are reused to gain access to corporate systems.
When combined with phishing or malware, weak password practices can allow attackers to bypass perimeter defenses and access sensitive systems without triggering immediate alarms.
AI-Powered Threats Add a New Layer of Complexity
The rise of artificial intelligence is also reshaping the cyber threat landscape. Around 7 in 10 respondents said the emergence of deepfake AI videos has made them more cautious about video calls that appear to come from senior colleagues or executives.
AI-driven impersonation scams, including voice cloning and synthetic video, are increasingly being used to authorize fraudulent payments, extract sensitive information, or manipulate employees into bypassing controls. These attacks blur the line between legitimate communication and fraud, making traditional verification processes less reliable.
As AI tools become more accessible, organizations must adapt their security awareness programs and verification procedures to account for this evolving threat.
Supply Chain and Partner Risk Remains a Critical Blind Spot
The Vodafone study also highlights growing concern around third-party and supply chain risk. Even organizations with strong internal controls can be exposed through weaknesses in partner or supplier systems.
Threat actors that target indirect access routes (such as vendors, managed service providers, or shared platforms) continue to rise in frequency. Once attackers gain access through a trusted third party, they can often move laterally into core systems with little resistance.
This reinforces the need for organizations to assess not only their own security posture, but also the resilience of the wider ecosystem they depend on.
Government and Industry Response
In response to escalating cyber threats, the UK Government is taking steps to strengthen coordination between industry and policymakers. A second Telecommunications Fraud Charter is set to launch later this year, aimed at improving collaboration to reduce fraud and service disruption. A broader national fraud strategy is also expected to follow next year.
Nick Gliddon, Business Director at VodafoneThree, described the findings as deeply concerning:
“Some of these findings are truly alarming. The revelation that one in ten business leaders believe their company would not survive a cyber-attack highlights the scale of vulnerability facing UK firms today.”
He added that renewed government focus underscores the seriousness of the threat and the importance of a united approach.
Statistics to Know From the Vodafone Business Study
1 in 10 UK business leaders believe their company would not survive a major cyberattack
71% believe at least one employee would fall for a phishing email
89% say high-profile attacks increased their awareness of cyber risk
Only 45% report that all staff have completed basic cyber awareness training
63% say their organization’s cyber risk increased in the past year
Employees reuse work passwords across an average of 11 personal accounts
70% are more cautious of video calls due to deepfake AI threats
Conclusion
The Vodafone Business study paints a clear picture: while concern about cyber risk is now widespread across UK businesses, preparation often lags behind awareness. Inadequate training, weak password practices, insufficient incident planning, and growing AI-enabled threats continue to leave many organizations exposed.
As cyberattacks become harder to detect and faster to execute, closing these foundational gaps will be critical. For many UK businesses, resilience will depend not on advanced tools alone, but on consistent training, strong identity controls, and a realistic understanding of how modern attacks unfold.
