Why Do Businesses Get Hacked?
Most successful cyberattacks exploit predictable weaknesses: weak or reused passwords, unpatched software, poorly configured cloud services, and employees deceived by phishing. Sophisticated zero-day exploits are rare — the majority of breaches trace back to controls that exist but weren't properly enforced.
Direct Answer
UK businesses are most commonly compromised through phishing emails that capture credentials, accounts without multi-factor authentication, unpatched software vulnerabilities, and misconfigured cloud services. Attackers generally follow the path of least resistance: they look for the combination of poor controls and high-value data. Small and mid-sized businesses are targeted precisely because they often lack the controls larger enterprises have in place. Addressing the most common root causes — MFA, patching, email security, and access control — reduces the risk considerably.
The Most Common Causes of Business Cyber Breaches
These root causes account for the overwhelming majority of successful attacks on UK businesses.
No Multi-Factor Authentication
Accounts protected only by a password are highly vulnerable to credential stuffing and phishing. MFA is one of the most effective single controls available.
Phishing Emails
Fraudulent emails deceive staff into entering credentials on fake sites or opening malicious attachments. Most ransomware starts with a successful phishing email.
Unpatched Software
Attackers actively exploit known vulnerabilities in operating systems, browsers, and applications. Delays in patching leave a window of exposure that is widely targeted.
Misconfigured Cloud Services
Overly permissive SharePoint settings, publicly accessible storage, and absent Conditional Access policies are common in organisations without dedicated IT security oversight.
Excessive User Permissions
When users have more access than they need, a compromised account can cause disproportionate damage. Least privilege reduces the impact of any single credential being stolen.
Absent or Untested Backups
Ransomware is most damaging when there are no usable backups. Backups stored in the same environment as production systems are often encrypted alongside them.
Vulnerable Business vs Protected Business
The controls that separate businesses that recover quickly from incidents from those that suffer major disruption.
| Feature | Vulnerable Business (common gaps) | Protected Business (basic controls in place) |
|---|---|---|
| MFA on all accounts | ||
| Patches applied within 14 days | ||
| Email filtering and DMARC | ||
| Immutable offsite backups | ||
| Least-privilege access controls | ||
| Staff security awareness training | ||
| Endpoint protection on all devices | Partial | |
Cyber Essentials certification requires all five of these control areas to be in place. It is a practical baseline for any UK SME.
Frequently Asked Questions
Phishing is the most common attack type, identified by 85% of businesses that experienced a breach (DSIT 2025). Phishing accounts for 93% of cyber crimes against businesses. AI-powered phishing has driven a 204% increase in phishing emails delivering malware in 2025.
MFA requires two or more verification methods to access an account. Microsoft reports that over 99.9% of compromised accounts did not have MFA enabled. Only 40% of UK businesses have two-factor authentication enabled (DSIT 2025). MFA can prevent more than 99.9% of account compromise attempts.
Yes. 50% of small businesses (10-49 employees) reported a cybersecurity breach in 2025. UK small businesses face around 65,000 hack attempts daily, with approximately 4,500 successful breaches. More than a quarter of SMBs say a single cyber attack could put them out of business entirely.
UK businesses typically allocate 13.2% of their total IT budget to cybersecurity. More than half of UK small businesses increased their cybersecurity spending in 2024. 85% of UK firms plan to boost their cyber budget for 2026. The cost of prevention is significantly less than the average breach cost of £3,550.
BEC is a type of fraud where attackers impersonate executives or suppliers to trick employees into transferring funds or sharing sensitive data. BEC attacks increased 33% in 2025. The average loss per BEC incident is $137,000. Even organisations with fewer than 1,000 employees face a 70% weekly probability of a BEC attempt.
Find and Fix Your Vulnerabilities
AMVIA's security assessment reviews your current controls against the most common attack vectors and produces a prioritised remediation plan. Call 0333 733 8050.