13 June 2025
The 2025 report reveals that 69% of surveyed organisations have reported a breach or potential breach to the Information Commissioner’s Office (ICO) in the past year, marking a significant increase from 53% in the previous year.
This surge in self-reported incidents may reflect a heightened sense of awareness and accountability among businesses. Notably, only eight percent of breaches were reported by third parties this year, down from 14% last year. This decline suggests that companies are now more proactive in internal reporting processes and are taking greater ownership of their breach response strategies, moving away from reactive disclosures.
However, a higher rate of self-reporting does not necessarily equate to better control over data security. The research highlights ongoing concerns about the security of remote and mobile workforces. Nearly half (46%) of organisations admitted that their remote or mobile employees knowingly put corporate data at risk over the past year. Furthermore, 61% of respondents believe their mobile workforce could cause future breaches, reflecting persistent worries about endpoint security and user behaviour, especially within decentralised and hybrid working environments.
Phishing remains the leading cause of data breaches, cited by 37% of IT decision makers, closely followed by employee mistakes at 33%. Human error, negligence, or malicious activity continue to be primary vulnerabilities, underscoring the importance of addressing behavioural risks alongside technical safeguards.
While 99% of organisations have implemented security policies for remote and mobile working, and 95% of employees are believed to understand and follow these policies, confidence is increasingly challenged. Over half (58%) of respondents expressed concern that employees lack the necessary technology or skills to properly secure data, despite their willingness to comply.
The reliance on employee-owned devices further complicates security efforts. Currently, 56% of companies permit staff to access corporate systems using personal devices — a rise of 9% from 2024 and the highest level recorded since 2019. Although many organisations employ software to manage access, these tools often lack the comprehensive visibility and enforcement features of corporate-issued equipment. Only 19% of firms require staff to use company-provisioned devices with endpoint controls, a modest increase from 15% last year, highlighting the ongoing challenge in gaining full control over remote attack surfaces.
“Too many organisations rely on policies and assumptions that devices are secure and staff are fully trained. To truly reduce breach risk, companies must equip their staff with the right tools, such as hardware-encrypted drives, and enforce strict data handling protocols,” said Jon Fielding, Managing Director for EMEA at Apricorn.
The survey also uncovered deeper technical issues. Nearly 37% of organisations are unsure if their data remains adequately protected or if they have lost visibility over where their data is stored. Sixteen percent reported that their current technology does not support secure remote working, while 11% admitted they lack clarity on which datasets require encryption — pointing to gaps in data classification and risk assessment.
Managing remote technology remains a significant challenge, with 47% of organisations citing the complexity of overseeing the tools employees need for remote work as a major concern. Additionally, 35% indicated that remote working has made it more difficult to comply with GDPR, possibly due to growing concerns related to cyber sovereignty and data localisation.
“While self-reporting breaches is a positive step, organisations must move beyond policies to ensure operational readiness. This includes deploying secure hardware tools, restricting data movement to trusted systems, and prioritising secure data handling at every endpoint,” said Fielding.
As data security challenges evolve, UK businesses are urged to bolster both their technological safeguards and their operational practices to better defend against an expanding threat landscape.