Jamie Akhtar at CyberSmart explores what the ‘Wave Five’ results of the UK Government’s Cyber Security Longitudinal Study mean for organisations

The Cyber Security Longitudinal Study (CSLS), published in late February, is one of the most insightful pieces of UK cyber-security research because it tracks behaviour over time rather than capturing a single-year snapshot. Wave 5 focuses on medium and large businesses and high-income charities, combining survey data with follow-up interviews to understand what changes organisational cyber-security, what stalls it and what drives improvement.
Unlike the broader Cyber Security Breaches Survey, which provides a snapshot across all business sizes, the CSLS focuses on larger organisations and tracks change at multiple points in time to reveal how behaviours and controls shift as a result of experience, influences and governance decisions.
What the CSLS reveals should make business leaders take note, but a 72-page document is a lot to digest. So, what are the key themes?
This year’s report has some alarming statistics: 82% of businesses and 77% of charities experienced some form of cyber-incident in the period covered. This shows that cyber-security in 2026 is firmly an operational risk rather than a niche problem.
More importantly, organisations are more likely to introduce meaningful improvements after an incident has had real impact, rather than beforehand. This is especially concerning when most organisations are part of an intricate supply chain. Getting secure too late - or assuming you are too small to be targeted - puts entire ecosystems at risk.
Responding after an incident is natural, but it is also the most expensive way to build resilience. The controls that prevent common attacks are already well understood. External events and high-profile breaches can act as catalysts, but they are unreliable drivers of sustained change.
Resilience cannot depend on whether an organisation has recently been frightened into action - it has to be built into operations.
The most concerning finding in Wave 5 is supply chain security. Only 28% of businesses and 26% of charities formally assessed supplier cyber-risk over the last 12 months, meaning most organisations are still trusting their supply chain without verifying.
When you think of significant attacks that happened in 2025, like the M&S breach or the JLR hack, and consider the impact they had on supply chains, organisations really can’t afford to sit back. In the case of JLR, for example, production was halted for over a month and affected more than 5,000 organisations, with an estimated £1.9bn impact on the UK economy. This exemplifies how one incident can have a cascading national impact.
There is progress in Wave 5. Adherence to Cyber Essentials has risen, signalling movement towards structured baseline controls. Budgets reflect this: 37% of businesses and 36% of charities increased cyber-security spend over the last year.
However, progress remains uneven. Cyber-resilience is not something achieved once - it must be maintained. Many organisations still treat it as a project that peaks after an event and then fades.
Increased spend also does not consistently translate into stronger governance or board-level capability, with weaker momentum around board training over time.
That is the risk: organisations buy tools and call it progress, when what they really need is consistency and discipline.
Encouragingly, the study reinforces what practitioners already know. Real improvements come from the basics - multi-factor authentication, monitoring and detection, endpoint security, staff education, incident response planning and email security.
By contrast, over-reliance on antivirus and superficial controls creates a false sense of safety.
Wave 5 does not suggest a lack of practical guidance. It suggests the opportunity now is embedding what already exists.
Firstly, cyber-security must remain on the board agenda. Cyber isn’t a ‘one and done’ discipline. The NCSC’s message that “cyber-security is business survival” makes clear this is a board-level responsibility. The Cyber Governance Code of Practice reinforces that resilience should be built into routine governance cycles, not triggered by breach headlines.
Next, make baseline controls non-negotiable. Campaigns like “lock the door on cyber-criminals” position Cyber Essentials as the minimum standard.
Supplier scrutiny should be normalised. In a survey of MSP leaders, three-quarters (77%) of them noted that scrutiny of their own businesses’ security capabilities had increased either slightly or a lot over the past 12 months. This must become standard practice. The government has directly urged UK leadership teams, including FTSE boards, to strengthen cyber-security governance and resilience, including through supply chain expectations.
SMEs should seek support through existing channels. The NCSC’s MSP guidance helps organisations choose partners who can implement and maintain baseline controls as part of day-to-day IT, reducing the barrier to adoption.
Finally, leaders must shift from reaction to routine. The Cyber Governance Code of Practice is a practical step towards making cyber resilience continuous.
Looking ahead to Wave 6, there are key indicators to watch.
First, a reduction in the number of organisations that only act after an incident. Second, baseline adoption must shift from minority uptake to standard practice. Third, supplier scrutiny must rise, as supply chains are where individual weaknesses become systemic risk. Finally, governance maturity must go beyond increased spending to increased attention and capability.
These shifts would signal structural change: earlier action, stronger accountability and resilience that is maintained continuously rather than patched up after impact.
Jamie Akhtar is CEO and Co-Founder of CyberSmart
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543