UK businesses remained under near-constant cyber pressure in 2025, with new research from Beaming revealing that attack volumes have stabilised at exceptionally high levels.
The analysis shows that organisations were targeted more than 791,600 times on average during the year, equating to just over 2,000 attempted attacks every day. Although marginally lower than the record activity seen in 2024, Beaming reports that this level of threat now represents a permanent baseline rather than a temporary spike.
Critical systems remain in attackers’ sights
Beaming’s data indicates that cybercriminals are concentrating their efforts on the systems that enable flexible working and store valuable business data:
- Ransomware access routes: Remote desktop services and VPN connections experienced ongoing automated attacks, as ransomware groups attempt to exploit stolen credentials to lock organisations out of their own networks.
- Data theft focal points: Databases continued to be heavily targeted by attackers looking to extract customer data for extortion schemes, often triggering regulatory action and reputational fallout.
- Web application weaknesses: Automated scanning of web applications intensified during 2025, allowing attackers to rapidly exploit vulnerabilities shortly after they are disclosed.
- Third-party attack paths: Incidents involving supplier portals and cloud-based services increased, highlighting the growing risks posed by interconnected supply chains.
China and the USA emerge as leading attack sources
China remained the dominant origin of malicious traffic throughout 2025, frequently accounting for more than 30,000 unique hostile IP addresses per month. Beaming also notes a significant rise in attack infrastructure originating from the USA, which is now much closer to China’s activity levels than in previous years. Together with Brazil, India and Russia, these countries make up the five most common sources of cyber threats targeting UK organisations.
Beaming observes that today’s threat environment is highly organised and industrialised. Attackers are increasingly using large-scale botnets that enable sustained and repeatable attack activity rather than short bursts of disruption.
Sonia Blizzard, Managing Director of Beaming, said: “In 2025, we saw cyberattack activity move from sporadic peaks to a relentless baseline of over 2,000 probes per day. For business leaders, 2026 needs to be the year where cyber resilience stays firmly on the boardroom agenda. It is no longer just about defending the perimeter; it’s about ensuring your organisation can keep operating even when under constant fire.”
Beaming’s recommendations for 2026
- Reduce attack surface: Audit and secure all internet-facing services, removing or restricting unnecessary ports.
- Strengthen remote access: Enforce Multi-Factor Authentication (MFA) across every remote login and remove direct RDP exposure.
- Implement identity-first security: Adopt conditional access policies that factor in user location and device health.
- Build resilience: Maintain immutable backups and regularly test recovery processes.
- Assess supplier risk: Review the security controls of third-party vendors as part of routine governance.
