UK businesses have reported a greater number of data breaches than ever before, according to annual research from Apricorn.

The company’s 2025 survey has revealed that 69% of organisations surveyed have self-disclosed a data breach or potential data breach to the Information Commissioner’s Office (ICO) in the past year, up significantly from 53% in 2024.

Just 8% of businesses surveyed were reported by a third party, compared to 14% last year, indicating stronger internal reporting processes and a move away from reactive disclosure.

This change, according to Apricorn, suggests that businesses are beginning to take greater ownership over their breach response strategies and are stepping up to take responsibility.

Yet self-reporting does not necessarily imply incidents are under control.

Remote and mobile workers causing data breaches

Apricorn’s research found that 46% of organisations surveyed admit their remote or mobile workers knowingly put corporate data at risk in the last year.

Additionally, 61% believe their mobile workforce is likely to expose them to a future data breach.

These persistent concerns highlight a lack of confidence in user behaviour and endpoint management, especially within decentralised and hybrid work environments.

Phishing remains the top cause of data breaches, cited by 37% of IT decision makers surveyed, closely followed by employee mistakes (33%).

While external threats continue to pose a risk, the data confirms that human behaviour remains the leading cause of vulnerability, whether through error, negligence or malicious intent.

Apricorns research has pointed out that the majority (99%) of organisations have a mobile/remote working security policy in place and 95% believe their workers understand and follow it.

But this confidence is undermined by a rising number of respondents (58%) of employees surveyed having stated that they lack the technology or skills needed to properly secure data, even when they are willing to comply.

Employee-owned IT equipment

Adding to the challenge reportedly, is the continued reliance on employee-owned IT equipment.

The survey found that 56% of organisations now allow staff to use personal devices to access corporate systems and data, a 9% increase over last year and the highest level recorded by Apricorn since 2019.

Although most organisations use software to control access, these tools are said to lack the visibility and enforcement provided by corporate-issued devices.

Apricorn’s survey revealed that only 19% of respondents said their organisation mandates the use of company-provisioned equipment with endpoint controls.

This cautious shift upward from 15% in 2024, is said to reflect growing awareness but highlights how far most organisations still have to go in order to gain full control of the remote attack surface.

The over reliance on policies being followed

Jon Fielding, Managing Director, EMEA Apricorn stated: “Too many organisations are relying on assumptions that policies are followed, that devices are secure, that staff know what to do, but if organisations want to reduce breach risk, they must give staff the right tools to do the right thing.”

The research also revealed deeper technical and operational issues.

Almost 37% of organisations say they cannot be certain that their data is adequately secured or they’ve lost visibility of where corporate data is stored, while 16% report that their current technology doesn’t support secure mobile or remote working.

Additionally, a further 11% of employees said they don’t know which datasets within their organisation need to be encrypted, pointing to a lack of basic data classification and risk assessment.

Technology being disregarded

47% of organisations reported that managing all of the technology that employees need and use for mobile/remote working is too complex.

Meanwhile, 35% say remote working has made it harder to comply with GDPR, potentially due to rising concerns about cyber sovereignty and data localisation requirements.

Reporting data breaches is not enough

Fielding concluded: “Self-reporting breaches is a positive step, but if organisations want to reduce how often they’re doing it, they must bridge the gap between written policy and operational readiness.

“This includes clear provisioning of secure tools like hardware-encrypted drives, restricting data movement to known systems and prioritising the secure handling of data at every endpoint.”