UK Businesses More Exposed to Major Cyber Incidents Than Any Other Country, According to New Research by Commvault

Rhea-AI Summary

Commvault (NASDAQ:CVLT) has released concerning research findings about cybersecurity in the UK. The study reveals that 93% of UK businesses have experienced business-critical cyber incidents, with 57% occurring in the last 18 months - the highest rate globally.

Despite facing increased threats, UK organizations are 21% less likely to have deployed dedicated recovery environments and 11% less likely to have tested recovery plans within the last month compared to other countries. The main challenges include system complexity (52%) and keeping recovery plans updated (47%).

On the positive side, UK businesses lead in some preparatory measures, with 65% maintaining critical system inventories and 61% creating defined incident response processes, exceeding global averages of 50% and 41% respectively.

Positive

• 65% of UK businesses maintain inventories of business-critical systems, ahead of global average of 50%
• 61% have created defined runbooks and processes for incident responses, surpassing global average of 41%

Negative

• 93% of UK businesses experienced business-critical cyber incidents, with 57% in past 18 months
• UK organizations are 21% less likely to have dedicated recovery environments
• Only 36% of UK organizations strongly believe in prioritizing minimum viability approach
• 52% struggle with system complexity as main barrier to achieving minimum viability

93% of UK businesses have experienced a business-critical cyber incident, yet they are 21% less likely to have a dedicated environment in which to recover

READING, England, Aug. 19, 2025 /PRNewswire/ -- New research by Commvault, a leading provider of cyber resilience and data protection solutions for the hybrid cloud, in collaboration with research firm GigaOm, has revealed that the UK experiences a higher rate of critical cyber incidents than any other country. A cyber incident can be defined as an event or series of events that negatively affects the security of data systems or digital information within an organisation, including a security breach or ransomware attack.

Only 7% of the UK businesses surveyed report never having experienced a "business-critical" incident, compared to 14% of the rest of the world. This means that a staggering 93% of UK businesses have experienced a business-critical incident, of which 57% occurred in the past 18 months.

Despite experiencing more frequent devastating incidents than the global average, UK organisations are falling behind when it comes to their readiness to react and recover from cyberattacks. According to the research, they are 21% less likely to have deployed a dedicated recovery environment, and 11% less likely to have tested their recovery plans within the last month compared to the other countries - two aspects of a recovery plan that are widely considered to be fundamental.

Barriers to Being a Minimum Viability Company
The survey also highlights key findings tied to the Minimum Viability Company (MVC) concept. This concept outlines the core operations that are necessary to resume business quickly after a cyberattack. In an age where cybercriminals are increasingly sophisticated, infiltrating backups with malware, or planting dormant ransomware that activates after restoration, this approach is fundamental to operating in a state of continuous business.

Survey respondents stated that the biggest challenge preventing UK businesses from achieving minimum viability is the complexity of existing systems and applications (52%), followed closely by the struggle to keep recovery plans in line with changing business needs (47%).

Almost a third (30%) cited difficulties separating 'core' systems from less business-critical, 'broader' operations as another primary barrier to implementing the MVC concept.

However, nearly two-thirds of UK businesses have laid some foundational steps in their efforts to be resilient against attacks, with 65% having an inventory of business-critical systems and dependencies and 61% creating defined runbooks, roles, and processes for incident responses. This is ahead of the global averages of 50% and 41%, respectively. This suggests that while UK businesses are investing time and resources into incident response preparations, that is not translating into real-world recovery readiness.

Many of these cyber readiness practices are directly relevant to establishing what's needed to adopt a MVC approach. Yet only 36% of UK organisations strongly believe that they should prioritise the minimum viability approach.

"With the threat landscape evolving, business recovery is now a key concern at the board level," said Richard Gadd, Senior Vice President, EMEA, Commvault. "However, this research identifies critical gaps many organisations in the UK face as they rapidly try to advance their cyber resilience strategies. Having a tested recovery plan in place and a dedicated recovery environment in the cloud can make all the difference between chaos and continuous business."

"Business-scale cyberattacks are now the norm, not the exception. If complexity is killing efforts to prepare for recovery, executive leaders need to assume control and set business-level priorities, so they can keep the organisation running after an attack," said Howard Holton, Chief Operating Officer, GigaOm.

Methodology
GigaOm surveys serve to test hypotheses about a given topic area. In this survey, we looked to explore how enterprise organisations are approaching recovery, and the barriers and enablers that impact success. 1,000 senior decision makers responded to the survey, directly involved in defining, buying, or using application acceleration solutions. The sample of UK respondents was 100. Respondents came from a cross-section of industries without limitation, from companies with 1,000-plus employees across the globe.

About Commvault
Commvault (NASDAQ: CVLT) is the gold standard in cyber resilience, helping more than 100,000 organisations keep data safe and businesses resilient and moving forward. Today, Commvault offers the only cyber resilience platform that combines the best data security and rapid recovery at enterprise scale across any workload, anywhere—at the lowest TCO.

View original content to download multimedia:https://www.prnewswire.com/news-releases/uk-businesses-more-exposed-to-major-cyber-incidents-than-any-other-country-according-to-new-research-by-commvault-302532721.html

SOURCE COMMVAULT

FAQ

What percentage of UK businesses have experienced critical cyber incidents according to Commvault's research?

According to Commvault's research, 93% of UK businesses have experienced business-critical cyber incidents, with 57% occurring in the past 18 months - the highest rate globally.

What are the main barriers preventing UK companies from achieving Minimum Viability Company status?

The main barriers are system complexity (52%), difficulty in keeping recovery plans aligned with changing business needs (47%), and challenges in separating core systems from less critical operations (30%).

How do UK businesses compare globally in terms of cyber incident recovery preparation?

UK businesses are 21% less likely to have dedicated recovery environments and 11% less likely to have tested recovery plans within the last month compared to other countries.

What positive steps have UK businesses taken in cyber incident preparation?

UK businesses lead globally with 65% maintaining critical system inventories and 61% creating defined incident response processes, compared to global averages of 50% and 41% respectively.

How many UK organizations prioritize the minimum viability approach according to Commvault's study?

Only 36% of UK organizations strongly believe they should prioritize the minimum viability approach to cyber recovery.