Almost a third of British businesses have suffered a remote working-related cybersecurity breach in the past year, according to newly compiled data, as public concern about phishing attacks reaches its highest level in two decades.
For HR professionals, the statistics carry a direct operational implication. Employees interacting with cloud platforms, shared files, messaging tools, and collaborative software outside a conventional office environment represent an expanded attack surface.
The UK Government’s Cyber Security Breaches Survey 2025 reveals that 29% of UK organisations experienced at least one security incident linked to remote or hybrid working in the last 12 months, with phishing accounting for 85% of all business breaches recorded. For charities, the figure is even higher, with 86% of breaches involving phishing attacks, highlighting the breadth of the threat across both commercial and voluntary sectors.
The findings coincide with analysis from secure networks specialist Nasstar, which examined 21 years of Google Trends data and found that UK searches for “phishing” hit an all-time record high in December 2025, surpassing even the previous peak in October 2020, when much of the UK workforce was working remotely due to pandemic restrictions. Searches for a “phishing link checker” have surged by 600%, while queries for “what is spear phishing in cyber security” rose by 1,500%, pointing to growing awareness among workers of the risk posed by highly targeted attacks.
Leigh Walgate, Managing Director of Secure Networks at Nasstar, says the scale of the problem reflects a fundamental shift in how businesses operate rather than simply where employees are based.
“Despite the widespread adoption of traditional network perimeter security controls, phishing remains the dominant attack vector because it targets users, identities, and cloud applications rather than exploiting network vulnerabilities,” he explains. “Phishing exploits identity and trust, not network vulnerabilities, which is why security needs to be designed around identity rather than perimeter assumptions.”
The government survey underscores the particular vulnerability of larger organisations, with 67% of medium-sized businesses and 74% of large businesses reporting a breach over the same period, compared to an overall rate of 43% across all UK businesses. Of those that experienced incidents, 65% identified phishing as their most disruptive attack.
Walgate points to the rapid migration towards cloud and software-as-a-service platforms as a key factor in why phishing has proved so difficult to contain through conventional means.
“The real shift over the last few years hasn’t just been where people work from, but how organisations consume applications and data,” he said. “As businesses have moved rapidly towards cloud and SaaS platforms, identity has effectively become the new perimeter. That fundamentally changes the risk profile, because attackers no longer need to break into a private network, they just need to abuse a legitimate user account.
“What’s particularly notable is the level of concern we’re seeing around phishing today. The surge in search interest suggests organisations and individuals are increasingly aware that these attacks are harder to detect and more difficult to defend against using traditional approaches.”
Nasstar advocates for the adoption of SASE (Secure Access Service Edge) architectures, which combine network security functions with URL filtering, malware detection, and data loss prevention in a cloud-delivered service. Walgate argues that this approach applies meaningful protection at the point where risk is actually created, rather than relying on perimeter controls designed for a pre-remote era.
“Modern phishing attacks aren’t limited to email, they increasingly arrive via cloud services, shared files, messaging platforms, and social engineering techniques that all aim to abuse legitimate user identities,” he explains. “SASE doesn’t replace email security; it enforces identity- and context-aware access controls at the point of use, limiting what an attacker can do even when credentials are compromised.”