46 per cent of remote or mobile workers knowingly put data at risk over the past year
MANCHESTER, UK; 12 June 2025 – UK businesses are reporting a greater number of data breaches than ever before, according to annual research from Apricorn, the leading manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB drives. The company’s 2025 survey reveals that 69 per cent of organisations surveyed have self-disclosed a breach or potential breach to the Information Commissioner’s Office (ICO) in the past year, up significantly from 53 per cent in 2024.
However, the shift could also be interpreted as evidence of a greater sense of awareness and accountability. Just eight per cent of businesses surveyed were reported by a third party, compared to 14 per cent last year, indicating stronger internal reporting processes and a move away from reactive disclosure. This change suggests that businesses are beginning to take greater ownership over their breach response strategies and are stepping up to take responsibility.
Yet self-reporting does not imply incidents are under control. Apricorn’s research found that 46 per cent of organisations surveyed admit their remote or mobile workers knowingly put corporate data at risk in the last year. Additionally, 61 per cent believe their mobile workforce is likely to expose them to a future breach. These persistent concerns highlight a lack of confidence in user behaviour and endpoint management, especially within decentralised and hybrid work environments.
Phishing remains the top cause of data breaches, cited by 37 per cent of IT decision makers surveyed, closely followed by employee mistakes (33 per cent). While external threats continue to pose a risk, the data confirms that human behaviour remains the leading cause of vulnerability, whether through error, negligence or malicious intent.
The majority (99 per cent) of organisations have a mobile/remote working security policy in place, and 95 per cent believe their workers understand and follow it. But this confidence is undermined by a rising number of respondents, 58 per cent, who say their employees lack the technology or skills needed to properly secure data, even when they are willing to comply.
Adding to the challenge is the continued reliance on employee-owned IT equipment. 56 per cent of organisations now allow staff to use personal devices to access corporate systems and data, a 9 per cent increase over last year and the highest level recorded by Apricorn since 2019. Although most organisations use software to control access, these tools often lack the visibility and enforcement provided by corporate-issued devices.
Only 19 per cent of respondents said their organisation mandates the use of company-provisioned equipment with endpoint controls. This cautious shift upward from 15% in 2024, reflects growing awareness but highlights how far most organisations still have to go in order to gain full control of the remote attack surface.
Jon Fielding, Managing Director, EMEA, Apricorn, warned that businesses cannot afford to confuse policy with protection. “Too many organisations are relying on assumptions that policies are followed, that devices are secure, that staff know what to do, but if organisations want to reduce breach risk, they must give staff the right tools to do the right thing.”
The research also revealed deeper technical and operational issues. Almost 37 per cent of organisations say they cannot be certain that their data is adequately secured or they’ve lost visibility of where corporate data is stored, while 16 per cent report that their current technology doesn’t support secure mobile or remote working. Additionally, a further 11 per cent said they don’t know which datasets within their organisation need to be encrypted, pointing to a lack of basic data classification and risk assessment.
The mounting complexity of managing remote technologies is another key concern with more organisations struggling with this than has ever been recorded in the survey. 47 per cent of organisations reported that managing all of the technology that employees need and use for mobile/remote working is too complex. Meanwhile, 35 per cent say remote working has made it harder to comply with GDPR, potentially due to rising concerns about cyber sovereignty and data localisation requirements.
Fielding concluded: “Self-reporting breaches is a positive step, but if organisations want to reduce how often they’re doing it, they must bridge the gap between written policy and operational readiness. This includes clear provisioning of secure tools like hardware-encrypted drives, restricting data movement to known systems, and prioritising the secure handling of data at every endpoint.”
