UK businesses faced rising cyberattack pressure

Cyber Reports

Q2 2026 Cyber Threat Report

UK businesses were targeted by an average of 190,716 cyberattacks each during Q2 2026, equivalent to 2,096 attacks per day.

This represents a 5.7% increase on Q1 2026 and a 3.4% increase compared with Q2 2025, showing that the slight easing seen at the start of the year has not continued. Attack volumes remain above the already elevated levels recorded throughout 2025.

Beaming’s analysis shows that automated attack activity continues to focus on the systems businesses rely on for remote access, administration and online services. The data also points to a notable shift in where some of this activity is coming from, with Brazil rising sharply as a source of attacking IP addresses during the quarter.

Attack volumes moved upwards again

Across April, May and June, UK businesses experienced an average of 2,096 attacks per day.

For IT teams and business leaders, the message is clear: high-volume automated scanning and probing should now be treated as a constant operational risk, not an occasional event.

Q2 2026 Cyber-threats on UK business by Quarter with Average.

 

Remote control applications saw the sharpest rise

Remote control applications were the most heavily targeted application category in Q2 2026, averaging 275 attacks per business per day.

This was a 76% increase on Q1 2026 and a 69% increase compared with Q2 2025.

This is the most notable movement in the quarter’s application data. Remote control tools are attractive to attackers because, if poorly secured, they can provide a direct route into business systems. Even where legitimate tools are in use, weak passwords, exposed services or missing multi-factor authentication can increase risk.

Businesses should review all remote control and remote administration tools, confirm who has access, remove anything no longer required and ensure the right MFA is enforced wherever possible.

Business Applications Attacked in Q2 2026

Remote desktop and VPN activity also increased

Remote desktop attacks rose by 10% compared with Q1 2026 and were 31% higher than in Q2 2025.

VPN attacks also increased, up 10% quarter-on-quarter and 13% year-on-year.

This reinforces a familiar pattern: attackers continue to look for weaknesses in the systems that allow people to connect to business networks remotely. Remote access remains essential for many organisations, but it needs careful management.

Practical steps include restricting access by user and location, keeping VPN appliances and remote desktop services patched, enforcing strong authentication, and monitoring for unusual login behaviour.

Business Applications targeted since 2021

Brazil saw the biggest country-level increase

China and the USA remained the two largest sources of attacking IP addresses in Q2 2026, with 29,932 and 27,483 unique attacking IPs respectively.

However, the most notable change was Brazil, which rose to 19,849 unique attacking IPs in the quarter. This was a 141% increase on Q1 2026 and more than five times the level recorded in Q2 2025.

Together, China, the USA and Brazil accounted for 78% of all attacking IP addresses recorded from the top ten source countries in Q2.

The source country of an attacking IP does not necessarily show where a cybercriminal is based. It often reflects where compromised devices, hosting services or botnet infrastructure are located. Even so, these shifts are useful for understanding how attack infrastructure changes over time and if you need to adjust country blocking policies.

Cyber threats on by Quarter with originating countries

 

What businesses should do next

The Q2 2026 data shows that attackers continue to focus on practical entry points: remote control tools, remote desktop, VPNs and internet-facing applications.

Businesses should use this as a prompt to review their exposure:

  1. Audit remote access tools
    Check which remote control, remote desktop and VPN services are exposed to the internet. Remove anything that is no longer required.
  2. Enforce MFA
    Use multi-factor authentication for remote access, administrator accounts and cloud services. Consider introducing passkeys for administrator accounts and other critical business systems.
  3. Patch quickly
    Keep operating systems, VPN appliances, firewalls, servers and applications up to date, especially where there are known exploited vulnerabilities.
  4. Restrict access
    Review access control policies and where possible, limit access by user, device, location and business need.
  5. Test backup and recovery
    Strong prevention matters, but businesses also need confidence that they can recover quickly if an incident occurs.
‘Businesses shouldn't be alarmed by these figures, but they should recognise that cyberattacks are largely automated and relentless. Good cyber security isn't about stopping every scan or probe, it's about making sure attackers can't turn these attempts into successful breaches. Organisations that regularly review their remote access, keep systems up to date and use strong authentication put themselves in a much stronger position.’
Sonia Blizzard, Managing Director, Beaming

Summary

Cyberattack activity against UK businesses increased in Q2 2026, with organisations targeted more than 190,000 times on average across the quarter.

The most significant development was the sharp rise in attacks on remote control applications, supported by increases in remote desktop and VPN activity. This points to continued attacker interest in systems that provide access into business networks.

Choosing a network partner that prioritises security, resilience and responsive support can reduce the burden on internal IT teams. Contact Beaming to find out how we can help protect your business.