More than one in four British companies suffered a cyber-attack in the past year, a marked rise from 16 percent the previous year, according to a nationwide survey by the Royal Institution of Chartered Surveyors (RICS). The findings highlight an urgent need for digital modernisation, as attackers increasingly target the systems that underpin the UK’s built environment.
The RICS survey — which polled more than 8,000 facilities managers, service providers, and consultancies — revealed that 27 percent of respondents had experienced at least one breach in the past 12 months. A further 73 percent expect a disruptive cyber incident within the next two years, underlining the sense of vulnerability across the sector.
RICS warned that property owners and occupiers of smart, sensor-laden buildings are “sleepwalking” into costly attacks unless they address long-standing weaknesses in digital defences. The watchdog singled out outdated operating systems — including building-management computers still running Windows 7 — and poorly secured operational technology, CCTV, and IoT access-control networks as prime targets.
“Buildings are no longer just bricks and mortar; they are interconnected digital environments, with technology now at the very heart of how they operate,” said Paul Bagust, RICS head of property practice. “Failure to identify growing digital challenges risks sleepwalking into cyber-attacks, putting businesses and the wider public at serious risk.”
The findings echo the UK government’s Cyber Security Breaches Survey 2025, which reported that 43 percent of all UK businesses — and 67 percent of medium-sized firms — detected at least one cyber incident last year, with phishing remaining the most common attack vector.
Small businesses remain especially exposed. Research published last week by BT and Be the Business found that 42 percent of small enterprises had suffered a cyber-attack in the past year, yet 39 percent offer no cybersecurity training to staff. BT said average recovery costs for a micro or small firm total £7,960.
Large corporates have not been spared. Marks & Spencer recently disclosed that a ransomware attack in April is expected to cut operating profit by around £300 million and will likely disrupt online clothing orders until at least July.
RICS has called on property owners to conduct “digital due-diligence” audits, patch legacy software, and adopt industry-standard frameworks such as ISO 27001 to strengthen building systems. The organisation also urged closer collaboration with insurers and regulators, warning that attackers are increasingly deploying AI-driven impersonation and ransomware tools at scale.
