The clearest answer from the best available evidence is this: foreign-based external attackers are the bigger overall threat to company networks in England, especially financially motivated cybercriminals and hostile state-linked actors. But that is not the whole story, because internal people still matter enormously. In practice, many of the worst breaches happen when an external attacker gets in through a human weakness inside the business, or when a trusted insider misuses access. So the top-line verdict is external attackers are the main strategic threat, while insiders are a serious tactical and operational risk. Why the answer is not perfectly England-only One nuisance of British cyber reporting, because apparently clarity would be too generous, is that most official data is published for the UK, not England on its own. For English businesses, the best public proxy is therefore UK-wide government and industry reporting, plus England-based case studies such as the 2025 retail attacks and England responses captured in government surveys. The short verdict Biggest overall threat: foreign external attackers If you are asking which side causes the larger volume of sustained pressure, disruption and strategic risk, it is foreign-based attackers. The NCSC says state actors continue to present a significant threat to UK and global cyber security, and the UK Government’s 2026 Cyber Action Plan says hostile states and criminal groups are actively probing our defences. Microsoft’s 2025 Digital Defense Report also says the vast majority of cyber-attacks are conducted by cybercriminals, not nation-state actors, which still points overwhelmingly to external rather than internal attackers. Biggest day-to-day weakness: people inside the organisation At the same time, the most common path into businesses is often not some elite keyboard wizard in a bunker. It is staff being phished, impersonated, socially engineered, or abusing access. The UK Cyber Security Breaches Survey 2025 found phishing was by far the most common cyber crime experienced by businesses, and the Cyber Security Longitudinal Survey found phishing and email impersonation were the most prevalent incidents, with staff also being a source of unauthorised access in a meaningful minority of larger firms. What the official UK evidence says NCSC and government: hostile states and cybercriminals are the main strategic danger The NCSC’s 2025 Annual Review says state actors continue to present a significant threat, and highlights China, along with wider hostile-state activity, as part of the UK threat picture. It also says ransomware remains one of the most acute and pervasive threats to the UK. The Government Cyber Action Plan uses similarly blunt language, warning that hostile states and criminal groups are actively probing UK defences. That is a very strong signal from the UK’s own security apparatus that the main strategic threat sits outside the network and often outside the country. UK business surveys: phishing and impersonation dominate incident patterns The Cyber Security Breaches Survey 2025 found 43% of UK businesses identified a cyber breach or attack in the previous 12 months. Among businesses that identified an attack, 85% reported phishing, while 34% reported impersonation of the organisation or staff in emails or online. It also found phishing was the most disruptive breach type for most businesses that had suffered one. That profile points much more strongly to external actors attacking from outside, even when they rely on staff mistakes to succeed. Longitudinal survey: insider incidents exist, but are not the main volume driver The Cyber Security Longitudinal Survey, which focuses on medium and large UK organisations, found phishing incidents in 76% of businesses, email impersonation in 56%, and denial-of-service attacks in 8%. By contrast, among businesses, unauthorised access to files or networks by staff was reported by 14% of large businesses and 5% of medium-sized businesses. That is not trivial, but it is clearly lower than phishing and impersonation. So if the question is “which threat hits more businesses more often?”, the evidence still points to external attackers. Advertisement NORTON 360 PREMIUM PLUS 150GB IN 1 USER 10 DEVICE 12MO AMAZON ENR… PRE-PAID SUBSCRIPTION WITH SIGN UP AND ACTIVATION ONLINE: A payment method (credit card or PayPal) must be saved in your… SUBSCRIPTION WITH AUTOMATIC RENEWAL: No service disruption since this subscription automatically renews annually. If you… Protect multiple devices, including PCs, Mac, smartphones and tablets, against malware, phishing and ransomware with add… £34.99 Buy on Amazon Verizon DBIR: insiders matter more in EMEA than many people assume There is one important complication. Verizon’s 2025 DBIR said that in EMEA, 29% of breaches originated from within the organisation. That is a much larger insider share than many executives like to imagine, and it means insider risk cannot be treated as a side note. But even that figure does not make insiders the largest category overall. It means insiders are a substantial minority contributor, not the dominant source of breach activity. So who is the bigger threat in practice? If you mean frequency and strategic pressure: foreign hackers Foreign attackers are the bigger threat because they provide the bulk of the hostile pressure. That includes ransomware crews, phishing gangs, access brokers, data extortion groups, botnet operators and hostile state-linked operators. The NCSC says the UK must stay ahead of cyber criminals and hostile states, and Microsoft says the vast majority of attacks it sees are conducted by cybercriminals rather than espionage actors. In other words, most attacks are not coming from some furious systems administrator in Essex. They are coming from the global cybercrime economy. If you mean who can do exceptional damage quickly: insiders can be brutal Insiders can still be devastating because they already have legitimate access, know internal systems, understand business processes and may know how to avoid raising suspicion. CISA defines an insider threat as the potential for an insider to use authorised access or knowledge of the organisation to harm it, and its mitigation guide warns about collusive threats, where insiders work with external actors. That last point matters because some of the ugliest cases are not purely internal or purely external. They are blended. The awkward truth: many successful “foreign” attacks depend on internal human failure Staff are often the route in The government’s own longitudinal survey records one of the most honest lines in any cyber report: “Your staff are either going to be your biggest strength or your greatest weakness.” That is not melodrama. It reflects the fact that external attackers usually still need a way in, and email, password resets, fake identities, MFA-reset scams and credential theft give them that route. The 2025 UK retail attacks showed exactly how this works In the 2025 attacks affecting Marks & Spencer, Co-op and Harrods, reporting indicated that attackers impersonated employees and contacted IT help desks to get passwords reset. The NCSC publicly warned those incidents should act as a “wake-up call” to all organisations. So while the attackers were external, the breach path leaned heavily on social engineering against internal staff. That is why the right answer is not “foreign or internal”, as if these were clean categories. Criminals love using one to exploit the other. What about hackers actually based in England? Domestic attackers exist and can be very damaging They do exist, and sometimes they are highly effective. In July 2025, the NCA arrested four people in the UK in connection with the attacks on M&S, Co-op and Harrods. In September 2025, Reuters reported that the NCA believed the TfL attack was carried out by members of Scattered Spider. That shows a very uncomfortable reality: some major attacks hitting British organisations can involve actors inside Britain, not just faceless groups abroad. But that still does not overturn the bigger pattern Those cases matter, but they do not outweigh the broader threat picture from government and industry reporting, which still points to hostile states and international cybercriminals as the main sustained source of risk. Domestic actors are part of the landscape, but not the whole landscape. Also, many domestic actors plug into international ransomware and criminal ecosystems anyway, which means “inside England” and “foreign” are often operationally linked. Modern cybercrime, because civilisation was clearly getting too manageable, works through loose transnational networks rather than neat national boxes. Expert and official views Richard Horne, NCSC NCSC chief Richard Horne said the recent incidents should be a “wake-up call” and that cybercriminals will target organisations of all sizes. That reinforces the point that the threat is broad, persistent and not limited to critical infrastructure or giant corporates. UK survey participant on staff risk The UK longitudinal survey included this striking line from a business respondent: “Your staff are either going to be your biggest strength or your greatest weakness.” It is not polished conference-stage language, but it is probably closer to the truth than most vendor slogans. CISA on insider threats CISA’s definition is useful because it strips away the nonsense: an insider threat is the risk that someone with authorised access or understanding of the organisation can use it to cause harm. That includes malicious action, negligence, and collusion with outsiders. Advertisement Bestseller #1 Apple iPhone 16e 128GB: Built for Apple Intelligence, A18 Chip, Supersized Battery Life, 48MP Fusion Camera, 6.1-inch Super Retina XDR Display; Black BUILT FOR APPLE INTELLIGENCE — Personal, private, powerful. Write, express yourself and get things done effortlessly. A18 CHIP. FAST INTO THE FUTURE — A18 chip powers Apple Intelligence, gaming, and regular iOS updates to keep your iPhone… SUPERSIZED BATTERY LIFE — Text, browse, and binge movies and shows with up to 26 hours of video playback — the best batt… £499.00 Buy on Amazon The best way to frame the answer Foreign attackers are the bigger enemy They are the bigger enemy because they generate the largest volume of hostile activity, drive the main ransomware and phishing waves, and include state-backed actors as well as organised cybercriminals. The official UK and major industry evidence lines up on that point. Insiders are the bigger blind spot Insiders are the bigger blind spot because they are easier to underestimate. They may be malicious, careless, over-privileged, socially engineered, or simply tired and fooled by a convincing phishing email. And because they already belong to the organisation, they often bypass the mental model companies have of “the hacker” as someone obviously outside the walls. Final judgement Who is the biggest cyber threat to company networks in England? Foreign external attackers are the bigger overall cyber threat. That is the best-supported conclusion from UK government reporting, NCSC assessments and major incident data. They are more numerous, more persistent, and more strategically dangerous. What is the most important qualifier? The qualifier is that many successful foreign attacks only work because of internal weaknesses, and insider misuse can still cause severe damage on its own. So the smartest conclusion is not “ignore insiders”. It is this: England’s companies are mainly attacked from outside, but they are often breached through the inside. Post navigation The Best Way for a White Hat Hacker to Catch Up with AI in Cyber Security Are English Small Businesses Under Threat of Cyber Attacks?