Cyberattacks on UK businesses are escalating at an alarming rate.

In the last 12 months alone, 50 percent of businesses and more than 30 percent of all charities experienced some sort of data breach or cybersecurity threat. While worrisome, the numbers are even more staggering for larger organizations.

Nearly 75 percent of medium and large-sized businesses and 60 percent of charities whose income exceeds £500,000 per annum experienced similar threats.

The UK’s Cyber Security Breaches Survey, which happens annually, revealed a slight improvement. Compared to last year, only 43 percent of small businesses and 30 percent of charities reported these threats. Still, the numbers remain staggeringly high for larger organizations.

The financial impact of these breaches is also increasing. Over the past year, the average cost of the most disruptive attacks was estimated at £1,600 for businesses and £3,240 for charities. In response, the UK government plans to introduce the Cyber Security and Resilience Bill. The bill will mandate businesses to fortify their cybersecurity defenses.

It has also designated UK-based data centres as critical national infrastructure, meaning they’ll now receive the same support as essential utilities like power and water during a national emergency or cyber threat.

Meanwhile, small businesses have adopted much better “cyber hygiene” practices in the past 12 months. This includes cybersecurity risk assessments, cyber insurance, formal cybersecurity risk policies, and continuity plans.

However, fewer high-earning charities are performing appropriate risk assessments than before. The survey found this could be due to budget constraints. It also suggests that only 70 percent of large businesses and 57 percent of medium-sized ones have proper cybersecurity strategies in place.

“Time and again, we see that businesses and charities are under relentless attack, but those on the front line of our digital defences are working with one hand tied behind their back by outdated legislation,” says Simon Whittaker, head of IT firm Instil. “We urgently need a modern legal framework that protects the public and enables cybersecurity professionals to do their jobs.”

UK businesses are in trouble if they don’t start developing and implementing strong cyber defenses. The government can help — but only if it updates its policies.

One example of an outdated piece of policy is the Computer Misuse Act of 1990. It’s “outdated” and “no longer fit for purpose,” and it “risks criminalising the very professionals we rely on to detect, defend against and prevent these attacks,” according to Whittaker.