Official Statistics

Cyber security breaches survey 2024: education institutions annex

Published 9 April 2024

This annex includes findings from the samples of UK educational institutions included in this year’s Cyber Security Breaches Survey. The results primarily cover:

  • primary schools
  • secondary schools
  • further education colleges
  • higher education institutions

The annex supplements a main Statistical Release published by the Department for Science, Innovation and Technology (DSIT), covering the 2024 results for businesses and charities.

There is another Technical Annex, available on the same GOV.UK page, which provides the methodological details of the study and copies of the main survey instruments to aid interpretation of the findings.

The Cyber Security Breaches Survey is a research study for UK cyber resilience, aligning with the National Cyber Strategy. It is primarily used to inform government policy on cyber security, making the UK cyberspace a secure place to do business. The study explores the policies, processes and approach to cyber security, for businesses, charities and educational institutions. It also considers the different cyber attacks and cyber crimes these organisations face, as well as how these organisations are impacted and respond.

For this latest release, the quantitative survey was carried out in winter 2023/24 and the qualitative element in early 2024.

Lead analyst

Maddy Ell

Responsible statistician

Saman Rizvi

Enquiries:

cybersurveys@dsit.gov.uk

Summary

Prevalence and impact of cyber security breaches and attacks

  • Primary schools are relatively close to the typical business in terms of how many identify breaches or attacks - 52% identified a breach or attack in the past year.
  • All other types of education institutions are more likely to have identified cyber security breaches or attacks in the last 12 months than the average UK business.
  • 71% of secondary schools identified a breach or attack in the past year.
  • Further education and higher education institutions are more likely to experience breaches and attacks than schools, and to experience a wider range of attack types, such as impersonation, viruses or other malware, and unauthorised access of files or networks by outsiders.
  • 86% of further education colleges identified a breach or attack in the past year.
  • Higher education institutions are more likely to be affected by cyber-attacks - 97% identified a breach or attack in the past year. Just under six in ten of the higher education institutions identified that they had been negatively impacted by a breach.

Engagement with cyber security

  • Education institutions typically report a higher level of board engagement with cyber security than the average UK business. In this sense, they are more like large businesses.
  • Primary and secondary schools have less awareness this year of government guidance like the National Cyber Security Centre’s (NCSC) 10 Steps to Cyber Security and Board Toolkit, certification schemes like Cyber Essentials, and communications campaigns like Cyber Aware. Awareness of these initiatives is much more widespread in further education colleges and higher education institutions.

Approaches to cyber security

  • All educational institutions have a level of preparedness and planning for cyber security that is notably more advanced than that of the average business, bearing more resemblance to large businesses. Most of these educational institutions have an established cyber security policy. These are more prevalent in further education colleges and higher education institutions than in primary and secondary schools.
  • The majority of education institutions have taken action in the last 12 months to help identify cyber security risks (e.g. undertaking risk assessments). Primary schools tend to have less sophisticated cyber risk management approaches than secondary schools, colleges and higher education institutions.
  • All types of education institutions are more likely to have technical controls in place in the five technical areas covered in Cyber Essentials than the average UK business.

Chapter 1: Overview of the data

1.1 Summary of methodology

Each year, the Cyber Security Breaches Survey includes two strands - a quantitative survey and follow-up qualitative interviews with some of the organisations taking part in the survey.

Quantitative survey

The survey of educational institutions comprised a random probability telephone survey, carried out from September 2023 to January 2024. It included:

  • 185 primary schools
  • 171 secondary schools
  • 43 further education colleges
  • 31 higher education institutions

The school samples include a random selection of free schools, academies, Local Authority-maintained schools and special schools.

The samples were selected from the following sources:

Qualitative interviews

In addition, we carried out 15 qualitative interviews with institutions that took part in the survey, including:

  • 2 primary schools
  • 6 secondary schools
  • 7 higher education institutions

In this annex, we include the key findings from these education institutions, as well as a selection of quotes from these interviews to illustrate the themes raised. We do not provide job title descriptions when attributing the quotes as these may be disclosive. Participants in these interviews were all cyber or IT specialists.

1.2 A note on representativeness

The education institution samples are all unweighted. They were surveyed as simple random samples, with no stratification. As such, they should be considered as representative samples. As the sample sizes are relatively small compared to the business and charity survey samples, the margins of error are higher:

  • ± 4-6 percentage points for primary schools
  • ± 4-7 percentage points for secondary schools
  • ± 9-15 percentage points for further education colleges
  • ± 8-14 percentage points for higher education institutions

1.3 Comparability to the main results for businesses and charities

In this annex, we have primarily compared our four largest education institution samples against each other, and against the benchmark set by UK businesses. The report is intended to give a broad view of where schools, colleges and higher education institutions lie in relation to businesses when it comes to cyber security.

1.4 Comparisons with previous surveys

The findings from 2024 are compared with equivalent findings from the 2023 survey. The 2024 sample sizes for all four types of educational institutions are similar to, or slightly lower than, those obtained in 2023. Because of the small sample sizes for further education colleges (44 in 2023, 43 in 2024) and higher education institutions (52 in 2023, 31 in 2024), changes between years should be treated with caution, and should be viewed as indicative only.

Where appropriate, the report also comments on longer-term changes since 2020 (the first year that education institutions were included in the survey). This analysis seeks to identify broad patterns of change over time, rather than specific instances of statistically significant changes.

Whilst there were no changes to the methodology between 2023 and 2024, there were some changes to the questionnaire. Noteworthy changes to the questionnaire were as follows, with full details and implications detailed in the Technical Annex.

Some changes were introduced to the question Q53A_Type that captures which cyber breaches or attacks an organisation may have experienced. These modifications included:

  • The question now explicitly asks respondents to include events even if the organisation was not impacted by them. In previous years this was only implicit (it was never read out).
  • The wording of some codes was changed from ‘infected’ to ‘targeted’:
    (1) ‘Your organisation’s devices being infected with ransomware’ was changed to ‘Your organisation’s devices being targeted with ransomware’.
    (2) ‘Your organisation’s devices being infected with other malware’ was changed to ‘Your organisation’s devices being targeted with other malware’.
  • At code 6 on phishing, the text ‘even if they did not engage with these websites or emails’ was added so that it reads ‘phishing attacks, i.e. staff receiving fraudulent emails, or arriving at fraudulent websites - even if they did not engage with these emails or websites’.

Significant changes were made to the cyber crime section that was introduced in 2023 to improve the design of the section and ensure more accurate data was collected. The questions were simplified by avoiding long sentences, removing double-negative questions and presenting concepts such as the ‘final event’ only at or just before the question using those concepts. The order of questions in the cyber crime section was also changed to reflect the hierarchy for coding the ‘principal’ cyber crime offence.

Due to these changes, it is not possible to make direct comparisons between 2024 and previous years on incidence of cyber breaches or attacks and on the cyber crime questions.

Chapter 2: Key findings

2.1 Prevalence and impact of cyber security breaches or attacks

It is important to remember that the survey can only measure the breaches or attacks that organisations have themselves identified. There are likely to be hidden attacks, and others that go unidentified, so the findings reported here may underestimate the full extent of cyber security incidents.

As Figure 2.1 shows, primary schools were relatively close to the typical business in terms of how many identified breaches or attacks (52% vs. 50%). Secondary schools were much more likely to identify breaches or attacks (71%) and were closer to medium (70%) and large (74%) businesses in this regard. Of all the educational institutions surveyed, further education colleges (86%) and higher education institutions (97%) were most likely to identify breaches or attacks.


Figure 2.1: Percentage of organisations that have identified breaches or attacks in the last 12 months

All UK businesses 50%
Primary schools 52%
Secondary schools 71%
Further education colleges 86%
Higher education institutions 97%

Bases: 2,000 UK Businesses; 185 primary schools; 171 secondary schools; 43 further education colleges; 31 higher education institutions.


Types of breaches or attacks identified

The findings reported in the rest of Section 2.1 are based only on the institutions that have identified a breach or attack.

Figure 2.2 breaks down the types of breaches or attacks experienced and shows that schools do not necessarily stand apart from the typical business in terms of the kinds of breaches and attacks they are reporting. Schools almost universally had lower levels of breaches and attacks than further education colleges and higher education institutions.

Schools were less likely to have suffered most types of attack (the exception being phishing, reported by 92% of primary schools and 89% of secondary schools), and their levels of attacks were broadly consistent with those they experienced in 2023.

Higher education institutions stood out in particular in terms of phishing attacks (100%), impersonation attacks (90%), viruses, spyware or malware (77%), unauthorised access of files or networks by staff (27%), unauthorised access of files or networks by outsiders (20%) and any other breaches or attacks (47%).

Further education colleges were higher than schools but lower than higher education institutions in terms of impersonation attacks (78% further education vs. 90% higher education), viruses, spyware or malware (32% vs. 77%), unauthorised access of files or networks by outsiders (0% vs. 20%) and any other breaches or attacks (16% vs. 47%).


Figure 2.2: Percentage that identified the following types of breaches or attacks in the last 12 months, among the educational institutions that have identified any breaches or attacks

| Type of breach or attack | Businesses | Primary schools | Secondary schools | Further education colleges | Higher education institutions |
|---|---|---|---|---|---|
| Phishing attacks | 84% | 92% | 89% | 97% | 100% |
| Others impersonating organisation in emails or online | 35% | 29% | 58% | 78% | 90% |
| Viruses, spyware or malware (excluding ransomware) | 17% | 14% | 21% | 32% | 77% |
| Hacking or attempted hacking of online bank accounts | 7% | 1% | 5% | 8% | 10% |
| Denial of service attacks | 5% | 3% | 14% | 41% | 40% |
| Takeover of organisation’s user accounts | 8% | 4% | 5% | 11% | 20% |
| Unauthorised accessing of files or networks by staff | 1% | 4% | 11% | 19% | 27% |
| Ransomware | 6% | 3% | 2% | 8% | 10% |
| Unauthorised accessing of files or networks by outsiders | 1% | 1% | 3% | 0% | 20% |
| Unauthorised listening into video conferences or instant messages | 1% | 0% | 0% | 3% | 3% |
| Any other breaches or attacks | 3% | 2% | 3% | 16% | 47% |

Bases: 1,111 UK businesses that identified a breach or attack in the last 12 months; 97 primary schools; 122 secondary schools; 37 further education colleges; 30 higher education institutions.


How are educational institutions affected?

Among those that have experienced breaches or attacks in the last 12 months, higher education institutions were more likely to be affected than further education colleges and schools: Over two in five (43%) higher education institutions reported experiencing a breach or attack at least weekly. In comparison, primary schools (13%) and secondary schools (16%) experienced significantly fewer weekly breaches or attacks. Three in ten further education colleges (32%) experienced breaches or attacks at least weekly.

Just under six in ten higher education institutions (57%) experienced any negative outcomes from a breach. A third (33%) stated that their accounts or systems were compromised and used for illicit purposes. By contrast, further education colleges (35%), secondary schools (19%) and primary schools (10%) were less likely to report a negative outcome.

Qualitative insights on perceptions of cyber security risk in the current geopolitical and economic environment

The qualitative interviews suggest that, despite economic conditions, many education institutions have continued to invest the same amount in cyber security over the last 12 months. There was a sense across the interviews that cyber security was still high on the priority list. However, it was clear during the interviews with education institutions that funding and restricted budgets were a big issue, making it difficult for them to increase their investment in cyber security.

“Funding is really difficult at the moment. Hit over 3-4 years - numbers on roll are down. Not down enough that can’t drop down. 40 children down. 140k less and that is without deficit.”

Primary School

One interviewee said that the economic conditions have meant they must be more reactive to attacks, rather than being able to plan and invest in cyber security to prevent attacks happening in the first place:

“Yes, basically nobody’s got any money so it’s being reactive rather than proactive.”

Secondary School

Another theme emerging from the interviews, which was also seen across businesses, was that the number of cyber attacks had increased because the difficult economic conditions were driving opportunists to take advantage. Despite recognising the increased risk, one primary school felt helpless because they cannot invest more into cyber security.

“These people are out there, especially with the economic climate, people are out there to just take what they can. So, the risk is probably greater, as to what we can do about it, I don’t know.”

Primary School

“I think the risks will maybe stay the same or increase and we will become vulnerable to the risks due to our lack of funding.”

Further Education College

2.2 Senior management engagement with cyber security

The educational institutions in our sample typically reported a higher level of senior engagement with cyber security than the average UK business. In this sense, they were more like large businesses, which was also the case in previous years.

Almost all reported that cyber security was a high priority for their governors or senior management (98% of primary schools, 96% of secondary schools, and 100% of further education colleges and higher education institutions). These findings have remained very consistent over time since 2020. This contrasted with businesses and charities, which showed an apparent decrease in prioritisation from last year.

The majority of education institutions updated their governors or senior management on cyber security at least quarterly: 84% of higher education institutions, 88% of further education colleges, 63% of primary schools (down from 78% in 2023) and 65% of secondary schools. This compared to 63% of medium businesses and 78% of large businesses.

Around seven in ten schools had a governor or senior manager with responsibility for cyber security (71% of both primary and secondary schools, vs. 30% of businesses and 63% of large businesses). Nine in ten higher education institutions (90%) and almost nine in ten further education colleges (84%) similarly assigned such responsibility at a senior level.

Qualitative insights on senior management engagement

The qualitative interviews indicated a varied level of involvement, understanding, and attitudes towards cyber security across the boards.

Some boards demonstrated a high level of engagement with cyber security. For example, one interviewee said that their board take a regular and proactive interest in cyber security by keeping it on their agenda and meeting at least quarterly.

“They are supportive and make sure it is on their agenda, formally at least quarterly, and monthly on the steering group.”

Higher education institution

Another interviewee indicated that there was a degree of expertise within the board. This suggests that the board are not only involved but also equipped with the necessary knowledge to help make informed decisions.

“They have the ‘right understanding’, with some having specialist backgrounds too.”

Higher education institution

On the other hand, other interviewees described their board members as not being particularly involved with cyber security. For example, one interviewee suggested that the board have a reactive rather than proactive approach, and they rely on the IT department to manage cyber security. This is demonstrated in the following quote:

“No, they’re not involved but they would be very vocal if things (cyber breaches) did happen. They are an ageing population that understands little about IT and take it as read that things are covered.”

Secondary School

Across the interviews, there was general agreement that the boards’ understanding and awareness of cyber security is growing. However, there was a sense that cyber security is led from the bottom up, so the board are less likely to gain a deep and detailed understanding on the topic.

“In the past 6 months they have been getting more involved. Expect it to be another year before really involved.”

Secondary School

However, there’s also an indication that the level of involvement and understanding varies, with one interviewee saying:

“Things they understand well are things they encounter in their own lives like phishing over things they understand less well: 24/7 monitoring and protection.”

Secondary School

Some interviewees also mentioned that budget constraints were a barrier and meant that they could only meet the minimum cyber security requirements.

“They are aware of issues, and the things we have to monitor but we do not have the budget to deal with things in the best way. We do the bare minimum because that is all we can afford.”

Further education college

Overall, the insights reveal a mixed picture of board involvement and understanding of cyber security, with signs of growing engagement and awareness, but also room for more support and understanding. Budget constraints and a reactive approach to cyber security were common issues identified in the qualitative interviews, suggesting a need for more proactive, cost-effective strategies to enhance cyber security in education institutions.

2.3 Sources of information and guidance

Seeking information

Higher education institutions (87%) were more likely than further education colleges (58%) and primary and secondary schools (76% and 70% respectively) to have sought information or guidance about cyber security from external sources in the last 12 months.

All types of education institutions included in this survey were more likely than businesses (41%) to have sought information or guidance about cyber security from external sources in the last 12 months.

The most common sources of information and guidance used in 2023 reduced in use this year, as follows:

  • Government and public sector sources reduced among further education colleges from 70% to 19%, and from 55% of higher education institutions to 32% in 2024. Meanwhile there was a drop from 35% of primary schools to 17%, and from 34% to 20% among secondary schools.
  • External cyber security or IT providers also reduced from 54% to 21% among further education colleges. Both primary (30%) and secondary (27%) schools remained broadly consistent with the 30% in 2023, while higher education institutions increased from 16% to 39%.

There were also other differences between schools, colleges and higher education institutions. Schools were more likely to have been in contact with local authorities (18% of primary schools and 5% of secondary schools, both broadly consistent with 2023). Just over half of further education colleges (51%) and higher education institutions (52%) mentioned Jisc and the Janet Network[footnote 1] which provide UK universities and colleges with shared digital infrastructure and services. These were significant reductions from 2023 for Jisc/Janet (74% further education and 84% higher education). Seven in ten higher education institutions (71%) mentioned the National Cyber Security Centre (NCSC), compared to 19% for further education colleges. The NCSC was mentioned by 13% of secondary schools (the same as 2023) and 7% of primary schools (up from 4%).

Awareness of government guidance, initiatives and communications

As in 2022 and 2023, there were still many educational institutions that had not heard of the various government guidance, initiatives and communications campaigns on cyber security. Awareness was, as found in previous years, much more widespread in further education colleges and higher education institutions, where typically half or more are aware of the various communications covered in the survey:

Awareness of the government’s Cyber Aware communications campaign decreased among primary schools (from 55% in 2023 to 43% in 2024). Higher proportions of secondary schools (57%), further education colleges (70%) and higher education institutions (74%) had heard of the campaign.[footnote 2]

There was lower awareness of the Cyber Essentials scheme in primary schools (20%) and secondary schools (51%) than was reported in further education colleges (91%) and higher education institutions (97%)[footnote 3]. The awareness levels were broadly consistent with 2023, although 100% of higher education institutions claimed awareness last year. Higher education institutions (74%) and further education colleges (58%) were more likely to have heard of the 10 Steps to Cyber Security, whereas awareness of this guidance was lower among primary and secondary schools (both 41%)[footnote 4]. There was a decrease in awareness since 2023 among higher education institutions (down from 87%) and a smaller decrease among further education colleges (down from 68%).

The National Cyber Security Centre’s (NCSC’s) Board Toolkit was much more widely recognised in higher education institutions in 2023 (82%) but recognition dropped to 65% in 2024. In further education colleges, recognition increased a little, although not significantly, from 53% in 2023 to 56% in 2024. In primary and secondary schools there was a small increase in recognition, from 27% in 2023 (for both) to 31% and 36% respectively in 2024. It is again worth noting that the Board Toolkit, which is aimed at senior managers and governing bodies, had not been specifically promoted across educational institutions.

2.4 Identifying cyber security risks

As in 2023, the majority of the educational institutions had taken at least one of the actions shown in Figure 2.3 in the past 12 months to help identify cyber security risks. Primary schools still tended to have less sophisticated approaches, whereas secondary schools, further education colleges and higher education institutions tended to have more sophisticated ones. All types of educational institutions were more likely than businesses to have taken the various actions, continuing the trend from the last two years.

Further education colleges and higher education institutions were again specifically more likely than schools to carry out audits and penetration tests and to invest in threat intelligence. In general, there was less difference between further education colleges and higher education institutions. Further education colleges increased their activity in 2024 relative to 2023, especially in terms of risk assessment (up from 66% to 88%), vulnerability audits (up from 59% to 84%) and penetration testing (up from 68% to 84%). Whereas further education colleges’ use of, or investment in, threat intelligence remained static (53% versus 57% in 2023), higher education institutions had increased since 2023 (up to 77% from 71%).

The proportion of schools taking at least one of these actions was consistent between 2023 and 2024. This applied both to primary schools (74% in 2023 vs. 76% in 2024) and secondary schools (89% in 2023 vs. 91% in 2024). This relative consistency by schools also holds for the specific activities to identify cyber security risks, although there were larger increases in risk assessments for primary schools (up from 48% to 58%) and secondary schools (up from 57% to 71%).


Figure 2.3: Percentage of educational institutions that have used the following activities to identify cyber security risks in the last 12 months

| Activity used | Businesses | Primary schools | Secondary schools | Further education colleges | Higher education institutions |
|---|---|---|---|---|---|
| Any of the listed activities | 51% | 76% | 91% | 100% | 100% |
| Used specific tools designed for security monitoring | 33% | 47% | 63% | 70% | 87% |
| Risk assessment covering cyber security risks | 31% | 58% | 71% | 88% | 90% |
| Testing staff awareness and response (e.g. mock phishing) | 18% | 38% | 53% | 84% | 65% |
| A cyber security vulnerability audit | 17% | 29% | 55% | 84% | 74% |
| Penetration testing | 11% | 15% | 37% | 84% | 81% |
| Invested in threat intelligence | 10% | 14% | 32% | 53% | 77% |

Bases: 2,000 UK businesses; 185 primary schools; 171 secondary schools; 43 further education colleges; 31 higher education institutions


All types of educational institutions were more likely than businesses to say they have reviewed supplier-related risks to cyber security:

  • Around a third of primary schools (35%), two in five secondary schools (41%) and over half of higher education institutions (58%) said they had reviewed such risks posed by their immediate suppliers or partners. Further education colleges were most likely to do so, with over three in five (63%) reviewing such risks. This compares to a minority (11%) of businesses.
  • Around one in five schools said they had reviewed the risks presented by their wider supply chains: primary schools (18%), secondary schools (20%). Larger proportions of further education colleges (26%) and higher education institutions (29%) had reviewed these risks. This compares to just 8% of businesses, which is in line with 2023.

Qualitative insights on supply chain risk

The education institutions we spoke to in the qualitative interviews had similarly informal supply chain cyber risk management processes as businesses and charities did, despite an increasing awareness of the risks.

Some education institutions had implemented systematic approaches to ensure their suppliers meet the necessary cyber security standards. For example, one interviewee said that they check their supplier has all the relevant accreditations and the supplier will also go through an approval process.

“We have to make sure they have all the relevant accreditation and meet standards for data protection. Any system that has to be integrated has to be authorised by the council.”

Secondary School

Another interviewee noted their use of APUC (Advanced Procurement for Universities and Colleges), which vets and controls suppliers.

“They use APUC before entering into an agreement. All suppliers would need to have Cyber Essentials.”

Further Education Institution

On the other hand, other education institutions took a less structured approach, and relied more on GDPR standards rather than cyber security specifically.

“It’s not systematic approach. We have close relationship with cyber provider for 15 years. Use Data Protection impact assessment from ICO used to look at all potential risks.”

Primary School

Staff training and awareness raising

Cyber security training or awareness raising activities were less common in schools (albeit still undertaken by majorities) than in further education colleges and higher education institutions, although both primary and secondary schools had increased since 2023. Around three in five primary schools (up from 49% to 62% in 2024) and three-quarters of secondary schools (up from 62% to 75% in 2024) had undertaken any such activities in the last 12 months. This rises to nine in ten further education colleges (88%) and higher education institutions (90%).

The longer term picture shows an increase in activity among primary and secondary schools since 2021.

Cyber security planning and documentation

In terms of documentation, all four groups of educational institutions were far more developed than the typical business, and much more akin to large businesses. Three-quarters or more had a cyber security policy in primary schools (75%) and secondary schools (81%). The proportion was even higher in further education colleges (up from 77% in 2023 to 88% in 2024) while it remained consistent in higher education institutions (90%).

Business continuity plans covering cyber security also tended to be in place in most of these educational institutions, although they were less common in primary and secondary schools (66% and 75% respectively) than in further education colleges (95%) and higher education institutions (84%).

Both further education colleges (81%) and higher education institutions (87%) were more likely to have a formal incident response plan than secondary schools (71%) and primary schools (57%), and all were higher in 2024 than in 2023.

Incident response planning in education institutions was also more sophisticated than in the average business, as Figure 2.4 indicates. Higher education institutions were more likely than other education institutions to have plans that encompass assigning roles and responsibilities to specific individuals (94%) followed by further education colleges (88%).


Figure 2.4: Percentage of educational institutions that take the following actions, or have these measures in place, for when they experience a cyber security incident

| Action taken | Businesses | Primary schools | Secondary schools | Further education colleges | Higher education institutions |
|---|---|---|---|---|---|
| Inform directors/trustees/governors | 77% | 79% | 75% | 79% | 84% |
| Keep an internal record of incidents | 54% | 78% | 78% | 86% | 84% |
| Assessment of the scale and impact of the incident | 53% | 64% | 65% | 81% | 81% |
| Formal debriefs to log any lessons learned | 50% | 67% | 68% | 72% | 74% |
| Inform a regulator | 44% | 62% | 50% | 42% | 39% |
| Attempt to identify the source of the incident | 45% | 50% | 63% | 67% | 90% |
| Roles and responsibilities assigned to specific individuals | 37% | 77% | 86% | 88% | 94% |
| Written guidance on who to notify | 32% | 76% | 80% | 91% | 90% |
| Guidance on when to report incidents externally | 29% | 68% | 76% | 81% | 84% |
| Formal incident response plan | 22% | 57% | 71% | 81% | 87% |
| Communications and public engagement plans | 15% | 48% | 48% | 65% | 68% |
| Inform the cyber insurance provider | 11% | 29% | 20% | 28% | 13% |
| Used NCSC approved incident response company | 13% | 12% | 13% | 21% | 16% |

Bases: 2,000 UK businesses; 185 primary schools; 171 secondary schools; 43 further education colleges; 31 higher education institutions.


Compared with 2023, educational establishments were less likely to have taken several of these actions or to have the measures in place, although some measures became more common. Specifically:

  • Primary schools were less likely to inform directors, trustees or governors of the incident (79% in 2024 vs. 85% in 2023), keep an internal record of incidents (78% vs. 87%), formally debrief to log any lessons learned (67% vs. 86%), make an assessment of the scale and impact of the incident (64% vs. 82%), inform a regulator (62% vs. 87%), attempt to identify the source of the incident (50% vs. 58%) and inform the cyber insurance provider (29% vs. 39%).
  • However, primary schools were more likely to assign roles and responsibilities to specific individuals (77% in 2024 vs. 66% in 2023), have written guidance on who to notify (76% vs. 60%) and have communications and public engagement plans (48% vs. 38%).
  • Secondary schools were less likely to keep an internal record of incidents (78% in 2024 vs. 90% in 2023), attempt to identify the source of the incident (63% vs. 81%), assess the scale and impact of an incident (65% vs. 87%), formally debrief to log any lessons learned (68% vs. 83%), inform a regulator (50% vs. 84%), and inform the cyber insurance provider (20% vs. 35%).
  • However, secondary schools were more likely to assign roles and responsibilities to specific individuals (86% in 2024 vs. 70% in 2023), provide written guidance on who to notify (80% vs. 72%), provide guidance on when to report incidents externally (76% vs. 62%) and have a formal incident response plan (71% vs. 55%).
  • Further education colleges were less likely to keep an internal record of incidents (86% in 2024 vs. 91% in 2023), inform a regulator (42% vs. 73%), inform the cyber insurance provider (28% vs. 41%) and use an NCSC-approved incident response company (21% vs. 27%).
  • However, further education colleges were more likely to inform directors, trustees or governors of the incident (79% in 2024 vs. 68% in 2023), assign roles and responsibilities to specific individuals (88% vs. 73%), provide written guidance on who to notify (91% vs. 66%), provide guidance on when to report incidents externally (81% vs. 68%), have a formal incident response plan (81% vs. 61%) and have communications and public engagement plans (65% vs. 41%).
  • Higher education institutions were less likely to inform a regulator of the incident (39% in 2024 vs. 50% in 2023) and to have used an NCSC-approved incident response company (16% vs. 31%).
  • However, higher education institutions were more likely to inform directors, trustees or governors of the incident (84% in 2024 vs. 44% in 2023), have formal debriefs to log any lessons learned (74% vs. 63%), have written guidance on who to notify (90% vs. 79%) and guidance on when to report incidents externally (84% vs. 71%).

Insurance against cyber security breaches

Under half of primary schools (44%), and even fewer secondary schools (36%), reported having cyber security cover as part of a broader insurance policy.

It is again worth noting that almost half of the individuals in cyber roles that we interviewed in primary and secondary schools did not know whether their school had this kind of insurance (both 42%)[footnote 5]. This compares to 19% of businesses not knowing. It highlighted that cyber security is perhaps more siloed in schools, and therefore considered separately from financial matters like insurance.

Just under half of further education colleges said they have cyber security cover as part of a broader insurance policy (47%), but only 13% of higher education institutions have such cover. Higher education institutions and further education colleges were more likely to have specific cyber insurance policies (52% and 37% respectively), whereas just 5% of primary schools and 13% of secondary schools did.

Technical rules and controls

The survey covered a range of technical rules and controls that organisations may have in place to help minimise the risk of cyber security breaches (split out in Figures 2.5 and 2.6). Many of these are basic good practice controls taken from government guidance for the 10 Steps to Cyber Security or the Cyber Essentials scheme.

The government-endorsed Cyber Essentials scheme enables organisations to be independently certified for having met a good-practice standard in cyber security. Specifically, it requires them to enact basic technical controls across five areas:

  • boundary firewalls and internet gateways
  • secure configurations
  • user access controls
  • malware protection
  • patch management (i.e., applying software updates).

Overwhelmingly, educational institutions had technical rules or controls covering four of the five technical areas laid out in the Cyber Essentials guidance: boundary firewalls and internet gateways, secure configurations, user access controls and malware protection. Primary schools were still notably weaker in the area of patch management compared to other types of educational institutions, with half (49%) having a policy to apply software updates within 14 days. This compares to the majority of other educational institutions, especially further education colleges (88%) and higher education institutions (87%, up from 67% in 2023).


Figure 2.5: Percentage of educational institutions that have the rules or controls in place in the five technical areas from Cyber Essentials

Rule or control in place Businesses Primary schools Secondary schools Further education colleges Higher education institutions
Up-to-date malware protection 83% 94% 95% 100% 100%
Firewalls that cover the entire IT network, as well as individual devices (boundary firewalls and internet gateways) 75% 94% 98% 100% 100%
Restricting IT admin and access rights to specific users (user access controls) 73% 97% 98% 100% 94%
Security controls on company-owned devices (e.g. laptops) (secure configurations) 58% 92% 97% 100% 94%
A policy to apply software updates within 14 days (patch management) 34% 49% 68% 88% 87%

Bases: 2,000 UK businesses; 185 primary schools; 171 secondary schools; 43 further education colleges; 31 higher education institutions.


As in 2023, primary schools were less likely than other educational institutions to have guest wifi networks (54% vs. 84% of secondary schools, 93% of further education colleges, and 94% of higher education institutions). Primary schools were as likely as the other institutions to only allow access via the school’s own devices (66%), although again higher education institutions were much lower in this respect (13%). As noted in 2023, this may reflect the specific nature of dealing with young children.

It was also notable that cloud back-ups were more common in primary schools (89%), while other educational institutions were more likely to use other means for secure back-ups. Compared to 2023, the deployment of several controls and procedures had increased. Among primary schools the greatest increases were a stronger password policy (91% in 2024 vs. 84% in 2023), two factor authentication (72% vs. 63%) and monitoring of user activity (83% vs. 73%). Primary schools were less likely to have a VPN for staff connecting remotely (55% vs. 61%). Increases among secondary schools were cloud back-ups (84% in 2024 vs. 76% in 2023), only allowing access via the schools’ devices (67% vs. 56%) and a VPN for staff connecting remotely (71% vs. 64%).

Further education colleges were more likely to have cloud back-ups (74% in 2024 vs. 59% in 2023), an agreed process for staff to follow with fraudulent emails or websites (95% vs. 75%), two factor authentication (100% vs. 86%) and to only allow access via college-owned devices (65% vs. 30%).

Increases among higher education institutions were cloud back-ups (81% in 2024 vs. 69% in 2023), rules for storing and moving personal data securely (68% vs. 60%) and separate wifi networks (94% vs. 77%).


Figure 2.6: Percentage of educational institutions that have additional rules or controls in place

Additional rule or control in place Businesses Primary schools Secondary schools Further education colleges Higher education institutions
A password policy that ensures users set strong passwords 72% 91% 96% 95% 100%
Backing up data securely via a cloud service 71% 89% 84% 74% 81%
An agreed process for staff to follow with fraudulent emails or websites 54% 90% 93% 95% 97%
Only allowing access via company-owned devices 61% 66% 67% 65% 13%
Backing up data securely via other means 55% 55% 74% 88% 68%
Rules for storing and moving personal data securely 48% 88% 91% 84% 68%
Two factor authentication 39% 72% 71% 100% 97%
Monitoring of user activity 30% 83% 94% 86% 81%
Separate Wi-Fi networks for staff and visitors 35% 54% 84% 93% 94%
A Virtual Private Network, or VPN, for staff connecting remotely 32% 55% 71% 70% 94%

Bases: 2,000 UK businesses; 185 primary schools; 171 secondary schools; 43 further education colleges; 31 higher education institutions.


Outsourcing cyber security

Our sample suggests that, as reported in 2023, outsourcing cyber security is more common among primary schools than other educational institutions. Outsourcing had increased among all of the educational institutions. A total of 82% of primary schools (up from 75% in 2023) said an external provider manages their cyber security for them, compared with 50% of secondary schools (up from 44%), 40% of further education colleges (up from 14%) and 26% of higher education institutions (up from 15%). Despite this, the qualitative interviewees all managed their cyber security internally.

2.5 Implementing the 10 Steps to Cyber Security

The government’s 10 Steps to Cyber Security guidance sets out a comprehensive risk management regime that both businesses and charities can follow to improve their cyber security standards. It is not, however, an expectation that organisations comprehensively apply all the 10 Steps - this will depend on each organisation’s cyber risk profile.

These steps have been mapped to several specific questions in the survey. This is not a perfect mapping as many of the steps are overlapping and require organisations to undertake action in the same areas, but it gives an indication of whether organisations have taken relevant actions on each step.

Table 2.1 brings together these findings, some of which have been individually covered earlier in this annex.

There have been some changes in 2024 compared with 2023:

  • primary schools were more likely to have undertaken action in risk management (58% in 2024 vs. 48% in 2023), identity and access management (72% vs. 63%) and in incident management (70% vs. 61%)
  • secondary schools were more likely to have undertaken action in risk management (71% in 2024 vs. 57% in 2023) and identity and access management (71% vs. 66%)
  • further education colleges were more likely to have undertaken action in risk management (88% in 2024 vs. 66% in 2023) and engagement and training (88% vs. 86%)
  • higher education institutions were more likely to have undertaken action in risk management (90% in 2024 vs. 87% in 2023) and engagement and training (90% vs. 88%).

Table 2.1: Percentage of educational institutions undertaking action in each of the 10 Steps areas

Step description and how derived from the survey Primary Secondary Further Higher
1 Risk management - Organisations that update boards at least annually and have at least 2 of the following: a cyber security policy or strategy, adherence to Cyber Essentials or Cyber Essentials Plus, undertake risk assessments, have cyber insurance (either a specific or non-specific policy), undertake cyber security vulnerability audits, have an incident response plan, manage supplier or supply chain cyber risks. 58% 71% 88% 90%
2 Engagement and training - Organisations that train staff or do mock phishing exercises 62% 75% 88% 90%
3 Asset management - Organisations that keep a list of critical assets 65% 71% 95% 77%
4 Architecture and configuration - Organisations that configure firewalls and have either secure configurations (i.e., security controls on company devices) or a policy around what staff are permitted to do on company devices 98% 100% 100% 100%
5 Vulnerability management - Organisations that have a patching policy and at least one of the following: undertake vulnerability audits, penetration testing, update anti-malware, or have a policy covering SaaS 49% 68% 88% 87%
6 Identity and access management - Organisations that restrict admin rights, have a password policy or use two factor authentication 72% 71% 100% 97%
7 Data security - Organisations with cloud or other backups and at least one of the following: secure personal data transfers, a policy covering removable storage or a policy on how to store data 97% 98% 100% 100%
8 Logging and monitoring - Organisations with monitoring tools, or that had a breach and logged it 90% 95% 88% 94%
9 Incident management - Organisations with incident response plans or formal debriefs 70% 81% 86% 94%
10 Supply chain security - Organisations that monitor risks from suppliers or the wider supply chain 39% 43% 67% 58%
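The "how derived" column of Table 2.1 is effectively a set of scoring rules over yes/no survey answers. The Python below applies those rules to constructed answers for three hypothetical institutions and then produces the two Figure 2.7 aggregates (action on five or more steps, action on all 10). It is an added illustration written for this annex, not code from the survey, DSIT or Ipsos; the field names and the three sample response sets are this example's own assumptions and do not correspond to the survey's question wording or to any real respondent.

```python
"""Derive 10 Steps coverage from yes/no survey-style answers (Table 2.1 rules).

Added example; not part of the Cyber Security Breaches Survey. Field names
and sample responses are constructed for illustration only.
"""
from dataclasses import dataclass, fields


@dataclass
class Responses:
    """One institution's yes/no answers. Attribute names are this example's own."""
    board_updated_annually: bool = False   # step 1
    has_policy: bool = False               # steps 1 (counted items)
    cyber_essentials: bool = False
    risk_assessment: bool = False
    cyber_insurance: bool = False
    vulnerability_audit: bool = False      # also step 5
    incident_response_plan: bool = False   # also step 9
    manages_supplier_risk: bool = False    # also step 10
    staff_training: bool = False           # step 2
    mock_phishing: bool = False
    critical_asset_list: bool = False      # step 3
    firewalls: bool = False                # step 4
    secure_configuration: bool = False
    device_use_policy: bool = False
    patching_policy: bool = False          # step 5
    penetration_testing: bool = False
    antimalware_updated: bool = False
    saas_policy: bool = False
    restricts_admin_rights: bool = False   # step 6
    password_policy: bool = False
    two_factor_auth: bool = False
    cloud_backup: bool = False             # step 7
    other_backup: bool = False
    secure_data_transfer: bool = False
    removable_media_policy: bool = False
    data_storage_policy: bool = False
    monitoring_tools: bool = False         # step 8
    logs_breaches: bool = False
    had_breach: bool = False
    formal_debriefs: bool = False          # step 9


def ten_steps(r: Responses) -> dict[str, bool]:
    """Return, for each of the 10 Steps, whether the Table 2.1 rule is met."""
    risk_items = sum([r.has_policy, r.cyber_essentials, r.risk_assessment,
                      r.cyber_insurance, r.vulnerability_audit,
                      r.incident_response_plan, r.manages_supplier_risk])
    return {
        "1 Risk management": r.board_updated_annually and risk_items >= 2,
        "2 Engagement and training": r.staff_training or r.mock_phishing,
        "3 Asset management": r.critical_asset_list,
        "4 Architecture and configuration":
            r.firewalls and (r.secure_configuration or r.device_use_policy),
        "5 Vulnerability management":
            r.patching_policy and any([r.vulnerability_audit, r.penetration_testing,
                                       r.antimalware_updated, r.saas_policy]),
        "6 Identity and access management":
            r.restricts_admin_rights or r.password_policy or r.two_factor_auth,
        "7 Data security":
            (r.cloud_backup or r.other_backup)
            and any([r.secure_data_transfer, r.removable_media_policy,
                     r.data_storage_policy]),
        "8 Logging and monitoring":
            r.monitoring_tools or (r.logs_breaches and r.had_breach),
        "9 Incident management": r.incident_response_plan or r.formal_debriefs,
        "10 Supply chain security": r.manages_supplier_risk,
    }


def steps_covered(r: Responses) -> int:
    """Number of the 10 Steps on which the institution has taken action."""
    return sum(ten_steps(r).values())


def summarise(institutions: list[Responses]) -> dict[str, float]:
    """Figure 2.7-style aggregates as percentages of the sample."""
    counts = [steps_covered(r) for r in institutions]
    n = len(counts)
    return {
        "five_or_more": round(100 * sum(c >= 5 for c in counts) / n, 1),
        "all_ten": round(100 * sum(c == 10 for c in counts) / n, 1),
    }


# Constructed sample: every answer "yes"; a school-like profile with the gaps
# the annex highlights (no board updates, asset list, patching policy or
# supplier-risk monitoring); and a near-empty profile.
ALL_YES = Responses(**{f.name: True for f in fields(Responses)})
SCHOOL_LIKE = Responses(firewalls=True, secure_configuration=True,
                        password_policy=True, cloud_backup=True,
                        data_storage_policy=True, monitoring_tools=True,
                        staff_training=True, incident_response_plan=True)
MINIMAL = Responses(firewalls=True, antimalware_updated=True)
SAMPLE = [ALL_YES, SCHOOL_LIKE, MINIMAL]

if __name__ == "__main__":
    for name, r in [("all_yes", ALL_YES), ("school_like", SCHOOL_LIKE), ("minimal", MINIMAL)]:
        missing = [s for s, ok in ten_steps(r).items() if not ok]
        print(f"{name}: {steps_covered(r)}/10 covered; missing {missing}")
    print(summarise(SAMPLE))
```

The school-like profile scores 6 of 10 even though it has firewalls, backups, a password policy and monitoring in place, because the four steps it misses (risk management, asset management, vulnerability management, supply chain security) are exactly the ones the discussion below the table identifies as least well covered; listing the missing steps per institution, rather than only the count, is what makes the output useful for prioritising.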


Overall, this table shows, as it broadly did in 2023, that the areas that were still less well covered among educational institutions are:

  • risk management (although this was not the case in 2023)
  • asset management
  • vulnerability management
  • supply chain security

In addition, there are areas that were less well covered in schools in particular (rather than further education colleges and higher education institutions):

  • risk management
  • supply chain security

Looking at these 10 Steps together, nearly all educational institutions had taken action on at least five of these steps. However, there is still some progress to be made before these institutions have taken action in all 10 areas, as demonstrated in Figure 2.7.


Figure 2.7: Percentage of educational institutions that have undertaken action in half or all the 10 Steps guidance areas

Number of actions undertaken Businesses Primary schools Secondary schools Further education colleges Higher education institutions
Undertaken action on five or more of the 10 Steps 39% 87% 92% 100% 98%
Undertaken action on all of the 10 Steps 2% 13% 19% 35% 47%

Bases: 2,000 UK businesses; 185 primary schools; 171 secondary schools; 43 further education colleges; 31 higher education institutions.


Appendix A: Further information

A1. The Department for Science, Innovation and Technology and the Home Office would like to thank the following people for their work in the development and carrying out of the survey and for their work compiling this report:

  • Alice Stratton, Ipsos
  • Nada El-Hammamy, Ipsos
  • Sally-Ann Barber, Ipsos
  • Finlay Proctor, Ipsos
  • Nick Coleman, Ipsos
  • Jayesh Navin Shah, Ipsos.

A2. The Cyber Security Breaches Survey was first published in 2016 as a research report, and became an Official Statistic in 2017. The previous reports can be found at https://www.gov.uk/government/collections/cyber-security-breaches-survey. This includes the full report and the technical and methodological information for each year.

A3. The lead DSIT analyst for this release is Maddy Ell. The responsible statistician is Saman Rizvi. For enquiries on this release, from an official statistics perspective, please contact DSIT at cybersurveys@dsit.gov.uk.

A4. The Cyber Security Breaches Survey is an official statistics publication and has been produced to the standards set out in the Code of Practice for Official Statistics. For more information, see https://code.statisticsauthority.gov.uk/. Details of the pre-release access arrangements for this dataset have been published alongside this release.

A5. This work was carried out in accordance with the requirements of the international quality standard for Market Research, ISO 20252.

  1. Supports innovative learning and teaching within higher education, underpins collaborations with research partners and enables business efficiencies. 

  2. Findings for higher education institutions are excluded due to the small number of respondents (29). 

  3. The government-endorsed Cyber Essentials scheme enables organisations, including educational institutions, to be certified independently for having met a good-practice standard in cyber security. 

  4. The 10 Steps to Cyber Security guidance sets out 10 key areas organisations should address to protect themselves. 

  5. Our interviewers sought to interview the senior person with most responsibility for cyber security within an organisation, who might be expected to know if the organisation was insured against cyber security breaches or attacks. This individual was identified by the organisation for us.