Cyber security breaches survey 2025/2026: education institutions findings
Published 30 April 2026
This annex includes findings from the samples of UK state educational institutions included in this year’s Cyber Security Breaches Survey. The results primarily cover:
- primary schools
- secondary schools
- further education colleges
- higher education institutions
The annex supplements a main Statistical Release published by the Department for Science, Innovation and Technology (DSIT) and the Home Office, covering the 2025/2026 results for businesses and charities. Some figures for businesses are included in this Annex for comparison.
Methodological details of the study and copies of the main survey instruments to aid interpretation of the findings are provided in the Technical Annex, available on the same GOV.UK page.
The Cyber Security Breaches Survey is a research study on UK cyber resilience. It is primarily used to inform government policy on cyber security, making the UK cyberspace a secure place to do business. The study explores the policies, processes and approach to cyber security, for businesses, charities and educational institutions. It also considers the different cyber attacks and cyber crimes these organisations face, as well as how these organisations are impacted and respond.
For this latest release, the quantitative survey and qualitative interviews were carried out between August and December 2025.
Lead analyst: Emma Johns (DSIT)
Responsible statistician: Saman Rizvi (DSIT)
Enquiries: cybersurveys@dsit.gov.uk
Summary
Prevalence and impact of cyber security breaches and attacks
- Over seven in ten secondary schools (73%), nearly nine in ten further education colleges (88%) and almost every higher education institution (98%) had identified breaches or attacks in the last 12 months. Fewer primary schools (49%) reported experiencing a breach or attack.
- For most tiers of education, the level of incidents was similar to 2024/2025, but a significantly higher proportion of secondary schools this year (73%) said they had identified breaches or attacks in the past 12 months, compared with 2024/2025 (60%).
- With the exception of primary schools, educational establishments had a notably higher incidence of cyber incidents than businesses (43%).
- Just over one in four (27%) further and higher education institutions reported experiencing a breach or attack at least weekly. This compared to 14% of primary schools and 20% of secondary schools. These figures were broadly consistent with the 2024/2025 findings. For one in ten further and higher education institutions (12%) and secondary schools (11%), attacks were being experienced at least daily.
- Among those identifying a breach, phishing was overwhelmingly the main threat to schools (90% of primary schools and 96% of secondary schools), colleges and universities (96% of further education and higher education institutions combined). Phishing was almost as widespread among businesses (88%) as in the education sector.
- In combination, further and higher education institutions had significantly higher incidence levels than schools or businesses for most other breaches or attacks. This included impersonation (79% compared to 31% primary schools, 44% secondary schools and 28% businesses) and viruses, spyware or malware (51% compared to 11% primary schools, 15% secondary schools and 16% businesses).
- Almost half the further and higher education institutions that identified a breach or attack (49%) suffered a negative outcome to their systems. This most frequently included compromised accounts or systems being used for illicit purposes (23%), website applications or online services being slowed or taken down (16%), and loss of access to files or networks (14%). Primary schools (13%) and secondary schools (20%) were less likely to report negative impacts on their systems.
Engagement with cyber security
- Educational institutions continued to describe a high level of senior management engagement with cyber security. Almost all reported that cyber security was either a very or fairly high priority for their governors or senior management. The figure was no lower than 96% (in higher education) and compared favourably to businesses as a whole (72%) and even medium (92%) and large enterprises (100%).
- Every higher education institution participating in the 2025/2026 survey said they had a board member, trustee, governor or senior manager that took responsibility for cyber security (100%). This was the case for 82% of further education colleges and applied to a higher proportion of primary (85%) than secondary schools (73%). Except for universities (up from 81% in 2024/2025 to 100% this year), the figures were consistent with 2024/2025.
- The majority of education institutions updated their governors or senior management on cyber security at least quarterly. The figure ranged from approximately eight in ten higher education institutions (84%) and further education colleges (79%) to six in ten secondary (64%) and primary schools (60%). The figure for primary schools was lower than in 2024/2025 (73%) and closer to that reported in 2023/2024 (63%). When updating senior executives, educational institutions most frequently covered how they were managing cyber security risk.
- Except for primary schools, educational institutions were making more use of the cyber security information and guidance from non-government or public sector bodies than that made available by official sources. Schools were primarily looking to external security/IT consultants while colleges and universities were using the Jisc network.
- Ranging from 81% of primary schools to 98% for higher education, most educational institutions had heard of at least one government guidance initiative or communications campaign on cyber security. The three initiatives with greatest awareness were: Cyber Essentials, the Cyber Aware Campaign and 10 Steps to Cyber Security.
- There was almost universal awareness of the Cyber Essentials scheme among higher education institutions (98%) this year, while over eight in ten further education colleges (85%) also knew of it. With awareness having increased since 2024/2025 (from 43% to 57%), more than half of secondary schools have now heard of Cyber Essentials but awareness was unchanged and remained relatively low within primary schools (20%).
Approaches to cyber security
- The need for specialist insurance cover was most keenly felt in higher education. While 8% had cyber cover as part of a broader policy, one in six institutions (61%) had a specific cyber security insurance policy. This was an increase of almost double since 2024/2025 when 34% of higher education institutions had specific cyber security insurance.
- Storage of personal data was a major vulnerability for many educational institutions. Over a quarter of further education colleges (27%) and almost half of higher education institutions (49%) said they held personal data on employees or students, which was not protected by techniques such as anonymisation or encryption.
- At each level of education, at least seven in ten establishments had a formal policy in place covering cyber security risks and / or business continuity plans covering cyber security. They were far more likely to have them in place than the average UK business.
- Over eight in ten primary schools (83%) now have a formal policy or policies in place covering cyber security risks. This rose to at least 90% in all other educational establishments. Almost three-quarters (74%) of primary schools had business continuity plans that covered cyber security, rising to 80% of secondary schools, 79% of further education colleges, and 86% of higher education institutions. The incidence of formal cyber security policies and cyber-specific business continuity plans was little changed from 2024/2025.
- In the past 12 months, at least eight in ten educational institutions had taken one or more actions to identify cyber security risks. The figure ranged from 81% of primary schools to 100% of higher education institutions. In all cases the figures were broadly consistent with 2024/2025 and continued to exceed the level recorded among businesses (52%).
- The incidence of specific risk detection activities was consistent with that observed in 2024/2025, with very little change among primary or secondary schools. Notable exceptions were that further education colleges were now less likely to be undertaking cyber security vulnerability audits (down from 75% last year to 55% this year), while fewer higher education institutions were testing staff awareness (down from 94% last year to 71% this year). This may reflect increased pressure on budgets and staff time. Perhaps as a consequence, a higher proportion of higher education institutions were using or investing in threat intelligence (up from 72% last year to 92% this year).
- As in 2024/2025, the overwhelming majority of educational institutions had technical rules or controls in place to cover boundary firewalls and internet gateways, secure configurations, user access controls and malware protection. At least nine in ten in every type of school, college or university had relevant rules or controls in place in these areas. The technical area of Cyber Essentials that fewest educational establishments addressed was patch management (a policy to apply software security updates within 14 days), but this had increased among secondary schools (from 56% in 2024/2025 to 62% in 2025/2026) and decreased among further education colleges (from 90% in 2024/2025 to 73% in 2025/2026). Most businesses had controls in place covering four of Cyber Essentials’ five technical areas, but they were less evident than in education.
- Nearly all educational institutions had acted on at least five of the 10 Steps to Cyber Security. However, in no tier of the UK education sector had a majority of institutions covered all 10. Fewer than two in ten primary schools (14%) had covered every Step, with relatively low proportions within secondary schools (23%) and further education (33%). The figure rose to 45% of higher education institutions and in all cases the figures were similar to 2024/2025.
- Although there were many areas where educational establishments could increase their coverage, they still significantly outperformed UK business. Fewer than one in twenty private sector enterprises had covered all 10 Steps (3%), with the figure for large businesses (30%) below that for further and higher education.
AI and cyber security
- At every level of education, the overwhelming majority considered AI of relevance to their organisation. In most cases schools, colleges and universities had already adopted some AI tools, with many more in the process of doing so. AI tools had already been adopted by 63% of higher education institutions, 82% of further education colleges, and 53% of both secondary and primary schools. Adoption of AI within the education sector was significantly greater than for private sector businesses (21%), and even exceeded the level seen among large businesses (45%).
- Most educational establishments that had or were considering the use of AI had specific cyber security practices or processes in place to manage the associated risks. These AI-specific practices or processes were most evident among further education colleges (66%), secondary (59%) and primary schools (56%). Only a minority of universities (49%) that used or intended to use AI had relevant processes in place. In general, educational establishments were more likely than private businesses to have adopted practices or processes to mitigate AI risk.
Chapter 1: Methodology
1.1 Summary of methodology
Each year, the Cyber Security Breaches Survey includes two strands: a quantitative survey and follow-up qualitative interviews with some of the organisations taking part in the survey.
Quantitative survey
The 2025/2026 survey of state educational institutions comprised a random probability telephone survey, carried out from August to December 2025. It included:
- 273 primary schools
- 222 secondary schools
- 33 further education colleges
- 49 higher education institutions
Primary and secondary schools and further education colleges in this survey are all public sector, publicly funded organisations. Higher education institutions in this survey are considered publicly funded organisations but are not government owned and typically operate independently. Privately run educational institutions are included in the business sample.
The school samples included a random selection of free schools, academies, Local Authority-maintained schools and special educational schools.
The samples were selected from the following sources, ahead of fieldwork in June and July 2025:
- All institutions in England: Get Information About Schools database
- Schools in Scotland: Scottish Government School Contact details
- Schools in Wales: Welsh Government Address list of schools
- Schools in Northern Ireland: Northern Ireland Department of Education database
- FE Colleges in Scotland: Colleges Scotland directory
- FE Colleges in Wales: Welsh Government Further Education Institutions
- FE Colleges in Northern Ireland: NI Direct FE College directory
- Higher education institutions in Scotland, Wales and Northern Ireland: Universities UK website cross-referenced against the comprehensive list of Recognised Bodies on GOV.UK
Qualitative interviews
In addition, we carried out 14 qualitative interviews with institutions that took part in the survey including:
- 3 primary schools
- 3 secondary schools
- 2 further education institutions
- 6 higher education institutions
In this annex, we include the key findings from these education institutions, as well as a selection of quotes from these interviews to illustrate the themes raised. We do not provide specific job title descriptions when attributing the quotes as these may be disclosive. Participants in these interviews were all cyber or IT specialists.
1.2 A note on representativeness
The education institution samples are all unweighted. They were surveyed as simple random samples, with no stratification. As such, they should be considered as less representative samples.
As the sample sizes are relatively small compared to the business and charity survey samples, the margins of error were higher. There is also greater uncertainty over estimates which have the highest variation e.g. where around 50% of respondents answered “yes”. The summary below highlights the upper bound for the most uncertain estimates of the 95% confidence margins of error[footnote 1] for each type of education institution:
- ± 5.9 percentage points for primary schools
- ± 6.4 percentage points for secondary schools
- ± 16.2 percentage points for further education colleges
- ± 11.9 percentage points for higher education institutions
1.3 Comparability to the main results for businesses and charities
In this annex, we have primarily compared our four largest types of education institution samples against each other, and against the benchmark set by UK businesses. Where base sizes fall below 30 for further or higher education institutions they are combined for reporting. The report is intended to give a broad view of how schools, colleges and higher education institutions compare to businesses as regards their cyber security experiences and practices.
1.4 Comparisons with previous surveys
The findings from 2025/2026 are compared with equivalent findings from the 2024/2025 survey. The 2025/2026 sample sizes for all four types of educational institutions were similar to those obtained in 2024/2025. Because of the small sample sizes for further education colleges (52 in 2024/2025, 33 in 2025/2026) and higher education institutions (32 in 2024/2025, 49 in 2025/2026), changes between years should be treated with caution, and should be viewed as indicative only.
Where appropriate, the report also comments on longer-term changes since 2019/2020 (the first year that education institutions were included in the survey). This analysis seeks to identify broad patterns of change over time, rather than specific instances of statistically significant changes.
Whilst there were no changes to the methodology between 2024/2025 and 2025/2026, there were some minor changes to the questionnaire which are fully detailed in the Technical Annex. None of the 2025/2026 changes impact the ability to compare data in this Education Annex from 2025/2026 to previous years of the survey.
1.5 Naming convention for reference period of the Cyber Security Breaches Survey
For this year’s survey, DSIT and the Home Office decided to update the naming convention used for reference periods for the Cyber Security Breaches Survey from a single year label (e.g. CSBS 2025) to a dual-year format (that is, CSBS 2025/2026 or CSBS 2025 to 2026). This change aims to reduce confusion, as previously the survey’s title aligned with the year of publication but did not typically align with when the fieldwork was conducted, potentially misleading users about the timeframe of the findings. The dual-year approach reflects common UK government reporting practices, especially for activities spanning two calendar years or fiscal years.
Table 1.1 maps how previous CSBS surveys and fieldwork periods relate to the labelling convention in this year’s report.
Table 1.1: CSBS survey references and fieldwork dates
| Previous survey reference | Fieldwork period | Updated survey reference |
|---|---|---|
| CSBS 2016 | November 2015 to February 2016 | CSBS 2015/2016 |
| CSBS 2017 | October 2016 to January 2017 | CSBS 2016/2017 |
| CSBS 2018 | October 2017 to December 2017 | CSBS 2017/2018 |
| CSBS 2019 | October 2018 to December 2018 | CSBS 2018/2019 |
| CSBS 2020 | October 2019 to December 2019 | CSBS 2019/2020 |
| CSBS 2021 | October 2020 to January 2021 | CSBS 2020/2021 |
| CSBS 2022 | October 2021 to January 2022 | CSBS 2021/2022 |
| CSBS 2023 | September 2022 to January 2023 | CSBS 2022/2023 |
| CSBS 2024 | September 2023 to January 2024 | CSBS 2023/2024 |
| CSBS 2025 | August 2024 to December 2024 | CSBS 2024/2025 |
| CSBS 2025/2026 | August 2025 to December 2025 | CSBS 2025/2026 |
Chapter 2: Key findings
2.1 Prevalence and impact of cyber security breaches or attacks
It is important to remember that the survey could only measure the breaches or attacks that organisations have themselves identified. There were likely to be hidden attacks, and others that go unidentified, so the findings reported here may have underestimated the full extent of cyber security incidents.
As shown in Figure 2.1, almost half of primary schools (49%) had identified breaches or attacks in the past 12 months. This was relatively low when compared to other educational establishments. Over seven in ten secondary schools (73%), nearly nine in ten further education colleges (88%) and almost every university (98%) had identified breaches or attacks in the last 12 months.
In statistical terms, the proportion of primary schools, further education colleges and universities identifying breaches was similar to 2024/2025. However, a significantly higher proportion of secondary schools this year (73%) said they had identified breaches or attacks in the past 12 months compared with 2024/2025 (60%).
The proportion of businesses reporting cyber incidents (43%) was unchanged from 2024/2025. This was a similar level to primary schools but lower than any other type of educational establishment.
Figure 2.1: Percentage of organisations that have identified breaches or attacks in the last 12 months
| Organisations | % identified breaches or attacks |
|---|---|
| Primary schools | 49% |
| Secondary schools | 73% |
| Further education colleges | 88% |
| Higher education institutions | 98% |
| Businesses overall | 43% |
Bases: 273 primary schools; 222 secondary schools; 33 further education colleges; 49 higher education institutions; 2,112 businesses overall
Around a quarter of further education institutions (24%) and three in 10 higher education institutions (29%) reported experiencing a breach or attack at least weekly. This compares to 14% of primary schools and 20% of secondary schools. These figures were broadly consistent with the 2024/2025 findings (where 27% of further education institutions, 34% of higher education institutions, 9% of primary schools and 16% of secondary schools reported weekly breaches).
Types of breaches or attacks identified
The findings reported in the remainder of Section 2.1 were based only on those institutions that identified a breach or attack. Findings for further and higher education institutions have been combined in this section due to the base size for further education institutions falling below 30.
Figure 2.2 breaks down the types of breaches or attacks experienced and highlights how phishing was overwhelmingly the main threat to schools, colleges and universities. Phishing was almost as widespread among businesses as in the education sector.
Each of the other types of attack or breach was reported marginally more frequently by secondary than primary schools. In combination, further and higher education institutions had significantly higher incidence levels than schools or businesses for most breaches or attacks, including:
- impersonation (79% for further and higher education institutions compared to 31% primary schools, 44% secondary schools and 28% businesses)
- viruses, spyware or malware (51% for further and higher education institutions compared to 11% primary schools, 15% secondary schools and 16% businesses)
- denial of service attacks (49% for further and higher education institutions compared to 3% primary schools, 7% secondary schools and 6% businesses)
- unauthorised accessing of files or networks by staff (29% for further and higher education institutions compared to 2% primary schools, 12% secondary schools and 2% businesses)
- unauthorised accessing of files or networks by students (23% for further and higher education institutions compared to 1% primary schools and 10% secondary schools)
Not only were further and higher education institutions more likely than other educational establishments to experience each type of breach or attack, but these attacks were becoming more prevalent. The proportion of further and higher education institutions reporting impersonation attempts has increased from 68% to 79% since 2024/2025, with higher numbers also seen for viruses, spyware or malware (up from 42% to 51%), denial of service attacks (up from 36% to 49%), and unauthorised accessing of files or networks by both staff (up from 22% to 29%) and students (up from 11% to 23%).
Figure 2.2: Percentage that identified the following types of breaches or attacks in the last 12 months, among the educational institutions that have identified any breaches or attacks
| Types of breaches or attacks | Primary schools | Secondary schools | Further and higher education institutions | Businesses overall |
|---|---|---|---|---|
| Phishing attacks | 90% | 96% | 96% | 88% |
| People impersonating, in emails or online, your organisation or your staff | 31% | 44% | 79% | 28% |
| Viruses, spyware or malware (excluding ransomware) | 11% | 15% | 51% | 16% |
| Hacking or attempted hacking of online bank accounts | 3% | 5% | 10% | 8% |
| Denial of service attacks | 3% | 7% | 49% | 6% |
| Takeovers or attempts to take your website, social media accounts or email accounts | 2% | 6% | 18% | 5% |
| Unauthorised accessing of files or networks by staff | 2% | 12% | 29% | 2% |
| Ransomware | 0% | 6% | 14% | 3% |
| Unauthorised accessing of files or networks by students | 1% | 10% | 23% | 0% |
| Unauthorised accessing of files or networks by outsiders | 1% | 2% | 17% | 2% |
| Unauthorised listening into video conferences or instant messaging | 0% | 2% | 5% | 0% |
| Any other breaches or attacks | 4% | 9% | 30% | 4% |
Bases: Those that identified a breach or attack in the last 12 months; 135 primary schools; 163 secondary schools; 77 further and higher education institutions (combined due to low base for further education); 1,026 businesses overall
How were educational institutions affected?
Among those that had experienced breaches or attacks in the last 12 months, further and higher education institutions were affected more often than schools and were more likely to have suffered a negative impact.
Almost half the further and higher education institutions that identified a breach or attack (49%) said there were one or more negative outcomes on their systems. This most frequently included compromised accounts or systems being used for illicit purposes (23%), website applications or online services being slowed or taken down (16%), and loss of access to files or networks (14%). Primary schools (13%) and secondary schools (20%) that identified a breach or attack were less likely to report negative impacts on their systems.
Many educational institutions suffering a breach or attack also reported a negative impact on intangible aspects such as the ability of staff to perform day to day work, additional staff time required to respond to the breach, or taking new measures to prevent or protect against future breaches or attacks. Again, such outcomes were more frequently reported by further and higher education institutions (62%) than by primary (33%) or secondary schools (45%).
Further and higher education institutions were more likely than businesses to suffer any negative outcome on their systems as a direct result of a breach or attack (49% vs. 19%), and were more likely to suffer any type of impact on staff time or other operational factors (62% vs. 30%).
Qualitative insights on perceptions of cyber security risk
The 14 qualitative interviews suggest cyber security remains a very high priority for IT professionals within educational institutions. As individuals they were acutely aware of the risks, and fortunately the potential for incidents to have a profoundly negative impact was being recognised by greater numbers of teaching and support staff, and senior management teams.
“There isn't more of a priority than cyber security. It is at the forefront of everybody's mind, whether you're a senior leader or another person at the school. Number one is doing everything we can to mitigate or stop cyber attacks. We don’t have many staff meetings where it is not mentioned, which is a real positive.” Secondary school
Those working in education were increasingly aware of cyber security risks and that individuals have a degree of personal responsibility for helping to protect their institution. To some extent this was the result of training and general awareness raising undertaken by internal IT and cyber security teams. The cyber security message was also being delivered when people first joined.
“We've done a lot of public awareness campaigns on the threat cyber security poses and I think people have bought into that.” Higher education institution
“When they start, they get the IT policy, they've got to acknowledge that they have read and understood it. That's then updated on an annual basis.” Primary school
“When we're doing DBS checks, we also say can you complete Cyber Security training which is issued by the National Cyber Security Centre.” Secondary school
In addition, widespread media coverage of high-profile cyber breaches and attacks has focussed many minds on how impactful cyber security incidents can be.
“(High-profile attacks at large companies) is fresh in people's minds. It's national news that certain things can hit you. There are radio ads going out at the moment as well about cyber security. So a lot of places are doing our job for us.” Primary school
“The large cyber-attacks reported in the media have really increased awareness of the potential impact of an attack. The examples this year have shown it could be way more than shutting down a site for a few hours. We've leveraged it for communication purposes.” Higher education institution
Some schools, colleges and universities were also taking the cyber security message to their pupils and students. At one further education college they were considering asking the police to give talks to students. As general awareness of cyber threats grows, ignorance becomes less credible as an excuse. As a result, some institutions were now less tolerant of questionable behaviour, and the threshold for banning students and disabling accounts has been lowered.
However, awareness and acceptance of cyber risks were not improving everywhere. Some institutions continued to struggle to get their staff on board. It was difficult to stop determined individuals attempting software downloads, while in larger colleges and universities, the level of autonomy of finance, HR and student registry departments could represent a significant cyber security vulnerability. Meanwhile, several higher education institutions described how they were shutting down large numbers of dormant and vulnerable alumni accounts.
“We’ve known for a while that the alumni accounts were unsustainable. Once they got used in a couple of attacks, we were able to state a really strong case for getting rid of them. We found (approximately) 150,000 had not been used in the last few years. We zapped those and are moving towards getting rid of the thing as a concept.” Higher education institution
The qualitative interviews confirmed phishing as a persistent threat. Some have come to regard it as an annoyance, and as so prevalent that they no longer record the volume of attempted attacks. They remain aware that a single successful attack could have devastating consequences, so they focus instead on identifying and neutralising the more threatening attempts.
“Phishing attacks happen all the time, the system picks it up and it gets blocked so we’re not really worried about the overall number. We take a risk based approach. It doesn’t matter if 3,000 emails come in, as long as we have the processes in place to block them.” Higher education institution
Some rely on staff to report phishing attempts, and while there were exceptions (one primary school said “staff and teachers don't report anything. It's blissful ignorance”) most appear broadly satisfied with the level of vigilance. To a large extent this was a result of general awareness raising, but often IT teams tested their staff by creating phishing attacks of their own and monitoring the response.
“To help improve awareness, we actively phish our own staff. The number taken in was going down but we did a very convincing email about payroll changes and it suddenly went back up (from 5% to 17% across the Trust). We used the data to drive training for those who didn't do so well.” Secondary school
Many were trying to remove the human element by taking a more methodical and tech-based approach to neutralising attacks. This included the use of software to filter and block phishing attempts. However, the threat was evolving with ever more sophisticated attacks being attempted, often supported by AI. It was felt a balance needs to be struck between being secure and providing the autonomy staff and students need to teach and learn.
“We use software that can track down exactly where suspicious messages come from, who else received it and instantly remove it from all inboxes without (us having to) manually log in and do that. It can generate a report on how far reaching that threat was.” Secondary school
“Our high level strategy is to build resilience using AI. The biggest threat for is social engineering for targeted phishing or credential theft, we get that a lot and it's difficult to secure.” Higher education institution
“We are doing what we can to lock our systems down whilst at the same time being careful not to lock them down so much that they become impractical and cause us stress in our everyday work, so it’s a balance” Further education college
Most institutions would like to do more to protect themselves from cyber-attacks, but often they were constrained by a lack of resources, whether a lack of human resource or budgetary constraints. Cuts to personnel in some higher education institutions had a particularly negative impact on the IT teams’ ability to cover cyber security.
“I can't justify throwing out old machines that I can upgrade, but it would actually be easier from a time perspective and be better for the long term (security) to be able to spend a chunk of money and buy new machines.” Primary school
“Particularly for [a school], budgets and resources are tight. Email security is something that can always be improved and we are limited by budget with that.” Secondary school
“Solutions to fix cyber security problems have got more expensive. Education funding hasn't increased with the expense of those solutions.” Secondary school
“(We) try the best we can with limited resources. My team has gone down from five to one, so you can see that we are stretched with resources. We know we should be doing more proactive patching, but there’s nobody there to do it.” Higher education institution
2.2 Senior management engagement with cyber security
Consistent with findings reported since 2019/2020, educational institutions described a high level of senior management engagement with cyber security. Almost all reported that cyber security was either a very or fairly high priority for their governors or senior management (98% of primary schools, 97% of secondary schools, 97% of further education colleges and 96% of higher education institutions). The overall figure among businesses was 72%, increasing to 92% of medium and 100% of large enterprises.
The majority of education institutions updated their governors or senior management on cyber security at least quarterly. The figure ranged from approximately eight in ten higher education institutions (84%) and further education colleges (79%) to six in ten secondary (64%) and primary schools (60%). This compared to 57% of medium businesses and 81% of large businesses. The figure for primary schools was lower than in 2024/2025 (73%) and closer to that reported in 2023/2024 (63%).
When updating senior executives, educational institutions most frequently covered how they were managing cyber security risk, and this was more likely to be done by higher education institutions (96%) compared to 83% of primary schools and 84% of secondary schools. It was also included in updates by the majority of further education institutions (94%). It was also common for institutions to include the number of significant attacks detected (72% of primary schools, 67% of secondary schools, 90% of further education institutions and 73% of higher education institutions) and the types of attacks detected (75% of primary schools, 70% of secondary schools, 87% of further education institutions and 61% of higher education institutions) and this was more common among further education institutions. Around three-quarters included their approach to developing cyber skills within the organisation (76% of primary schools, 71% of secondary schools, 77% of further education institutions and 73% of higher education institutions) and investments in cyber security (63% of primary schools, 69% of secondary schools, 81% of further education institutions and 78% of higher education institutions).
Every higher education institution participating in the 2025/2026 survey said they had a board member, trustee, governor or senior manager that took responsibility for cyber security. This was also the case for 82% of further education colleges, 85% of primary schools and 73% of secondary schools. Except for higher education institutions (up from 81% in 2024/2025 to 100%), the figures were consistent with 2024/2025.
In education, there was a higher incidence of senior management involvement in cyber security than across UK businesses. The average for all businesses was 31%, rising to 52% of medium businesses and 68% of large businesses.
Qualitative insights on senior management engagement
Senior level engagement with cyber security was often a factor of the management structure of the institution and the policies they had in place to identify and manage risk. In schools, and as with most other elements of its operation, the Head was ultimately responsible for cyber security. However, the reality was that the most senior IT professional tended to take on this responsibility. Although responsibility stayed in the school, the centralised delivery of IT in Northern Ireland (by C2K), with oversight from the Education Authority (EANI) had an impact on levels of senior engagement.
In further education colleges and higher education institutions, cyber security tended to have a more formal status, and here operational responsibilities and governance were more clearly separated. For example, in one case the Chief Information Officer was the dedicated risk owner who reported to the board. Meanwhile, there was also sometimes a board of trustees providing oversight and holding the board to account.
“We don't have a cyber security policy. We have an internet usage policy, we have a confidentiality policy, a GDPR policy, but there's nothing titled cyber security. Cyber security as such in the school is me. Ultimately the head teacher is responsible. But I'd be the one who gets the blame” Primary school
“We're now seeing cyber security as a governance and risk issue: A subject matter area, separate to the operational delivery of our services. Cybersecurity is seen as a strategic risk. It's on the strategic risk register. Our risk and audit committee, who are our external governance, have a keen eye on it.” Higher education institution
In broad terms, appreciation of cyber security risk, and understanding of how best to mitigate it, were less developed in schools than in further education colleges and higher education institutions. Some primary schools spoke of passive governors that rarely asked pertinent questions. Awareness did not extend beyond their personal experience of using IT. A similar situation was evident in some secondary schools. In one instance governors were described as lacking a sense of urgency. They would listen but were not proactive.
“The only time I'll get like an ad hoc request (from a Governor) is if they have a problem with their laptop.” Secondary school
“The unfortunate thing about education and my school's no different, is decisions aren't made quickly. In a field where a critical decision can mean the difference between things going okay and going wrong that can be quite frustrating.” Secondary school
In further and higher education, sometimes driven by more formal documentation of cyber risk, senior management and non-executives were often more engaged. They did not trouble themselves with the details but were focussed on the bigger picture and wider implications of a major breach. This could be the loss of reputation or, in the case of a further education college, the ability to recover from a big outage.
“We take cyber security really seriously. We've got a lot of research (projects running in the university). Reputational damage is obviously a key consideration for a university.” Higher education institution
Communication with senior executives tended to be ad-hoc in schools but more regular and structured in further education colleges and higher education institutions. In some schools, cyber security was rarely if ever an agenda item at governors’ meetings. The channels of communication tended to be open but not used.
“If I really need to talk to the governors, I have 100% confidence they would add me in (to their next meeting).” Secondary school
By contrast, cyber security was regularly reviewed in a formal manner by the senior directors and non-executives of higher education institutes.
“We've got a cyber security board that meets monthly and we look at the risks that we're facing and ways we can minimise those, then look at any incidents and our approach to them and see whether anything could have been done differently.” Higher education institution
“We communicate with the board a lot and they ask a lot of questions. There is a quarterly audit and risk committee that receives threat intelligence from the cyber security team.” Higher education institution
2.3 Sources of information and guidance
Seeking information
Over nine in ten higher education institutions (94%) said they had sought information or guidance about cyber security from external sources in the last 12 months. This was also the case for approximately seven in ten primary schools (74%), secondary schools (76%) and further education colleges (67%). Every category of educational institution included in this survey was more likely than businesses (44%) to have sought information or guidance about cyber security from external sources in the last 12 months.
Except for primary schools, educational institutions were making more use of the cyber security information and guidance offered by non-government or public sector bodies than that made available by official sources. Among higher education institutions the proportion using non-governmental or public sector sources (86%) was almost double that using information provided by the government or a public body (47%). The respective figures for colleges of further education were 61% and 24%, and for secondary schools 23% and 16%. More primary schools were using public sector sources (18%) for their cyber security information than turned to non-governmental or public sector sources (13%).
In terms of specific providers of cyber security information, the external sources used most frequently by each category of institution were:
- Primary schools: External security/IT consultants/cyber security providers (33%), Department for Education - DfE (12%), and National Cyber Security Centre – NCSC (7%).
- Secondary schools: External security/IT consultants/cyber security providers (30%), National Cyber Security Centre - NCSC (15%), and Department for Education - DfE (9%).
- Further education colleges: Jisc/the Janet network (52%), external security/IT consultants/cyber security providers (27%), and National Cyber Security Centre - NCSC (24%).
- Higher education institutions: Jisc/the Janet network (82%), external security/IT consultants/cyber security providers (71%), National Cyber Security Centre - NCSC (78%), Government's Cyber Essentials materials (55%) and security product vendors e.g. AVG, Kaspersky etc. (53%).
Awareness of government guidance, initiatives and communications
A minimum of eight in ten educational institutions had heard of at least one government guidance initiative or communications campaign on cyber security. The figure currently ranges from 81% of primary schools to 90% in secondary education and almost every institution offering further (97%) or higher education (98%).
On average, the three initiatives with greatest awareness were: Cyber Essentials, the Cyber Aware Campaign and 10 Steps to Cyber Security. Meanwhile, awareness of individual initiatives or guidance was more widespread in higher education institutions and colleges of further education.
There was almost universal awareness of the Cyber Essentials[footnote 2] scheme among higher education institutions (98%), while over eight in ten colleges of further education (85%) also knew of it. Awareness of Cyber Essentials has increased among secondary schools since 2024/2025 (from 43% to 57%) but awareness was unchanged and remained relatively low within primary schools (20%).
- Having fallen in 2024/2025, higher education institutions’ awareness of the government’s Cyber Aware communications campaign (69%) was now at a similar level to 2023/2024 (74%). Awareness of the campaign among further education colleges remained in line with 2024/2025 (55% this year compared to 67% last year).
- However, compared to 2024/2025, awareness of the campaign has increased within secondary schools (64% this year compared to 55% last year) and primary schools (57% this year compared to 48% last year).
Although based on relatively small sample sizes, there was notably higher awareness of 10 Steps to Cyber Security[footnote 3] among higher education institutions (up from 69% in 2024/2025 to 90% in 2025/2026). Awareness has remained stable among further education colleges (62% in 2024/2025 and 61% in 2025/2026) and primary schools (38% in 2024/2025 and 42% in 2025/2026) but had increased in secondary education (from 40% in 2024/2025 to 51% in 2025/2026).
Initiatives or campaigns with relatively high visibility within each type of educational establishment were as follows:
- Primary schools: Check Your Cyber Security Tool (41%), Cyber Governance Code of Practice (41%), Software Security Code of Practice (34%)
- Secondary schools: Check Your Cyber Security Tool (57%), Cyber Governance Code of Practice (45%), Software Security Code of Practice (35%)
- Further education colleges: Check Your Cyber Security Tool (73%), Cyber Governance Code of Practice (58%), Action Fraud 24/7 business incident reporting telephone line (52%)
- Higher education institutions: The Cyber Security Toolkit for Boards (92%), Action Fraud 24/7 business incident reporting telephone line (88%) and Check Your Cyber Security Tool (57%)
2.4 Identifying cyber security risks
In the past 12 months, at least eight in ten educational institutions had taken one or more of the actions shown in Figure 2.3 to help identify cyber security risks. The figure ranged from 81% of primary schools to 100% of higher education institutions. In all cases the figures were broadly consistent with 2024/2025 and continued to exceed the level recorded among businesses (52%).
Compared to primary and secondary schools, further education colleges and higher education institutions were more likely to have undertaken each of the six individual activities designed to identify cyber risks. In the case of higher education, the lowest figure for any activity was 71% (for testing staff awareness and response), with almost universal use of specific tools designed for security monitoring (96%) and leveraging of threat intelligence (92%).
Threat intelligence (45%) was the only one of six activities to be undertaken by a minority of further education colleges. Most were taking each of the other five initiatives, with large proportions testing staff awareness (88%), making risk assessments covering cyber security (85%) and using specific tools designed for security monitoring (79%).
At least six in ten secondary schools were now using specific tools designed for security monitoring (66%), making risk assessments covering cyber security (64%) and testing staff awareness (61%). However, fewer were undertaking penetration testing (38%) or using or investing in threat intelligence (32%).
Although the absolute level of use was a little lower, the pattern of activity among primary schools was similar to that seen within the secondary sector. The three actions most frequently taken to help identify cyber security risks were making risk assessments covering cyber security (61%), using specific tools designed for security monitoring (51%), and testing staff awareness (51%). Fewer than one in four primary schools were undertaking penetration testing (23%) or using or investing in threat intelligence (18%).
The incidence of specific activities was broadly consistent with that observed in 2024/2025, with very little change among either primary or secondary schools. Some notable exceptions were that further education colleges were now less likely to be undertaking cyber security vulnerability audits (down from 75% in 2024/2025 to 55% in 2025/2026), while fewer higher education institutions were testing staff awareness (down from 94% in 2024/2025 to 71% in 2025/2026). However, a higher proportion of higher education institutions were using or investing in threat intelligence (up from 72% in 2024/2025 to 92% in 2025/2026).
A question asked for the first time in 2025/2026 suggests that, among those conducting vulnerability audits, the main area investigated was whether the establishment had a cyber security strategy in place. This was the case in 73% of primary schools’ vulnerability audits, for 84% of secondary schools’ assessments and 74% of further and higher education institutions (combined due to low base sizes).
Over six in ten vulnerability audits conducted in primary schools (63%) assessed whether cyber security was incorporated into the broader organisational governance structure. This rose to over seven in ten secondary schools (71%) and further and higher education institutions (75%). Six in ten audits completed by primary schools (60%) assessed whether all board members were actively involved in discussions of cyber security. This was also the case for 47% of secondary schools and 46% of further and higher education institutions.
Figure 2.3: Percentage of educational institutions that have used the following activities to identify cyber security risks in the last 12 months
| Activity to identify cyber security risks | Primary schools | Secondary schools | Further education colleges | Higher education institutions | Businesses overall |
|---|---|---|---|---|---|
| Any of the listed activities | 81% | 89% | 97% | 100% | 52% |
| Used specific tools designed for security monitoring | 51% | 66% | 79% | 96% | 32% |
| Risk assessment covering cyber security risks | 61% | 64% | 85% | 80% | 30% |
| Testing staff awareness and response (e.g. mock phishing) | 51% | 61% | 88% | 71% | 22% |
| A cyber security vulnerability audit | 40% | 46% | 55% | 80% | 18% |
| Penetration Testing | 23% | 38% | 52% | 84% | 13% |
| Used or invested in threat intelligence | 18% | 32% | 45% | 92% | 11% |
A majority of higher education institutions (80%) had reviewed potential cyber security risks presented by their immediate suppliers or partners. This figure has increased since 2024/2025 (69%) and was significantly higher than in 2023/2024 (58%). It has also increased among both secondary (from 38% last year to 47%) and primary schools (from 26% last year to 42%). The proportion of further education colleges that have reviewed cyber risks among their immediate suppliers or partners (48%) was unchanged from 2024/2025. Educational institutions remained far more likely than businesses (15%) to have reviewed cyber risks among their immediate suppliers or partners, where the figure was stable since 2024/2025 (14%).
Educational establishments were less likely to have reviewed the cyber security risks presented by their wider supply chains than to have checked their immediate suppliers. Just under four in ten higher education institutions (37%) had done this, compared with 18% of further education colleges, 21% of secondary and 27% of primary schools. However, every figure was higher than for businesses overall (6%). The proportion reviewing the cyber security risks presented by their wider supply chains has grown amongst primary schools (27% this year compared to 15% in 2024/2025).
Cyber security considerations when purchasing software
As in 2024/2025, most UK educational establishments considered cyber security to a large extent when purchasing new software. The proportion was a little under six in ten for primary (54%) and secondary schools (58%) and increased to eight in ten institutions of further (79%) and higher education (80%).
The figure at each level of education was significantly higher than that observed among businesses as a whole (22%). The proportion recorded among primary schools (54%) reflects that seen in medium sized businesses (54%), while that for further (79%) and higher (80%) education exceeds that among large businesses (69%).
While over one in ten businesses (12%) said they did not consider cyber security when purchasing new software, this attitude was rare within the education sector. No more than 2% at any level of education expressed this view. However, a sizeable minority relied on the reputation of their software suppliers as a form of assurance. One in five primary schools (21%) said that because they purchased new software from established and/or large companies, cyber security was not a major concern. This view was shared by 16% of secondary schools, but very few further (3%) or higher education (2%) institutions.
Qualitative insights on supply chain risk
The inherent cyber security risk of the supply chain was becoming increasingly apparent, with the qualitative interviews highlighting how media coverage of breaches at large corporations has heightened awareness of these vulnerabilities. Some institutions were already looking more closely at this area and at one college of further education an external audit of cyber security identified the need to investigate practices within their supply chain, which they then did.
“I think we're going to have to start really looking at it. It would be good for us to understand, that if the worst was to happen to a supplier we've got more assurance that our data will be protected.” Secondary school
“An ongoing conversation in the business is about having suppliers with stronger cyber security controls. We are coming up with a new strategy which requests Cyber Essentials or something similar.” Higher Education Institution
While awareness of supply chain cyber security risk may be increasing, this was not routinely or rigorously investigated. Primary and secondary schools in particular appeared not to be engaged in supply chain risk management.
“I would have absolutely no knowledge of (suppliers’ cyber security) ability or otherwise. Do I look on their website to see that they've got such and such? No. I don't have time for that. I don't ask them to have anything except a pleasant telephone manner.” Primary school
One secondary school and some universities were asking their suppliers to have Cyber Essentials and/or ISO27001. This was primarily regarding software and IT suppliers providing cloud or other data storage services. Meanwhile a college of further education was now insisting that suppliers have auditable log-in procedures (such as Multi Factor Authentication) and that checks can be made on safeguarding of data management.
The size and complexity of the task was something that prevented educational establishments from performing more detailed checks of their suppliers’ cyber security credentials. One university was still doing due diligence on technology-based suppliers and had not yet reviewed the cyber security aspects of other suppliers, but in many cases schools, colleges and universities were simply placing trust in suppliers and hoping breaches did not happen or, if they did, that they were not impacted by the fallout.
“We’re 75% confident (in the cyber security practices of our suppliers). There's no check, we just ask them. There's no auditing done.” Higher Education Institution
“We have a reasonable level of confidence, but (our checks) have exposed an uncomfortable minority of suppliers that don't have a particularly robust approach when it comes to cyber security.” Higher Education Institution
While some educational institutions were trying to assess the cyber security credentials of their suppliers, and occasionally insisted they had Cyber Essentials or other accreditations, they struggled to maintain their focus. One university was engaging software that sent alerts if a supplier was affected by a cyber-attack, but often only an initial review was undertaken.
“We’ve got established processes that ask suppliers about what they have in place, what accreditations they have etc. So we do extensive supplier assurance at the point of onboarding. Where we are weaker is maintaining that awareness of their processes.” Higher Education Institution
Staff training and awareness raising
Cyber security training or awareness raising activities were currently being conducted by at least seven in ten UK educational establishments. Cyber security training or awareness raising sessions specifically for any staff and/or volunteers not directly involved in cyber security, had been delivered by seven in ten primary schools (72%), eight in ten secondary schools (77%) and nine in ten further education colleges (91%) and higher education institutions (92%). These figures were in line with the 2024/2025 survey, with a suggestion that the longer-term increase in primary and secondary school activity taking place since 2021/2022 has continued. Meanwhile, only in large businesses (84%) did the incidence of cyber security training by businesses reflect that seen in education.
Cyber security planning and documentation
The vast majority of educational establishments had generated formal documentation to help plan and manage their cyber security. Furthermore, they were far more likely than private sector businesses to have them in place. Over eight in ten primary schools (83%) now have a formal policy or policies in place covering cyber security risks. This rose to at least 90% in all other educational establishments. The corresponding figure for businesses was 36%, rising to 89% of large businesses.
Over seven in ten UK schools, colleges and universities also had business continuity plans covering cyber security. This was the case for 74% of primary schools, 80% of secondary schools, 79% of further education colleges, and 86% of higher education institutions. The figure for businesses was 33% (85% of large businesses).
The incidence of formal cyber security policies and cyber-specific business continuity plans was little changed from 2024/2025. However, when it came to having a formal policy or policies in place covering cyber security risks, the proportion of secondary schools with them in place had increased (81% in 2024/2025 to 90% this year).
At least seven in ten educational organisations have a written list of the most critical data systems or assets that they want to protect. This covered 69% of both primary and secondary schools, 85% of further education colleges, and 78% of higher education institutions. The figure for businesses was 29% (70% of large businesses).
In terms of documentation, educational establishments had a high level of preparedness for any cyber security attacks they might suffer. As illustrated by Figure 2.4, at least seven in ten schools, colleges and universities had created or established each of a formal incident response plan, assigned roles or responsibilities to specific individuals during or after an incident, written guidance on who to notify, and issued guidance on when to report externally e.g. to regulators or insurers. Such initiatives were far more prevalent within education than private businesses. For example, only a quarter of businesses (25%) had a formal incident response plan.
Should a breach or attack occur, most educational establishments were clear on the specific actions they would need to take. A majority in every school, college or university would attempt to identify the source of the incident (ranging from 52% of primary schools to 88% of higher education establishments). Between six and nine in ten (64% of secondary schools and 90% of universities) would make an assessment of the scale and impact of the incident. This was a rare case where businesses as a whole responded in a manner similar to the education sector. In the private sector, 50% would identify the source of the incident, while 59% would assess the scale and impact. Among large businesses the figure was 69% in each case.
Figure 2.4: Percentage of educational institutions that take the following actions, or have these measures in place, for when they experience a cyber security incident
| Action taken or measure in place | Primary schools | Secondary schools | Further education colleges | Higher education institutions | Businesses overall |
|---|---|---|---|---|---|
| Inform your governors of the incident | 88% | 74% | 79% | 87% | 81% |
| Keep an internal record of incidents | 81% | 82% | 94% | 92% | 62% |
| Assessment of the scale and impact of the incident | 73% | 84% | 73% | 90% | 59% |
| Formal debriefs to log any lessons learnt | 75% | 85% | 64% | 84% | 57% |
| Inform your cyber insurance provider (among those with insurance)* | 51% | 31% | 0% | 29% | 52% |
| Inform a regulator of the incident when required | 63% | 44% | 42% | 47% | 49% |
| Attempting to identify the source of the incident | 52% | 62% | 67% | 88% | 50% |
| Roles or responsibilities assigned to specific individuals during or after an incident | 82% | 85% | 91% | 94% | 39% |
| Written guidance on who to notify | 89% | 86% | 82% | 84% | 34% |
| Guidance on when to report externally e.g. to regulators or insurers | 77% | 79% | 73% | 90% | 32% |
| Formal incident response plan | 73% | 77% | 79% | 92% | 25% |
| External communications and public engagement plans | 56% | 59% | 67% | 89% | 16% |
| Use an NCSC-approved incident response company | 23% | 14% | 15% | 31% | 16% |
| Inform your immediate suppliers and/or wider supply chain | 56% | 34% | 30% | 18% | 47% |
Bases: 273 primary schools; 222 secondary schools; 33 further education colleges; 49 higher education institutions; 2,112 businesses overall
*Only asked of those that have cyber insurance (167 primary schools, 137 secondary schools, 34 higher education institutions, 525 businesses overall; figures not shown for further education colleges as base size is 27 which falls below the 30 threshold for reporting)
Figure 2.4 also illustrates that primary schools were more likely than other educational institutions to inform stakeholders of any breach or attack. A majority would inform governors (88%), a regulator if the incident required it (63%), their suppliers (56%) and, where relevant, their cyber insurance provider (51%). Although two-thirds (67%) would, higher education institutions were the least likely of the educational establishments to inform trustees or their equivalent of a breach.
With the exception of informing their governors or trustees, only a minority of secondary schools, and further and higher education institutions would share information regarding a breach or attack with other categories of stakeholder. Fewer than one in five further education colleges (19%) would inform their cyber insurance provider of a breach or attack. A similar proportion of higher education institutions (18%) would inform their immediate suppliers and/or wider supply chain.
Apart from primary schools, businesses tended to be more inclined than those in the education sector to inform others of a breach or attack on their organisation. Eight in ten (81%) businesses would inform their directors, while approximately half would inform their cyber insurance provider (52%), a regulator where required (49%), and their immediate suppliers and/or wider supply chain (47%).
The reaction to an incident varied, but post-incident actions tended to be consistent across all types of educational establishment. At least two-thirds hold formal debriefs to log any lessons learnt, with a minimum of eight in ten keeping an internal record of incidents. Compared to businesses, the UK’s educational institutions were more likely to hold post-incident debriefs and to keep an internal record of incidents.
Insurance against cyber security breaches
At least six in ten educational establishments had cyber security insurance, either through a specific policy or as part of a broader insurance policy. For primary (52%) and secondary schools (46%) and within further education (45%), their cyber insurance tends to be part of a wider policy. The respective proportions with a specific cyber security insurance policy were 9%, 15% and 36%.
The need for specialist cover was more keenly felt in higher education. While 8% had cyber cover as part of a broader policy, six in ten institutions (61%) had a specific cyber security insurance policy. This was an increase of almost double since 2024/2025 when 34% of higher education institutions had specific cyber security insurance. Balanced against this, however, was the finding that a quarter (24%) of higher education institutions were not insured against cyber security breaches or attacks, higher than in primary schools (6%), secondary schools (8%) and further education colleges (0%).
Educational institutions were more likely than private sector businesses to have some form of cyber security insurance. Fewer than half of private sector businesses (47%) had cyber cover via a specific policy or as part of a broader insurance policy. This did rise to 61% of medium and 54% of large businesses.
As in 2024/2025, a sizeable minority of education institutions did not know if their organisation had cyber security insurance. This accounted for one in three primary (33%) and secondary school (30%) respondents. The figures were lower than in 2024/2025 (39% and 38%) but still suggested many with cyber security responsibilities were not fully involved with the broader financial or managerial aspects of the schools they were working to protect.
Technical rules and controls
As in previous years, the survey covered a range of technical rules and controls that organisations may have in place to help minimise the risk of cyber security breaches (illustrated across Figures 2.5 and 2.6). Many of these were good practice controls included in government guidance for the 10 Steps to Cyber Security or the Cyber Essentials scheme.
The government-endorsed Cyber Essentials scheme enables organisations to be independently certified for having met a good-practice standard in cyber security. Specifically, it requires them to enact basic technical controls across five areas:
- boundary firewalls and internet gateways
- secure configurations
- user access controls
- malware protection
- patch management (i.e., applying software updates).
Figure 2.5: Percentage of educational institutions that have the rules or controls in place in the five technical areas from Cyber Essentials
| Rules or controls in place | Primary schools | Secondary schools | Further education colleges | Higher education institutions | Businesses overall |
|---|---|---|---|---|---|
| Up-to-date malware protection | 95% | 95% | 100% | 100% | 81% |
| Firewalls that cover your entire IT network as well as individual devices (boundary firewalls and internet gateways) | 96% | 96% | 100% | 96% | 74% |
| Restricting IT admin and access rights to specific users (user access controls) | 98% | 99% | 100% | 96% | 73% |
| Security controls on company-owned devices (e.g. laptops) (security controls) | 96% | 95% | 100% | 100% | 61% |
| A policy to apply software security updates within 14 days (patch management) | 45% | 62% | 73% | 84% | 34% |
Bases: 273 primary schools; 222 secondary schools; 33 further education colleges; 49 higher education institutions; 2,112 businesses overall
As in 2024/2025, the overwhelming majority of educational institutions had technical rules or controls in place to cover four of the five technical areas of Cyber Essentials: boundary firewalls and internet gateways, secure configurations, user access controls and malware protection. At least nine in ten in every type of school, college or university had relevant rules or controls in place in these areas.
The exception was patch management (a policy to apply software security updates within 14 days), where fewer institutions had this in place. For primary schools and higher education institutions the proportion with this in place remained stable. Just under half of primary schools had patch management policies (48% in 2024/2025 and 45% in 2025/2026), and among higher education institutions the majority had this in place (91% in 2024/2025 and 84% in 2025/2026). For secondary schools the proportion with patch management policies increased from 56% in 2024/2025 to 62% this year. The inverse was true for further education, where the proportion with this in place decreased from 90% in 2024/2025 to 73% this year.
When it came to businesses, the majority had controls in place to cover the Cyber Essentials’ five technical areas, but they were less evident than in education. The proportions with boundary firewalls and internet gateways (74%), secure configurations (61%), user access controls (73%) and malware protection (81%) were similar to 2024/2025, and it remained a minority of businesses that had a policy to apply software security updates within 14 days (34%).
The vast majority of educational institutions had additional rules and procedures surrounding password policies, agreed processes for staff to follow if a fraudulent email or malicious website was identified, two-factor authentication (2FA) for networks or applications, monitoring of user activity, and backing up data securely via a cloud service. Only for backing up data securely via a cloud service among further education colleges did fewer than eight in ten adopt the practice (79%).
Although implemented by a majority of primary schools, in comparison to other measures they had taken, they were relatively less likely to be backing up data securely via means other than a cloud service (54%), have established a virtual private network or VPN for staff connecting remotely (62%) or to have separate Wi-Fi networks for staff and for visitors (68%). The proportion with separate Wi-Fi networks for staff and visitors was lower than in other educational settings.
Compared to other measures they had taken, secondary schools were less likely to only allow access via organisation-owned devices (58%), to have established a virtual private network or VPN for staff connecting remotely (65%) or to be backing up data securely via means other than a cloud service (67%).
Except for only allowing access via organisation-owned devices (58%), at least seven in ten further education colleges had each of the additional rules and procedures in place. Meanwhile, the challenge of controlling the use of personal devices appeared to be particularly acute for higher education institutions. Possibly reflecting the size, diversity and working practices of their student and staff bodies, only two in ten (20%) had policies to only allow access via organisation-owned devices.
The level of adoption of these rules and procedures was similar to that recorded in 2024/2025. The only differences were as follows:
- Primary schools: two-factor authentication (2FA) for networks/applications (up from 78% in 2024/2025 to 89%)
- Further education: backing up data securely via other means and having a virtual private network or VPN for staff connecting remotely (both down from 83% to 73%)
- Higher education: backing up data securely via a cloud service (up from 66% to 86%), monitoring user activity (up from 78% to 94%), and having an agreed process for staff to follow when they identify a fraudulent email or malicious website (up from 84% to 96%)
In general, education institutions were far more likely than businesses to have these controls in place. Fewer than four in ten private sector businesses had separate Wi-Fi networks for staff and for visitors (38%), a virtual private network or VPN for staff connecting remotely (36%), or monitored user activity (33%). Three-quarters did have a password policy that ensured users set strong passwords and were backing up data securely via a cloud service (both 74%). Perhaps reflecting the greater level of control businesses had over their employees, they were more likely than most educational establishments to only allow access via organisation-owned devices (66% compared to 58% of secondary schools and further education colleges and 20% of higher education institutions).
A question new to the 2025/2026 survey indicated that the storage of personal data was a major vulnerability for many educational institutions. Over a quarter of further education colleges (27%) and almost half of higher education institutions (49%) held personal data on employees or students, which was not protected by techniques such as anonymisation or encryption. Possibly reflecting the absence of personal data, rather than greater use of encryption, this was the case in fewer than two in ten primary (14%) and secondary schools (18%).
Figure 2.6: Percentage of educational institutions that have additional rules or controls in place
| Additional rules or controls | Primary schools | Secondary schools | Further education colleges | Higher education institutions | Businesses overall |
|---|---|---|---|---|---|
| A password policy that ensures users set strong passwords | 95% | 97% | 100% | 100% | 74% |
| Backing up data securely via a cloud service | 86% | 90% | 79% | 86% | 74% |
| Only allowing access via organisation-owned devices | 82% | 58% | 58% | 20% | 66% |
| An agreed process for staff to follow when they identify a fraudulent email or malicious website | 93% | 93% | 97% | 96% | 58% |
| Backing up data securely via other means | 54% | 67% | 73% | 84% | 48% |
| Rules for storing and moving personal data securely | 95% | 86% | 82% | 73% | 51% |
| Any two-factor authentication (2FA) networks/applications | 89% | 86% | 94% | 98% | 47% |
| Separate Wi-Fi networks for staff and for visitors | 68% | 92% | 94% | 86% | 38% |
| A virtual private network or VPN for staff connecting remotely | 62% | 65% | 73% | 98% | 36% |
| Monitoring of user activity | 91% | 92% | 88% | 94% | 33% |
Bases: 273 primary schools; 222 secondary schools; 33 further education colleges; 49 higher education institutions; 2,112 businesses overall
Outsourcing cyber security
As in 2023/2024 and 2024/2025, primary schools were more likely than other educational institutions to engage an external provider to manage their cyber security. Almost eight in ten primary schools (77%) continued to use external providers. This compared with 54% of secondary schools, 36% of further education colleges and 51% of higher education institutions (41% in 2024/2025 and an increase from 26% in 2023/2024). For context, the proportion among businesses was 48% (70% among medium-sized businesses and 42% of large businesses).
2.5 Implementing the 10 Steps to Cyber Security
The government’s 10 Steps to Cyber Security guidance sets out a comprehensive risk management regime that organisations can follow to improve their cyber security standards. It was not, however, an expectation that organisations comprehensively apply all the 10 Steps as this will depend on each organisation’s cyber risk profile.
These steps have been mapped to several specific questions in the survey. This was not a perfect mapping, as many of the steps overlap and require organisations to undertake action in the same areas, but it gives an indication of whether organisations have taken relevant actions on each step.
Table 2.1 brings these findings together, some of which have been covered in earlier sections of this annex.
Table 2.1: Percentage of educational institutions undertaking action in each of the 10 Steps areas
| Step | Step description – and how derived from the survey | Primary | Secondary | Further | Higher |
|---|---|---|---|---|---|
| 1 | Risk management – Organisations who update boards at least annually and have at least 2 of the following: a cyber security policy or strategy, adherence to Cyber Essentials or Cyber Essentials Plus, undertake risk assessments, have cyber insurance (either a specific or non-specific policy), undertake cyber security vulnerability audits, have an incident response plan, managing suppliers or supply chain cyber risks. | 61% | 64% | 85% | 80% |
| 2 | Engagement and training – Organisations that train staff or do mock phishing exercises | 72% | 77% | 91% | 92% |
| 3 | Asset management – Organisations that have a list of critical assets | 69% | 69% | 85% | 78% |
| 4 | Architecture and configuration – Organisations that configure firewalls and either: secure configurations, i.e., security controls on company devices or have a policy around what staff are permitted to do on company devices | 99% | 98% | 100% | 100% |
| 5 | Vulnerability management – Organisations that have a patching policy and at least one of the following: undertake vulnerability audits, penetration testing, update anti-malware, or have a policy covering SaaS | 45% | 62% | 73% | 84% |
| 6 | Identity and access management – Organisations that restrict admin rights, have a password policy or use two-factor authentication | 89% | 86% | 94% | 98% |
| 7 | Data security – Organisations with cloud or other backups and at least one of the following: secure personal data transfers, have policy covering removable storage or on how to store data | 96% | 97% | 100% | 100% |
| 8 | Logging and monitoring – Organisations with monitoring tools, or that log breaches and had a breach | 93% | 95% | 91% | 100% |
| 9 | Incident management – Organisations with incident response plans or formal debriefs | 85% | 85% | 91% | 96% |
| 10 | Supply chain security – Organisations that monitor risks from suppliers or wider supply chain | 44% | 48% | 48% | 80% |
As in 2024/2025, the area of greatest relative weakness within education institutions was supply chain security. Fewer than half of primary schools (44%), secondary schools (48%) or further education institutions (48%) were covering this aspect of the 10 Steps. However, the survey suggests an improving picture, with a notable increase in the proportion of primary schools that monitor supply chain risk (up from 29% in 2024/2025). The figure was already relatively high among higher education institutions, but their increase was also of note (up from 69% in 2024/2025 to 80%).
Except for supply chain security (44%), vulnerability management (45%) and risk management (61%), at least two-thirds of primary schools met each of the requirements in the 10 Steps to Cyber Security. As in 2024/2025 (48%), still only a minority of primary schools (45%) had a level of vulnerability management compatible with 10 Steps’ requirements. This included actions such as having a patching policy and undertaking vulnerability audits and penetration testing.
It was on these same three Steps that secondary schools had the lowest level of protection. At least two-thirds of secondary schools met each of the 10 Steps’ requirements, except for supply chain security (48%), vulnerability management (62%) and risk management (64%). In general, the figures for secondary schools remained stable compared to 2024/2025.
Apart from supply chain security (48%), at least seven in ten further education institutions had covered the remaining nine steps of the 10 Steps guidance. After supply chain security, the lowest level of coverage among further education colleges was for vulnerability management. On this, the figure dropped from 90% in 2024/2025 to 73% this year.
Except for asset management, where an organisation lists critical assets (78%), at least eight in ten higher education institutions had covered each of the 10 Steps to Cyber Security. As noted above, the proportion of universities covering supply chain security increased between 2024/2025 and 2025/2026, and the same was true for incident management (81% in 2024/2025 compared to 96% this year).
Looking at the overall level of adoption of the 10 Steps, nearly all educational institutions had acted on at least five. However, in no tier of the UK education sector had most institutions covered all the 10 Steps to Cyber Security.
Figure 2.7: Percentage of educational institutions that have undertaken action in at least half or all the 10 Steps guidance areas
| Actions undertaken | Primary schools | Secondary schools | Further education colleges | Higher education institutions | Businesses overall |
|---|---|---|---|---|---|
| Undertaken action on five or more of the 10 Steps | 94% | 93% | 94% | 100% | 41% |
| Undertaken action on all of the 10 Steps | 14% | 23% | 33% | 45% | 3% |
Bases: 273 primary schools; 222 secondary schools; 33 further education colleges; 49 higher education institutions; 2,112 businesses overall
As illustrated by Figure 2.7, fewer than two in ten primary schools (14%) had covered all 10 Steps, with relatively low proportions within secondary (23%) and further (33%) education. As was true for higher education (45%), these figures were similar to 2024/2025.
Although there were many areas where educational establishments could increase their coverage, they significantly outperformed businesses. Fewer than one in twenty private sector businesses had covered all 10 Steps (3%). Even the figure for large businesses (30%) was lower than for further and higher education.
2.6 Adoption of AI (Artificial Intelligence) and associated cyber protection
At every level of education, the overwhelming majority considered AI of relevance to their organisation. In most cases schools, further education colleges and higher education institutions had already adopted some AI tools, with many more in the process of doing so. As illustrated by Figure 2.8, AI tools had already been adopted by 63% of higher education institutions, 82% of further education colleges, and 53% of both secondary and primary schools. Adoption of AI within the education sector was significantly greater than in private sector businesses (21%) and even exceeded that seen among large businesses (45%).
The education sector had much higher levels of engagement in using AI compared to businesses (where 64% had no active plans to adopt AI or considered it irrelevant to their organisation). Fewer than one in ten higher education institutions (8%) or further education colleges (3%) had no active plans to adopt AI or considered it irrelevant to their organisation. The respective figures for secondary and primary schools were 14% and 26%.
Figure 2.8: Percentage of educational institutions that were using or considering using AI (Artificial Intelligence) in their organisation (at any level or for any task)
| AI use or consideration | Primary schools | Secondary schools | Further education colleges | Higher education institutions | Businesses overall |
|---|---|---|---|---|---|
| We have adopted some AI tools in our organisation | 53% | 53% | 82% | 63% | 21% |
| We are in the process of adopting AI into our organisation (including piloting) | 11% | 23% | 12% | 22% | 4% |
| We are actively considering adopting AI at some point | 9% | 8% | 3% | 6% | 6% |
| We may adopt AI at some point, but have no active plans to do so | 17% | 10% | 0% | 8% | 19% |
| I am aware of AI, but it is not relevant to my organisation | 9% | 3% | 3% | 0% | 45% |
Bases: 273 primary schools; 222 secondary schools; 33 further education colleges; 49 higher education institutions; 2,112 businesses overall
Qualitative insights on use and attitudes towards AI
The qualitative interviews indicated a varied level of use of AI within an educational context. Most institutions were at the preliminary stages of adoption and were taking small and informal steps. Among primary schools AI was not routinely used by all staff and in one case had been restricted to the Head Teacher. However, it was increasingly being used informally and sometimes on teachers’ own equipment. It should be noted that in Northern Ireland most aspects of IT were centrally provided by C2k which was managed by the Education Authority. The qualitative feedback suggested AI was being increasingly employed by secondary schools, colleges and universities.
In schools, AI was typically used to support teaching rather than manage its operations, with examples provided of how it helped plan and create lessons. One secondary school saw the potential of AI to support pupils with additional needs such as dyslexia, while in another it helped review students’ coursework.
“If we were a business, we might be looking at ways AI can cut costs. Whereas in a primary school we're looking for ways to educate children better.” Primary school
“We use AI to check students’ coursework to see if they've used AI. A lot of examination boards insist on this. We push Gemini to the staff and encourage them to use that for supporting lesson planning and to save time on tedious jobs.” Secondary school
In larger organisations such as universities, it was recognised that AI was being used informally and to a greater extent than could be monitored by the IT department. It was described by one as “part of the future” while another described how it could support the operation of the university and support its cyber security activities in the context of limited resources.
“(We are) exploring a lot of opportunities with AI, particularly for automation, such as using chatbots to reduce incoming calls and emails. (AI will) expand and become much more prevalent. The economic climate means that we have limited resources, so we have to automate.” Higher Education Institution
The interviews also highlighted people’s fears over the threat AI posed to cyber security. The use of AI to support the creation of persuasive emails or to impersonate real people was mentioned on multiple occasions. The additional tools AI provided to bad agents were a great concern, as was the potential for AI to make staff more complacent. Inputting personal information erroneously or without thought when using AI tools was highlighted as a particular danger.
“I've been very clear with staff that although AI can be a good tool in certain scenarios, they should not get lazy and think it can do my work for me. The more they switch off their brains, the more susceptible they are to phishing attacks and mistakes.” Secondary school
“It changes the threat landscape. There's a whole tool set available to the bad guys. For example, the ability to use generative AI to make phishing emails more convincing.” Higher Education Institution
“You've got these things where they can impersonate people. It's going to be a bigger factor, a bigger threat.” Higher Education Institution
Amongst educational establishments that had or were considering the use of AI, 66% of further education colleges, 59% of secondary schools, 56% of primary schools and 49% of higher education institutions, had specific cyber security practices or processes in place to manage the risks of using AI technology. Around a third of institutions, currently with no processes in place to manage the risk, said they may implement processes to do so in the next 12 months (32% of primary schools, 29% of secondary schools, 31% of further education colleges and 38% of higher education institutions). A minority of institutions had no processes in place to manage the risks of AI technology and had no plans to do so (4% of primary schools, 3% of secondary schools, 0% of further education colleges and 9% of higher education institutions).
In general, educational establishments were more likely than private businesses to have adopted practices or processes to mitigate AI risk. The proportion of businesses with no such processes and no plans to adopt them within the next 12 months (31%) currently exceeded those that did have them in place (24%). Only among large businesses (66%) did the proportion with AI-specific cyber security processes in place match the levels seen within education.
Qualitative insights on AI and cyber protection
AI was a fast-developing aspect of their operations and the threat landscape, and most education institutions in the qualitative interviews had taken some steps to develop guidelines or procedures around its use. This was evident across the whole sector, from primary schools to large universities. However, the approach currently appeared to be ad hoc and informal, and it was rare for formal policies to have been developed. Some had tried to manage potential threats by limiting use and slowly granting access where required; others had gone much further and required staff to read and sign an AI policy. Schools were looking to education authorities for guidance.
“We have got AI policies in place now. This was sent to staff to read and confirm they have acknowledged it. The DfE sends out a lot of guidance on AI at the moment. General awareness about putting personal information into this thing that has a memory longer than yours?” Primary school
“The Department of Education, Northern Ireland, is doing research on AI and [we are] expecting a framework or policy to be issued.” Primary school
“We have been blocking AI use for students and staff to begin with [and given access] when wanted or needed. There are clear rules for how teachers can use it e.g. check copyright issues, checking accuracy. Without guidance from higher up I couldn't make that decision on allowing students [to use AI] for certain things.” Secondary school
“We have issued guidelines as part of our data protection policy, around the use of AI. What you should and shouldn't use it for.” Higher Education Institution
Most of those spoken to saw the potential of AI to help counter cyber security threats. However, except for universities, there was limited understanding of how they could exploit this potential. Some primary schools did not have the resources to engage with and operate AI cyber security tools, or hoped third party Multi Service Providers (MSPs) may be using it on their behalf. Even if they could not currently use AI tools for cyber security, some were using it to keep informed of relevant developments.
“I would have to spend time checking what it did. I cannot be sure that the information it was providing me was based on relevant or correct information.” Primary school
Compared to schools and further education colleges, universities appeared far better informed about the ability of AI to counter cyber security threats, or to be actively utilising its capabilities. In two instances comments focused on AI being ‘baked in’ to their cyber protection products. Three universities detailed how AI was being proactively used to provide better cyber security. In one case this was driven by the need to free up time for other activities, but the need for human intervention could not be removed entirely. The need remained to review incidents and use human resource as well as technical solutions: “you can't just plug it in and leave it.”
“We’re constantly using AI. The good guys are getting these tools as well and we will make sure whatever vendor we use for cyber security defence has an AI roadmap to match. The arms race against the bad guys.” Higher Education Institution
“We'll be using (AI) a lot more to automate the boring bits of our job. We’ve got an AI routine within CrowdStrike that forces people to MFA. It can block an account, disable accounts, kill all their sessions and change the password without referring to us.” Higher Education Institution
Appendix A: Further information
- The Department for Science, Innovation and Technology and the Home Office would like to thank the following people for their work in the development and carrying out of the survey and for their work compiling this report.
- Alice Stratton, Ipsos
- Tom Bristow, Ipsos
- Hannah Harding, Ipsos
- Jono Roberts, Ipsos
- Eva Radukic, Ipsos
- Jayesh Navin Shah, Ipsos
- The Cyber Security Breaches Survey was first published in 2016 as a research report, and became an Official Statistic in 2017. The education annex, however, should not be considered official statistics. Education institutions were included for the first time in the 2019/2020 survey. The previous reports can be found at https://www.gov.uk/government/collections/cyber-security-breaches-survey. This includes the full report and the technical and methodological information for each year.
- The lead DSIT analyst for this release is Emma Johns and the responsible DSIT statistician is Saman Rizvi. The lead Home Office analyst for this release is Lamyr Megnin. For enquiries on this release, from an official statistics perspective, please contact DSIT at cybersurveys@dsit.gov.uk.
- The Cyber Security Breaches Survey is an official statistics publication and has been produced to the standards set out in the Code of Practice for Official Statistics. For more information, see https://www.statisticsauthority.gov.uk/code-of-practice/. Details of the pre-release access arrangements for this dataset have been published alongside this release.
- This work was carried out in accordance with the requirements of the international quality standard for Market Research, ISO 20252.
- Further detail on the margins of error is included in the separately published Technical Annex in section 1.6.
- The government-endorsed Cyber Essentials scheme enables organisations, including educational institutions, to be certified independently for having met a good-practice standard in cyber security.
- The 10 Steps to Cyber Security guidance aims to summarise what organisations should do to protect themselves.