The Cyber Security Breaches Survey is a key research study supporting the UK’s cyber resilience and the goals of the National Cyber Strategy. Its findings help shape government policy on cyber security, with the aim of making the UK’s digital environment a safer place to do business.

The survey examines how businesses, charities, and educational institutions manage cyber security — including their policies, processes, and overall approach. It also analyses the types of cyber attacks and cyber crimes these organisations experience, the impact of such incidents, and how they respond

Prevalence and Impact of Cyber Security Breaches and Attacks

• Primary schools reported levels of cyber breaches or attacks similar to the average UK business, with 52% identifying at least one incident in the past year;

• All other types of educational institutions were more likely than the average UK business to experience cyber security breaches or attacks;

• 71% of secondary schools identified a breach or attack within the last 12 months;

• Further education (FE) and higher education (HE) institutions experienced breaches and attacks more frequently than schools, and across a wider range of attack types, including impersonation attempts, malware infections, and unauthorised network or file access;

• 86% of FE colleges and 97% of HE institutions reported experiencing a breach or attack in the past year; and

• Almost six in ten HE institutions said they had been negatively impacted by a cyber incident.

Engagement with Cyber Security

Education institutions generally demonstrated greater senior-level engagement with cyber security than the average UK business, comparable to that seen in large enterprises.

However, awareness of government guidance—such as the National Cyber Security Centre’s (NCSC) 10 Steps to Cyber Security, Board Toolkit, certification schemes like Cyber Essentials, and campaigns such as Cyber Aware—was lower among primary and secondary schools this year.

Awareness and adoption of these initiatives were much higher in FE colleges and HE institutions.

Approaches to Cyber Security

Across the sector, educational institutions showed stronger preparedness and planning for cyber security than the average UK business, with approaches more closely resembling those of large organisations.

Most had an established cyber security policy, particularly in FE colleges and HE institutions, where such policies were most prevalent.

The majority had taken active steps in the past 12 months to identify and manage cyber risks, such as conducting formal risk assessments.

Primary schools tended to have less sophisticated cyber risk management processes compared with secondary schools, colleges, and universities.

All types of educational institutions were more likely than the average business to have implemented technical controls across the five key areas covered by the Cyber Essentials framework.