The Cyber Security Breaches Survey 2025/2026 - Key Advice for Schools
The Cyber Security Breaches Survey 2025/2026 was published on 30th April 2026 by DSIT and the Home Office. We outline the current threat picture for schools.
The Threat Picture for Schools
The Educational Institutions findings are part of the Appendix.
The headline finding is that schools face a significantly higher cyber threat than the average UK business. Over seven in ten secondary schools (73%), nearly nine in ten further education colleges (88%) and almost every higher education institution (98%) had identified breaches or attacks in the last 12 months. Primary schools fared better. A significantly higher proportion of secondary schools this year (73%) said they had identified breaches or attacks in the past 12 months, compared with 2024/2025 (60%), a sharp rise in one year.
Attacks are not rare events for many schools. Around a quarter of further education institutions (24%) and three in ten higher education institutions (29%) reported experiencing a breach or attack at least weekly. Some further and higher education institutions reported that attacks were experienced at least daily.
Phishing dominates.
Phishing was overwhelmingly the main threat to schools, affecting (among those that experienced a breach):
- 90% of primary schools
- 96% of secondary schools
The report notes attackers are increasingly using AI to make phishing emails more convincing and harder to detect.
More serious threats are rising in colleges and universities.
Further and higher education institutions had significantly higher incidence levels than schools or businesses for impersonation (79%, compared to 31% of primary schools and 44% of secondary schools), viruses/spyware/malware (51%), denial of service attacks (49%), and unauthorised accessing of files or networks by students (23%). (Source: GOV.UK)
Negative outcomes are real.
Almost half the further and higher education institutions that identified a breach or attack (49%) suffered a negative outcome to their systems, including compromised accounts being used for illicit purposes (23%), websites or services being slowed or taken down (16%), and loss of access to files or networks (14%). Schools fared better, but secondary schools (20%) and primary schools (13%) that identified a breach were still reporting negative impacts on their systems.
Negative outcomes are not just technical; they also include financial loss, reputational damage and staff time.
Where Schools Are Doing Well
The report is clear that schools outperform the average UK business across most cyber security measures. This is worth acknowledging.
Almost all educational institutions reported that cyber security was either a very or fairly high priority for their governors or senior management.
Cyber security training or awareness raising sessions had been delivered by seven in ten primary schools (72%), eight in ten secondary schools (77%) and nine in ten further education colleges (91%) and higher education institutions (92%). Only large businesses (84%) come close to these levels.
Over eight in ten primary schools (83%) now have a formal policy or policies in place covering cyber security risks, rising to at least 90% in all other educational establishments, compared to just 36% of businesses overall.
At least nine in ten in every type of school, college or university had technical rules or controls in place covering boundary firewalls, secure configurations, user access controls and malware protection.
The Key Gaps and What Schools Should Do
1. Patch management is the weakest technical control.
The technical area of Cyber Essentials that fewest educational establishments addressed was patch management, i.e. a policy to apply software security updates within 14 days. Just under half of primary schools had this in place (45%). Secondary schools improved to 62%, but it remains a clear weak point.
Advice: Prioritise establishing a formal patching policy. Outdated software is one of the easiest entry points for attackers. Even if resources are constrained, automating updates wherever possible is a low-cost, high-impact action.
2. Supply chain security is the biggest strategic gap.
Fewer than half of primary schools (44%), secondary schools (48%) or further education colleges (48%) were covering supply chain security, which represents the area of greatest relative weakness within education. Schools are often placing trust in suppliers without auditing their security credentials.
Advice: Start asking software and IT suppliers about their cyber security practices. At minimum, consider requiring suppliers of cloud or data storage services to hold Cyber Essentials accreditation. Conduct at least a basic review at onboarding rather than leaving it entirely to trust. Complete DPIA and due diligence checks with your DPO.
3. Personal data is not adequately protected at higher levels.
Over a quarter of further education colleges (27%) and almost half of higher education institutions (49%) said they held personal data on employees or students which was not protected by techniques such as anonymisation or encryption.
Advice: Audit what personal data you hold, where it sits, and how it is protected. This is a data protection risk as well as a cyber risk. Review with your DPO.
4. Vulnerability management needs attention.
Only a minority of primary schools (45%) had a level of vulnerability management compatible with the 10 Steps requirements. This included actions such as having a patching policy and undertaking vulnerability audits and penetration testing. Secondary schools were also low at 62%.
Advice: Use the NCSC's free "Check Your Cyber Security" tool as a starting point. Consider periodic external vulnerability audits even if penetration testing feels out of reach on budget.
5. Governors need to be more engaged, especially in secondary schools.
Only 73% of secondary schools had a board member, trustee, governor or senior manager taking responsibility for cyber security, compared to 85% of primary schools and 100% of higher education institutions. The report described some governors as passive, rarely asking pertinent questions, and lacking a sense of urgency.
Advice: Put cyber security on the governing board agenda at least once a year; you should already have assigned an SLT Digital Lead as part of the DfE Digital Standards. Use the NCSC's Cyber Security Toolkit for Boards to structure those conversations. Frame cyber risk alongside reputational and operational risk.
6. The frequency of board updates in primary schools is falling.
The proportion of primary schools updating governors or senior management on cyber security at least quarterly was 60%, which was lower than in 2024/2025 (73%).
Advice: Re-establish regular cyber security reporting to leadership, even if it's brief. A simple termly update covering incidents, risks, and actions taken keeps cyber on the agenda and helps governors fulfil their duty.
7. Insurance awareness is patchy and many don't know what they have.
A sizeable minority of education institutions, one in three primary school (33%) and secondary school (30%) respondents, did not know whether their organisation had cyber security insurance.
Advice: Find out what insurance your school has, and whether it covers cyber incidents. Many schools' policies include cyber cover as part of a broader policy without staff knowing. If you don't have any cover, it's worth exploring, especially since Cyber Essentials certification can reduce premiums. Schools often have RPA insurance for facilities; cyber security is an add-on. If you do take out insurance, check that you meet its requirements, such as regular, specific training, before you make a claim.
8. AI adoption is racing ahead of AI governance.
AI tools had already been adopted by 53% of both primary and secondary schools, significantly greater than private sector businesses (21%). However, only 56% of primary schools and 59% of secondary schools that were using or considering AI had specific cyber security practices or processes in place to manage the associated risks.
Advice: Develop a clear AI policy that covers data protection risks (what staff and students should and should not input into AI tools), acceptable use, and copyright. The DfE has been issuing guidance; contact your DPO for template policies, due diligence and risk management. Don't allow AI adoption to outpace your safeguards.
9. Dormant and alumni accounts are a live risk (particularly in secondary schools and colleges).
The report highlighted how unused accounts become attack vectors. One university reported removing approximately 150,000 dormant alumni accounts after they were exploited in attacks.
Advice: Run regular audits of user accounts and disable those that are no longer active. This is especially relevant for leavers, both students and staff, whose accounts are often left open long after they depart. We regularly see data breaches reported from accounts where staff left months ago. Make sure you have a robust onboarding and leavers procedure.
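One way to run the account audit advised above, as an added example that is not the report's or any school's own script: it assumes a directory export giving each account's last sign-in date and, for leavers, a leaving date; the 90-day dormancy threshold, the 14-day leaver grace period and the records themselves are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample directory export (not real accounts): one record per
# account with its last sign-in and, for leavers, the date they left.
SAMPLE_ACCOUNTS = [
    {"user": "a.teacher",    "type": "staff",   "last_sign_in": "2026-04-20", "left_on": None,         "enabled": True},
    {"user": "j.former",     "type": "staff",   "last_sign_in": "2025-11-02", "left_on": "2025-12-19", "enabled": True},
    {"user": "s.pupil",      "type": "student", "last_sign_in": "2026-04-28", "left_on": None,         "enabled": True},
    {"user": "m.gone",       "type": "student", "last_sign_in": "2025-12-01", "left_on": None,         "enabled": True},
    {"user": "alum2019",     "type": "alumni",  "last_sign_in": "2023-06-30", "left_on": "2019-07-19", "enabled": True},
    {"user": "old.disabled", "type": "staff",   "last_sign_in": "2024-01-10", "left_on": "2024-01-31", "enabled": False},
    {"user": "never.used",   "type": "student", "last_sign_in": None,         "left_on": None,         "enabled": True},
]

AUDIT_DATE = date(2026, 4, 30)       # the day the audit is run (constructed)
DORMANT_AFTER = timedelta(days=90)   # assumption: no sign-in for 90 days counts as dormant
LEAVER_GRACE = timedelta(days=14)    # assumption: leavers' accounts must be disabled within 14 days


def _parse(value):
    """ISO date string -> date, or None when the field is empty."""
    return date.fromisoformat(value) if value else None


def audit_accounts(accounts, today):
    """Return (user, reason) pairs for enabled accounts that should be disabled.

    Leavers past their grace period are flagged first, then accounts that
    have never signed in, then accounts dormant beyond DORMANT_AFTER.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing to do
        left_on = _parse(acct["left_on"])
        last = _parse(acct["last_sign_in"])
        if left_on is not None and today - left_on > LEAVER_GRACE:
            findings.append((acct["user"], f"leaver: left {left_on.isoformat()}, still enabled"))
        elif last is None:
            findings.append((acct["user"], "never signed in"))
        elif today - last > DORMANT_AFTER:
            findings.append((acct["user"], f"dormant: last sign-in {last.isoformat()}"))
    return findings


def summarise(findings):
    """Count findings by category for a brief governor/SLT update."""
    counts = {}
    for _, reason in findings:
        category = reason.split(":")[0]
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for user, reason in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{user:14} {reason}")
```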
10. Budget constraints are real, but some improvements are low-cost.
Solutions to fix cyber security problems have become more expensive while education funding has not increased at the same rate, as several respondents noted. Many schools are stretched on IT staffing.
Advice: Focus first on the free and low-cost NCSC resources: Cyber Essentials self-assessment, the Small Schools Guide, the Check Your Cyber Security tool, mock phishing exercises, and the Cyber Aware campaign materials. Getting Cyber Essentials certified is relatively affordable and signals you are taking security seriously; it can also unlock better insurance rates.
Top Priorities at a Glance
| Priority | Why it matters |
|---|---|
| Patch management policy | Biggest technical gap; keeps software vulnerabilities closed |
| Supply chain checks | Low awareness, growing attack vector |
| Phishing training & mock exercises | Dominant threat; schools testing their own staff are seeing results |
| AI governance policy | Adoption is outpacing safeguards |
| Governors on agenda | Engagement drives action and accountability |
| Account hygiene | Dormant accounts are easy entry points; tighten the 'joiners, movers, leavers' process |
| Cyber insurance review | Many don't know what they have |
| Conduct 'Shadow AI' audits | Don't just ban it; provide a 'walled garden' and review what is being used |
| Cyber Essentials accreditation for Further Education or trusts; the DfE Digital Standards for all schools | Framework for the basics; can reduce insurance costs |
The Cyber Resilience Pledge
Action: Sign the pledge to signal commitment. It requires boards to undertake NCSC Cyber Governance Training within 3 months. This is a powerful way to fix the "passive governor" issue. See: Government Cyber Resilience Pledge.
Transition from "Training" to "Culture"
The report shows 70-90% of schools do training, yet phishing still dominates.
Advice: Move away from annual "death by PowerPoint" sessions. Use monthly micro-learning (2-minute videos) and simulated phishing that rewards staff for reporting "suspect" emails rather than just punishing those who click.
