The British public education sector has faced a significant increase in cyber breaches over the past year, despite stable threat levels recorded in the UK.
These findings are part of the Cyber Security Breaches Survey 2025/2026, released by two UK government agencies, the Department for Science, Innovation and Technology (DSIT) and the Home Office, on April 30.
The new edition of this annual report, which is the result of a quantitative survey and qualitative interviews carried out between August and December 2025, shows stable trends compared to the previous version, published in April 2025.
However, buried in the report’s Education Annex lies one of the most dramatic increases in cyber breach prevalence between the two editions – and it occurred within public educational institutions.
First, the annex shows that the proportion of British primary schools identifying cyber breaches increased by 4% in the 2025/2026 findings compared to the previous reporting period between August and December 2024.
Additionally, 73% of UK secondary schools also said they experienced a cyber breach, up from 60% in the report published in 2025.
The 2025/2026 report also showed that 88% of further education colleges were reportedly hit by cyber breaches, a 3% increase on the previous reporting period.
Worse, the share of UK higher education institutions that suffered breaches went from 91% in the 2025 report to a near-universal 98% in the 2026 report.
The educational institutions covered in the 2025/2026 survey comprise 273 primary schools, 222 secondary schools, 33 further education colleges and 49 higher education institutions. Private education businesses were considered separately and are not included in these findings.
Aside from education, the survey did not reveal any broader increasing trend in attacks or cybercrimes.
Most findings remain similar to those reported in the previous edition, indicating a stable trend where approximately 43% of businesses and 28% of charities identified a breach or attack in the last 12 months. In the April 2025 edition of the survey, 43% of businesses and 30% of charities reported cyber breaches or attacks.
Phishing Dominates as Breach Rates Hold Steady
Phishing remained the most prevalent and disruptive threat by far (experienced by 38% of businesses and 25% of charities).
Additionally, there has been a notable increase in the proportion of organizations experiencing only phishing attacks and no other type of incidents (from 45% last year to 51% this year). This shift is partly attributed to the perception that phishing has become easier for attackers to execute in high volumes.
More complex threats like ransomware and impersonation attacks have seen a decline over the last two years, with just 1% of businesses claiming to have experienced ransomware over the 2025/2026 reporting period.
While the overall frequency of breaches is stable, the severity of the consequences for businesses appears to be rising.
Although the total proportion of organizations experiencing any negative outcome remained consistent with last year (19% for businesses and 11% for charities in the 2025/2026 survey compared to 16% for both businesses and charities in the previous edition), there was a specific increase in businesses reporting that breaches led to a loss of revenue or share value (from 2% in the April 2025 report to 5% in the 2025/2026 one).
UK Small Businesses See Cyber Hygiene Rollback
Muhammad Yahya Patel, CISO and cybersecurity advisor for EMEA at Huntress, noted that, while the survey paints a picture of a cyber threat landscape that remains “stubbornly persistent,” one of the most alarming findings is a reversal in small business cyber hygiene.
Patel referred to findings that saw UK small businesses return to 2023/2024 cyber hygiene levels, including undertaking cyber security risk assessments (41% in 2025/2026, a decrease from 48%), having a formal cyber security policy covering cyber security risks (52% in 2025/2026, down from 59%) and business continuity plans that address cyber security (44% in 2025/2026, down from 53%).
“Small businesses saw significant drops across key controls. When budgets tighten, cyber hygiene is often the first thing cut and that's exactly when attackers take advantage,” Patel said.
“Dropping your incident response plan during an era of rising cybercrime is like removing your smoke detectors because you've had a good few months.”
Jon Fielding, managing director of EMEA for Apricorn, also noticed that “staff training continues to be deemed a low priority among small businesses,” with just a third carrying out sessions compared to 84% of large organizations.
“Because of this, the user still remains the weakest link in the chain, and those users are becoming ever more vulnerable because attacks are being crafted and honed by AI,” he argued.
“Phishing and social engineering attacks are now much more sophisticated and difficult to spot, making it vitally important that employees know how they can report any suspicious communications.”
Cyber Essentials Adoption Stalls at Just 5%
The latest survey revealed that only 5% of surveyed UK businesses reported adhering to Cyber Essentials.
“This signals a missed opportunity for structured resilience,” said Chris Newton-Smith, CEO of compliance software firm ISMS Online.
This is despite Jonathan Ellison, the UK National Cyber Security Centre’s director for national resilience, hinting during CYBERUK 2026 that the uptake for Cyber Essentials in the last financial year was up around 20%.
Newton-Smith commented, “Frameworks shouldn't be seen as compliance overhead as they provide proven, repeatable security practices and often reduce reliance on fragmented external advice. Those organizations that rely heavily on consultants instead of frameworks risk inconsistent controls but also a lack of internal capability. Frameworks, such as Cyber Essentials, can help turn an organization's good intentions into operational discipline.”










