Cyber Rebels

The State of Cybersecurity in Education: What the 2025/2026 Breaches Survey Really Shows

A teacher opens a shared document while preparing a lesson. A school office receives an email that appears to relate to a parent query. A college administrator moves between learner records, funding systems and staff messages. A university team member receives a request linked to an account, research system or student service.

None of these moments feels like a cyber event. They feel like education work. The person involved is not usually thinking about threat categories, technical controls or incident response. They are trying to support learning, keep communication moving, protect continuity, respond to people who depend on them and make the working day manageable.

That is the useful way to read the Cyber Security Breaches Survey 2025/2026: Education Institutions Findings. The report is not just a set of cyber statistics for schools, colleges and universities. It is a snapshot of how cybersecurity now sits inside the ordinary operating reality of education: teaching, safeguarding, administration, access, communication, third-party platforms, AI use, learner support and institutional continuity.

The education annex covers UK state educational institutions, including primary schools, secondary schools, further education colleges and higher education institutions. The latest fieldwork was carried out between August and December 2025. It is worth noting early that the education samples are unweighted and smaller than the main business and charity survey samples, so the findings should be read as a broad sector view rather than perfect certainty, especially for further and higher education year-on-year comparisons.

That caveat matters, but it does not weaken the value of the report. If anything, it makes the interpretation more important. The survey should not be used to make sweeping claims that every school, college or university faces the same level of risk in the same way. Its real value is in showing the pattern: education is highly engaged with cybersecurity, often more structured than many businesses, and still heavily exposed because of the way education work actually happens.

The issue is not simply whether education leaders know cyber matters. In most cases, they do. The harder question is whether staff, leaders, governors, IT teams and support teams are equipped to make clear decisions when cyber risk appears inside normal education work.

The education picture is serious, but not simple

Cybersecurity in education cannot be understood as an occasional IT issue that appears separately from teaching and operations. The report shows that cyber incidents are already part of the digital environment in which schools, colleges and universities work.

Almost half of primary schools, 49%, identified breaches or attacks in the previous 12 months. The figures were sharply higher further up the education system, with 73% of secondary schools, 88% of further education colleges and 98% of higher education institutions identifying breaches or attacks. Secondary schools saw the clearest year-on-year movement, increasing from 60% in 2024/2025 to 73% in 2025/2026.

Those figures should make education leaders take notice, but they should not be turned into fear-led messaging. The point is not that education is failing. The point is that education is now a high-volume digital environment. Schools, colleges and universities depend on connected systems, cloud platforms, staff accounts, student access, parental communication, external suppliers, shared resources, finance systems, HR platforms and learning technologies. More digital activity creates more places where decisions matter.

The pattern also changes by institution type. A primary school may have fewer systems and fewer users than a university, but it may depend heavily on external providers and a small number of staff who carry multiple responsibilities. A secondary school has more staff, more pupils, more devices, more accounts and more communication. A further education college often works across multiple courses, campuses, funding requirements, learner support needs and employer relationships. A university adds research, alumni accounts, student autonomy, complex networks, international activity and large-scale digital infrastructure.

That is why the survey is best read as a maturity and complexity story, not a simple ranking. The higher prevalence in further and higher education is not just about being “more at risk” in a vague sense. It reflects larger and more open environments where access, autonomy and availability are essential to how the institution functions.

Education should therefore avoid both extremes. It should not dismiss the findings because “we already take cyber seriously”, and it should not interpret them as proof that everything is broken. The stronger reading is that cybersecurity has become part of education’s everyday operational resilience.

Phishing remains the clearest education decision test

Phishing remains the most obvious example of why cybersecurity in education is a decision-making issue. It does not usually arrive as something dramatic. It appears inside communication that looks close enough to normal to be acted on quickly.

A staff member sees an email that appears to relate to a parent, pupil, learner, governor, supplier, platform provider or internal system. The message may ask them to open a document, confirm a login, review a file, respond to a request, approve an action or update information. In a busy school or college day, that kind of request does not automatically feel suspicious. It feels like another thing that needs doing.

That is why the phishing figures matter. Among education institutions that identified breaches or attacks, phishing was reported by 90% of primary schools, 96% of secondary schools and 96% of further and higher education institutions combined. The previous 2025 education annex showed similarly high phishing levels, with 89% of affected primary schools, 89% of affected secondary schools and 97% of affected further and higher education institutions reporting phishing.

This tells us something important. Phishing is not persisting because education staff have never heard of it. Many have. The report itself describes widespread awareness activity, phishing testing and staff reporting processes in parts of the sector. The problem is that phishing works by fitting into the pressures education staff already experience.

A school office does not want to delay a parent query. A teacher does not want to hold up lesson preparation. A safeguarding or pastoral team does not want to miss something important. A finance or HR team does not want to block a legitimate request. A college or university department does not want to interrupt access to systems that learners and staff rely on.

The decision is rarely “do I ignore cyber security?” It is more often “does this fit what I am already trying to do?” If the request fits the context, acting can feel reasonable.

That is why phishing awareness in education has to move beyond the obvious warning signs. Spelling mistakes, strange links and unexpected attachments are still useful, but they do not fully prepare staff for the more difficult moment: a message that looks familiar, arrives at the right time and asks for an action that seems to support the work.

The real test is whether staff can recognise when something that feels normal still deserves a second route of verification. That is where education cybersecurity becomes behavioural, not just technical.

Further and higher education show what happens when complexity increases

The survey becomes even more revealing when it separates schools from further and higher education. In schools, phishing dominates the picture. In further and higher education, phishing remains extremely common, but the range of reported incidents becomes much broader.

Among further and higher education institutions that identified breaches or attacks, the report found high levels of impersonation, malware, denial of service attacks and unauthorised access by both staff and students. Impersonation was reported by 79% of affected further and higher education institutions, malware by 51%, denial of service attacks by 49%, unauthorised access by staff by 29%, and unauthorised access by students by 23%. Several of these figures were higher than the previous year, although the report’s sample-size caveat means those changes should be treated carefully.

That wider threat picture makes sense when you look at how further and higher education operate. These institutions are often open by design. They support larger user bases, multiple sites, student autonomy, external partnerships, research activity, cloud platforms, personal devices, specialist systems and wider public-facing digital services.

The pressure is different from a smaller school. Access has to work at scale. Students need systems. Staff need autonomy. Departments may have their own processes. Research, finance, HR and learner support may each operate with different workflows. The institution cannot simply lock everything down without affecting the purpose it exists to serve.

That is where cyber risk becomes harder to manage. A university or college may have stronger technical capability than many smaller education settings, but it also has more places where access, autonomy and trust have to be balanced. A dormant alumni account, a student login, a staff permission level, a departmental tool or a public-facing service can all become part of the risk picture.

The report notes that further and higher education institutions were more likely than schools to experience negative outcomes from breaches or attacks. Among those identifying incidents, 49% of further and higher education institutions reported negative outcomes to their systems, and 62% reported impacts on staff time or other operational factors. Primary and secondary schools were less likely to report those system outcomes, at 13% and 20% respectively.

This is not just a technical observation. It is an operational one. In larger education environments, disruption can affect access to learning, staff workload, student services, research activity, reputation and continuity. Cybersecurity therefore becomes part of institutional resilience, not a separate technology concern.

High senior engagement makes the remaining gap more important

One of the most interesting findings in the education annex is that education institutions generally report very high senior engagement with cybersecurity. That rules out a lazy “education does not understand cyber” argument.

The report found that cybersecurity was considered a very or fairly high priority by governors or senior management in 98% of primary schools, 97% of secondary schools, 97% of further education colleges and 96% of higher education institutions. It also found that every higher education institution in the survey had a board member, trustee, governor or senior manager responsible for cybersecurity, alongside 82% of further education colleges, 85% of primary schools and 73% of secondary schools.

That is a positive picture. It also makes the remaining gap more important. If education leaders already recognise cyber as a priority, then the challenge is not basic awareness at the top. The challenge is translation.

Senior priority has to reach the point where decisions are made. It has to reach the staff member deciding whether to report something unusual. It has to reach the teacher using a shared platform. It has to reach the administrator handling parent, learner or staff data. It has to reach the colleague deciding whether to use an AI tool, approve access, trust a supplier email or challenge a familiar-looking request.

The report’s qualitative findings show that engagement is not uniform. In further and higher education, cyber is often more formally embedded into governance and risk structures. In schools, communication with governors may be more ad hoc, and some governors may be less proactive or less confident in asking detailed questions. The report also describes education decision-making as sometimes slow, even where cyber decisions may need timely action.

That nuance matters. A school may genuinely care about cybersecurity and still struggle to move quickly. A college may have strong governance but still face pressure across departments. A university may have sophisticated oversight but still find that risk appears in autonomous teams, legacy accounts or complex supplier relationships.

The leadership lesson is not simply “care more”. Education already cares. The more useful question is whether leaders have created the conditions where good cyber decisions feel normal: verifying requests, reporting uncertainty, using approved tools, challenging unusual access, updating systems, and treating cyber judgement as part of professional responsibility.

Policies and controls are strong, but resilience still depends on behaviour

The education annex shows that many institutions have stronger formal controls than the national business average. This is important because it reinforces the same pattern: the issue is not that education is doing nothing. The issue is that controls and policies still have to work inside busy education environments.

At least eight in ten primary schools had formal policies covering cybersecurity risks, and the figure rose to at least 90% across secondary schools, further education and higher education. Business continuity planning was also widespread, with 74% of primary schools, 80% of secondary schools, 79% of further education colleges and 86% of higher education institutions having business continuity plans that covered cybersecurity.

Technical controls were also strong in many areas. The report found that at least nine in ten institutions across schools, colleges and universities had relevant controls in place for boundary firewalls and internet gateways, secure configurations, user access controls and malware protection. However, patch management was weaker, especially in primary schools, where only 45% had a policy to apply software security updates within 14 days. Secondary schools improved on this measure, rising from 56% to 62%, while further education fell from 90% to 73%.

This is where the real-world decision layer matters. A patching policy is not just a technical control. It is affected by old devices, limited IT time, disruption to lessons, supplier dependencies, testing requirements and the need to keep systems available. A device may need updating, but the institution may also need it for a classroom, office, lab, admin process or student service.

The same applies to access controls. Education needs openness. Staff and students need systems to work. Visitors, contractors, governors, parents, trustees, suppliers and partner organisations may all need some form of communication or access. The report itself reflects the tension between securing systems and not making them impractical for teaching and learning.

That tension is not a failure. It is the reality of the sector. Education cannot operate like a locked-down corporate environment where every convenience can be removed without consequence. Security has to support teaching, learning, safeguarding, administration and continuity.

This is why behaviour matters even when controls are strong. A firewall cannot decide whether a parent email feels slightly unusual. A policy cannot, by itself, make a staff member feel confident enough to escalate. A technical control cannot fully replace judgement when someone is deciding whether a tool, request, login prompt or supplier instruction should be trusted.

Good cybersecurity in education is not only about having the right controls. It is about helping people use those controls properly when work is live.

Incident response is stronger than many businesses, but early reporting still matters

The survey shows that many education institutions are relatively well prepared for incident response, especially compared with businesses overall. That is positive, and it should be acknowledged.

Formal incident response plans were reported by 73% of primary schools, 77% of secondary schools, 79% of further education colleges and 92% of higher education institutions. The report also found high levels of written guidance on who to notify, assigned roles and responsibilities, internal incident recording and formal debriefs to capture lessons learned.

That suggests many education institutions understand that cybersecurity incidents need structure. But incident response still begins with a person noticing something and deciding what to do next.

A staff member sees a suspicious message. A student account behaves unusually. A shared drive appears to have changed. A login prompt seems unexpected. A system slows down. A file has been opened. A parent or supplier request no longer feels quite right. The question is whether the person reports it early, waits, tries to fix it themselves, or assumes it is not serious enough.

Why might someone delay? Because they are busy. Because they do not want to create work for IT. Because they are unsure whether it counts as an incident. Because they worry they have made a mistake. Because they do not want to interrupt a lesson, support process, exam window, safeguarding workflow or administrative deadline.

That is where plans meet culture. A formal incident response plan is useful, but only if people feel confident enough to activate it. Early reporting depends on trust, clarity and repeated reinforcement. Staff need to know what is worth reporting, who to tell, and what will happen next.

For education, this is particularly important because operational continuity is so central. A delayed report can affect more than a system. It can affect staff time, access to learning, communication with families, student services, data handling and wider institutional trust.

The report’s incident response findings therefore should not be read as “education has this covered”. They should be read as “education has useful structures, but those structures still depend on timely human decisions.”

Supply chain risk remains one of the weaker areas

Education depends heavily on third parties. That is not a criticism; it is simply how the sector now works. Schools, colleges and universities rely on management information systems, learning platforms, safeguarding tools, cloud services, finance systems, HR systems, payroll providers, assessment platforms, IT support partners, edtech suppliers and external infrastructure.

That makes supply chain cybersecurity a practical issue. A supplier relationship can be legitimate and still create risk. A provider may hold data, manage access, send links, introduce new portals, request configuration changes or support critical systems. Once the supplier is trusted, their communication can feel normal enough to act on without much scrutiny.

The report shows improvement in immediate supplier review across several education settings. Higher education institutions were most active, with 80% reviewing immediate supplier or partner cyber risks, up from 69% in 2024/2025. Primary schools increased from 26% to 42%, and secondary schools from 38% to 47%, while further education remained at 48%. Wider supply chain review was lower, at 37% for higher education, 27% for primary schools, 21% for secondary schools and 18% for further education colleges.

That improvement matters, especially in schools. But the 10 Steps mapping still identifies supply chain security as the relative weak point across much of the education sector. Fewer than half of primary schools, secondary schools and further education institutions covered the supply chain security area, at 44%, 48% and 48% respectively, while higher education was stronger at 80%.

The behaviour behind this is easy to understand. Education teams do not always have time to investigate every supplier deeply. They may rely on reputation, procurement frameworks, established relationships, local authority guidance, trust-level decisions or the fact that “everyone uses this platform”. The report’s qualitative findings show that supplier checks can be hard to sustain after onboarding, even where processes exist.

This is where supplier trust becomes a decision issue. A school or college may have a known supplier, but the staff member still has to decide whether a request from that supplier is normal. A university may have onboarding checks, but teams still need to maintain awareness when suppliers change systems, suffer incidents or introduce new access routes.

Supply chain cybersecurity should therefore not be treated only as procurement paperwork. It also lives in everyday behaviour: verifying requests, questioning changes, checking access, understanding data flows and recognising when supplier familiarity has replaced proper confirmation.

AI is now a live education cyber issue

AI is one of the most important education findings in the report because it shows how quickly cyber decision-making is moving into new areas of work.

AI adoption in education is already far higher than among businesses overall. The survey found that AI tools had already been adopted by 53% of primary schools, 53% of secondary schools, 82% of further education colleges and 63% of higher education institutions. This compared with 21% of private sector businesses overall.

That does not mean AI is automatically a cyber problem. The more useful point is that AI changes the decisions staff and students are making. A teacher may use AI to support lesson planning. A secondary school may use it to review coursework or support students with additional needs. A university may use it for automation, support, research, cyber defence or student services. The report’s qualitative findings describe education institutions taking small and sometimes informal steps, with AI use appearing across teaching, support, automation and administration.

The decision point is practical. What information can be entered into an AI tool? What learner, staff, parent, research or institutional data must stay out? Which tools are approved? Who checks accuracy? How do staff avoid over-trusting outputs? How do students use AI appropriately? What happens when AI makes phishing, impersonation or social engineering more convincing?

The report also found that among institutions using or considering AI, 66% of further education colleges, 59% of secondary schools, 56% of primary schools and 49% of higher education institutions had specific cybersecurity practices or processes in place to manage AI risks. That is better than the business average, but it still leaves many institutions either developing, planning or lacking formal processes.

The qualitative findings are especially useful here. The report describes AI as fast-developing, with most institutions taking some steps to create guidance or procedures, but formal policies were still rare. It also highlights concern about staff inputting personal information without thinking, AI making phishing more convincing, and staff becoming too reliant on AI outputs.

This should be handled carefully. The message should not be “AI is dangerous, keep it out of education.” That would be unrealistic and unhelpful. The better message is that AI is already becoming part of education work, so cyber judgement now has to include AI judgement.

AI use in education will not be controlled by policy alone. It will be shaped by the decisions people make when they are busy, curious, under pressure or trying to make their workload manageable. That is why the education sector needs practical guidance and scenario-led training around what to enter, what to trust, what to check and when to escalate.

Resource pressure explains why good intentions do not always become practice

The education annex is strongest when it avoids blame, and any useful interpretation should do the same. Education institutions are not ignoring cybersecurity. Many are highly engaged, more active than businesses in several areas, and often operating with strong policies, controls and incident response structures. But they are also trying to do more with limited time, limited budgets and competing responsibilities.

The qualitative interviews in the report describe education institutions wanting to do more while being constrained by budget and staffing. Examples include old machines that would be better replaced but are kept going, email security that could be improved if budget allowed, security tools becoming more expensive, and IT teams being reduced while still expected to manage proactive work such as patching.

This matters because it explains why awareness and intention do not always become practice. A school may know that patching matters, but not have the time, budget or staff capacity to manage it smoothly. A college may know supply chain risk needs attention, but be juggling audits, funding, learner support and system availability. A university may understand AI risk, but adoption may spread faster than central oversight can follow.

In education, cybersecurity competes with urgent, visible work. Lessons need to happen. Learners need support. Safeguarding processes need attention. Exams, funding, admissions, timetabling, HR, finance, parent communication and student services all have their own pressures. Cybersecurity has to fit into that reality.

This is why generic awareness content often falls short. Telling people to “be careful online” is not enough when they are trying to manage a real workload. Practical cybersecurity support for education has to reflect how decisions are actually made: under time pressure, with limited capacity, inside systems that need to remain open enough for teaching and learning.

That does not mean lowering expectations. It means making those expectations usable.

What the survey really shows about cybersecurity in education

The 2025/2026 Cyber Security Breaches Survey does not show an education sector that is unaware of cybersecurity. It shows an education sector that is highly engaged, increasingly structured and still heavily exposed because its working environment is complex, open, pressured and built around trust.

That distinction matters.

The report shows high senior priority, widespread policies, strong technical controls in several areas, high levels of risk-identification activity, strong incident response structures and high levels of staff training or awareness activity compared with businesses. At the same time, it shows high breach prevalence, overwhelming phishing exposure, wider incident complexity in further and higher education, uneven patching, weaker supply chain coverage, fast-moving AI adoption and real resource constraints.

That is not a contradiction. It is the reality of modern education.

Cybersecurity in education is not just a technical maturity issue. It is a decision-making issue. A staff member opens a resource. A school office responds to a parent. A college team handles learner data. A university department manages access. A teacher uses AI to reduce workload. A governor receives a report. A supplier sends a request. A student account behaves unusually. Someone has to decide whether to continue, verify, report, escalate or pause.

Those decisions are not made in ideal conditions. They are made during teaching days, deadlines, safeguarding concerns, funding cycles, service pressures, staff shortages and operational disruption. That is why the decision often makes sense at the time, even when it later looks risky.

For education leaders, the practical lesson is not to create fear or blame. It is to look carefully at where cyber-relevant decisions are already happening. Where do staff handle access, data, communication, AI, supplier requests and unusual activity? Where does speed take priority over verification? Where does trust reduce scrutiny? Where might someone delay reporting because they are unsure whether something is serious enough?

That is where cybersecurity becomes real.

For Cyber Rebels, this is also where behaviour-led cybersecurity training fits naturally. Not as another burden for education teams, and not as generic awareness content that tells people what they already know. The value is in helping staff, leaders, governors and support teams recognise the moments where risk appears inside normal education work, understand why certain decisions feel reasonable, and practise clearer ways to respond before those decisions become incidents.

Education does not need more fear about cyber. It needs practical support for the decisions people are already making while protecting teaching, learning, safeguarding, continuity and trust.

Director of Training and Development, Cyber Rebels. Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure. With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices. He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments. Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.