“98%” — nearly universal — of UK higher education institutions reported suffering a cyber breach in the Cyber Security Breaches Survey 2025/2026, a striking jump from the previous year’s 91% and the clearest signal in a report that otherwise describes a broadly stable national picture.
Higher education: near-universal penetration, small sample
The Cyber Security Breaches Survey 2025/2026, released on April 30 by the Department for Science, Innovation and Technology (DSIT) and the Home Office, records that 98% of surveyed higher education institutions reported a cyber breach in the latest reporting period. That figure is drawn from 49 higher education institutions included in the education annex of the study. The increase — from 91% in the April 2025 edition to 98% this year — is the single most dramatic rise in the report’s education findings.
Primary, secondary and further education: sharp rises across the board
The annex shows notable increases at other levels of public education. Among 273 primary schools surveyed, the proportion identifying cyber breaches rose by 4% in the 2025/2026 findings compared with the prior reporting period (August–December 2024). For 222 secondary schools, 73% reported a breach this year, up from 60% in the 2025 report. Further education colleges — 33 in the sample — reported an 88% breach rate in the 2026 report, a 3% rise over the previous period. Private education businesses were treated separately and are not part of these figures.
Phishing dominates; incident types shift while overall breach rates remain steady
Outside education, the report finds national trends holding steady. Approximately 43% of businesses and 28% of charities identified a breach or attack in the last 12 months, figures similar to the prior edition (43% of businesses and 30% of charities). Phishing remains the most prevalent and disruptive threat: experienced by 38% of businesses and 25% of charities. The share of organizations reporting only phishing, and no other incident type, increased from 45% last year to 51% this year — a shift the report attributes in part to phishing being easier for attackers to run at scale.
More complex incidents appear to have declined: just 1% of businesses reported experiencing ransomware in the 2025/2026 reporting period. While the overall frequency of breaches is steady, the economic consequences for some firms are rising: the proportion of businesses reporting that breaches led to loss of revenue or share value increased from 2% in April 2025 to 5% in the 2025/2026 survey. The total proportion of organizations suffering any negative outcome reported as a result of a breach was 19% for businesses and 11% for charities, compared with 16% for both in the prior edition.
Small businesses: a rollback in cyber hygiene, experts warn
The survey flags a worrying reversal among small businesses. Muhammad Yahya Patel, CISO and cybersecurity advisor for EMEA at Huntress, highlighted that small businesses have returned to 2023/2024 levels on key controls: performing cyber security risk assessments (41% in 2025/2026, down from 48%); holding a formal cyber security policy (52%, down from 59%); and having business continuity plans addressing cyber security (44%, down from 53%). Patel said, “Dropping your incident response plan during an era of rising cybercrime is like removing your smoke detectors because you've had a good few months.”
Jon Fielding, managing director of EMEA for Apricorn, drew attention to training shortfalls: only about one-third of small businesses run staff training sessions compared with 84% of large organisations. Fielding argued that “the user still remains the weakest link in the chain, and those users are becoming ever more vulnerable because attacks are being crafted and honed by AI,” making employee reporting and awareness “vitally important.”
Framework uptake and national resilience: Chris Newton-Smith and Jonathan Ellison
Adherence to Cyber Essentials among surveyed UK businesses remains very low: only 5% reported following the scheme. Chris Newton-Smith, CEO of compliance software firm ISMS Online, called this “a missed opportunity for structured resilience,” arguing that frameworks “shouldn't be seen as compliance overhead” and that they provide “proven, repeatable security practices.”
The report also references a comment from Jonathan Ellison, the UK National Cyber Security Centre’s director for national resilience, who hinted that Cyber Essentials uptake in the last financial year was “up around 20%” compared to the period discussed at CYBERUK 2026. Newton-Smith warned that reliance on fragmented external consultants rather than frameworks risks inconsistent controls and weak internal capability, while frameworks such as Cyber Essentials “can help turn an organization's good intentions into operational discipline.”
What this means for policymakers, technologists, and schools
- Policymakers and resilience planners should weigh the education annex’s concentrated increases alongside the report’s broader stability: a national breach rate that is steady overall can mask sectoral surges, as the higher and school-sector figures demonstrate.
- Technologists and security teams in education and small business should prioritize basics highlighted in the survey — risk assessments, formal policies, continuity planning and staff training — areas where the report documents backsliding.
- School leaders and college administrators face an acute operational problem: the report’s near-universal breach rates in higher education and steep rises in primary and secondary settings suggest that cyber incidents are now common-enough events that they should be explicitly factored into continuity and safeguarding plans.
The Cyber Security Breaches Survey 2025/2026 is, on balance, a study of constancy with sharp local ruptures: steady national headline figures mask faster deterioration in cyber resilience among small businesses and a pronounced increase in breaches across public education. Those contrasts — between a stable aggregate picture and acute, sector-specific deterioration — are the report’s central message.




