Cyber security in education

Cyber security has moved rapidly up the risk agenda for Further Education (FE) colleges and multi‑academy trusts.

What was once seen as a technical IT issue is now a major operational and safeguarding concern, driven by a threat landscape that is increasingly complex, fast‑moving and difficult to predict.

The ‘Cyber Security Breaches Survey 2025 – Education Institutions Findings’ report, published by the Department for Science, Innovation and Technology and the Home Office, provides an overview of how often education providers are targeted, the types of attacks they face, and how well placed they are to respond when things go wrong.

The prevalence of cyber attacks

The data makes it clear that cyber incidents are now a routine part of the education landscape, not isolated or exceptional events. In the 12 months covered by the survey:

• 44% of primary schools identified a cyber security breach or attack
• 60% of secondary schools identified a breach or attack
• 85% of FE colleges reported at least one breach

For comparison, only 43% of other UK businesses reported a cyber breach over the same period, indicating that secondary schools and post‑16 providers are particularly exposed, although primary schools are far from immune.

It is also worth noting that these figures only reflect incidents that institutions detected. Cyber-attacks that went unnoticed are not captured, meaning the true level of exposure is likely to be higher.

The frequency and severity of attacks

As institutions become more digitally complex, both the frequency and the impact of cyber-attacks increase.

Among the education providers that experienced breaches:

• 30% of FE and higher education (HE) institutions reported cyber-attacks occurring at least weekly.
• 40% of FE and HE institutions who reported an attack experienced a negative outcome, such as system disruption, data compromise or misuse of accounts.
• 22% of FE and HE institutios reported that compromised accounts or systems were used for illicit purposes, such as sending phishing emails or hosting malicious content.

While primary and secondary schools experienced fewer weekly incidents than FE colleges, the risks remain significant. Secondary schools, in particular, were more likely than primary schools to face repeated phishing attempts, and unauthorised access to systems or files by pupils.

What is the most common type of cyber attack on schools and colleges?

The report highlights that phishing is by far the most prevalent attack across all educational settings, but other threats increase in frequency in secondary and FE and HE settings.

The following heatmap provides a visual representation of the types of breaches or attacks experienced by institutions that identified a breach or attack.

Governance and leadership oversight

There is some positive news in the survey findings.

Governance engagement with cyber security across education is strong, and in many cases more advanced than in other sectors.

Across education institutions, 98% of primary schools, 95% of secondary schools and 98% of FE colleges said cyber security is a high priority for governors or senior leaders, and around eight in ten institutions have a named governor or senior leader with a specific responsibility for cyber security.

However, the report also highlights a recurring challenge at board level. While cyber security is taken seriously, understanding of cyber risk can be uneven across the board with members often depending on specialists to translate technical information.  As a result, boards may receive assurance without fully understanding what the risk means in practice for learners, staff and the organisation.

Preparedness

Most institutions have taken positive steps to strengthen their cyber resilience.  However, awareness of national guidance, such as the Cyber Security Core Standard, the National Cyber Security Centre’s (NCSC’s)  10 Steps to Cyber Security and the Cyber Assessment Framework remains inconsistent, particularly in smaller primary schools. This can lead to uneven practice and variable risk exposure across the trust.

The table below summarises the proportion of educational institutions taking action across each of the NCSC’s 10 Steps to Cyber Security, according to the Survey:

Cyber Essentials and the DfE’s cyber security standard

Cyber Essentials is a UK Government–backed cyber security certification scheme designed to help organisations defend against the most common cyber‑attacks. It focuses on five core technical controls for providers to self-assess themselves against:

• Firewalls
• Secure configuration
• User access controls
• Malware protection
• Patch management

Cyber Essentials Plus covers the same control set but requires an independent, hands‑on technical assessment to verify that controls are working in practice.

If you’re an FE college, Cyber Essentials is not optional.

The 2025/26 Accountability Agreement for Colleges requires FE colleges to achieve Cyber Essentials certification during the 2025/26 year. This obligation was also in place for 2024/25, and forms part of the wider compliance framework attached to government funding.  This means FE colleges must ensure that certification is maintained and renewed annually and that their cyber controls remain compliant with the scheme’s evolving standards.

Unlike FE colleges, Multi-Academy Trusts currently do not have a mandatory requirement to hold Cyber Essentials or Cyber Essentials Plus.  However, The Academy Financial Handbook states that Trusts should have an understanding of the extent to which they are meeting DfE’s Cyber Security Core Standard by 2030.

The Cyber Security Core Standard forms part of the DfE’s ‘Meeting digital and technology standards in schools and colleges’ guidance, which applies to schools and colleges in the UK. The Standard requires institutions to strengthen cyber resilience by implementing seven key measures:

• Conducting an annual cyber risk assessment
• Delivering a cyber awareness plan for staff and students
• Securing systems with anti‑malware and firewalls
• Controlling and securing user accounts and access privileges
• Ensuring all digital technology is properly licensed and kept up to date
• Developing an annually reviewed data backup plan
• Reporting cyber attacks

We’re here to help

Cyber security is now a core operational risk for education providers, and the DfE’s standards make it clear what schools, colleges and trusts need to have in place. Regular risk assessments, strong technical controls, secure access management and clear incident‑response processes are no longer optional; they’re essential to keeping systems, data and learners safe.

At Scrutton Bland, we can support you with this. Our qualified IT auditors can work with you to provide practical, independent assurance to help you understand how well your controls are working and where improvements may be needed.

So, whether you’re preparing for Cyber Essentials, reviewing compliance with the DfE standards, or simply wanting a clearer picture of your cyber risk, we can help. Even where organisations already hold Cyber Essentials Plus, we often identify important controls and development opportunities that strengthen cyber resilience further.

To find out more get in contact with Leisyen or one of the team by calling 0330 058 6559 or email hello@scruttonbland.co.uk