The 73% Problem: When The Numbers Make Your Argument For You
The Cyber Security Breaches Survey 2025/2026 has landed, and the education annex is a gift to anyone trying to force a serious cyber conversation. Secondary breach rates jumped from 60% to 73% in a year. Independent schools are absent from the data entirely – which is its own quiet warning.
The 60-second Briefing
- Secondary school breach rates rose from 60% to 73% in a single year. 88% of further education colleges and 98% of higher education institutions reported breaches in the last 12 months.
- Phishing dominates: 96% of secondary schools that experienced a breach were hit by phishing.
- Supply chain security is the weakest area in the 10 Steps framework – fewer than half of primary, secondary or further education establishments cover it.
- Only 14% of primary schools and 23% of secondary schools have implemented all 10 Steps to Cyber Security.
- The survey explicitly excludes private education businesses from the education annex. The independent sector has no equivalent data on itself.
The Cyber Security Breaches Survey 2025/2026 landed on April 30, commissioned by DSIT and the Home Office. If you have been trying to force a serious conversation about cyber risk in your school, the timing is fortunate. Whatever else you had planned for the next SLT meeting, I would suggest moving it to make room.
The headline finding is the kind of single number that does the work of an entire memo. The proportion of secondary schools that identified a breach or attack in the last 12 months has jumped from 60% in 2024/2025 to 73% this year. Further education colleges sit at 88%. Higher education institutions are at 98%, which is to say almost universal. Around three in ten universities and a quarter of further education institutions report being attacked at least weekly.
For comparison, the figure for businesses overall is 43% and has been broadly stable. The education sector, in other words, is taking heavier and more frequent fire than the average UK business, and the gap is widening rather than narrowing. As A New Front Line: AI & 'The Com' noted earlier this year, schools have always been soft targets. The data now has a number on it.
Phishing dominates. Among educational institutions that identified a breach, 96% of secondary schools, 90% of primary schools and 96% of further and higher education combined cited phishing. The qualitative interviews in the annex include a detail worth pausing on: many institutions have stopped recording the volume of phishing attempts because they are simply too constant. One higher education institution put it bluntly: "It doesn't matter if 3,000 emails come in, as long as we have the processes in place to block them."
That is the right operational mindset, but it carries a hidden risk. If you stop counting the volume, you also stop being able to demonstrate the trend to your board. The annex itself flags that AI is making phishing emails more convincing and harder to detect. The DfE has handed us – through the updated digital and technology standards discussed in The End of the Black Box – the leverage to make this a board-level concern. Use the leverage. Print this survey, take it to the next meeting, and show the trajectory.
The detail that should worry every IT lead, though, is buried further down. The 10 Steps to Cyber Security framework is the government's standard for what good looks like. Across the entire sector, supply chain security is the weakest area. Fewer than half of primary schools (44%), secondary schools (48%) or further education colleges (48%) cover it. Only 14% of primary schools, 23% of secondary schools, and 33% of further education colleges have implemented all ten of the 10 Steps. Higher education does better at 45%, but even that is below the figure for large UK businesses. Most of the sector is doing five steps well and the other five not at all.
Supply chain risk matters because almost every school of any size now runs on a stack of third-party services. Your MIS, your safeguarding platform, your CPD provider, your payroll system, your cloud backup, your finance package – each one is a potential entry point. The annex includes a quote from one university IT lead admitting they were "75% confident" in supplier cyber practices, with "no check, we just ask them. There's no auditing done." That is, frankly, where most schools sit. We trust our suppliers because we have to, not because we have evidence we should.
There is a related warning the annex makes a single sentence of, but which deserves much more space. One university reported removing approximately 150,000 dormant alumni accounts after they were exploited in attacks. For independent schools running active development offices – particularly those of us who, after the DUAA's soft opt-in change, are now actively engaging warm alumni audiences for fundraising – that is a sobering image. The same alumni databases that the Data Use and Access Act has just made more useful for fundraising are also a live attack surface, and the longer they sit unmanaged, the bigger the surface gets.
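The dormant-account problem above is one an IT lead can measure rather than guess at. The following is an added example, not code from the article, the survey or any institution it quotes: it takes a constructed directory export (the column names `username`, `created`, `last_login`, `enabled` and the 180-day inactivity threshold are assumptions, not a standard) and buckets enabled accounts into active, dormant and never-used, which is the list a development office and IT would work through before deciding what to disable.

```python
"""Dormant-account audit over a constructed directory export.

Example code added to this article, not from the survey or any named
institution. It assumes a CSV export with the columns `username`,
`created`, `last_login` and `enabled`, where an empty `last_login`
means the account has never signed in. The column names, the sample
rows and the 180-day threshold are assumptions for illustration.
"""
import csv
import io
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample export: one alumni account still in use, one stale,
# one never used, one already disabled, plus an active staff account.
SAMPLE_EXPORT = """username,created,last_login,enabled
alum.2009.jsmith,2009-09-01,2025-11-30,true
alum.2011.ajones,2011-09-01,2019-02-14,true
alum.2014.bkhan,2014-09-01,,true
alum.2016.cwright,2016-09-01,2021-06-01,false
staff.dlee,2020-01-10,2026-04-28,true
"""


def parse_date(value: str) -> Optional[date]:
    """Parse an ISO date; an empty field means 'no such event'."""
    value = value.strip()
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def classify_accounts(export_csv: str, today: date,
                      inactive_days: int = 180) -> Dict[str, List[str]]:
    """Bucket enabled accounts by how long they have been unused.

    Returns {"active": [...], "dormant": [...], "never_used": [...]}.
    Disabled accounts are skipped: they are not a live sign-in surface,
    although they still belong on a deletion list. An account that has
    never signed in but was created inside the window is treated as
    active (a new account awaiting first use), not as never-used.
    """
    cutoff = today - timedelta(days=inactive_days)
    buckets: Dict[str, List[str]] = {"active": [], "dormant": [], "never_used": []}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["enabled"].strip().lower() != "true":
            continue
        last_login = parse_date(row["last_login"])
        created = parse_date(row["created"])
        if last_login is None:
            if created is not None and created < cutoff:
                buckets["never_used"].append(row["username"])
            else:
                buckets["active"].append(row["username"])
        elif last_login < cutoff:
            buckets["dormant"].append(row["username"])
        else:
            buckets["active"].append(row["username"])
    return buckets


def run_audit(export_csv: str, today_iso: str,
              inactive_days: int = 180) -> Dict[str, List[str]]:
    """Convenience wrapper taking the audit date as an ISO string."""
    return classify_accounts(export_csv, parse_date(today_iso), inactive_days)


if __name__ == "__main__":
    result = run_audit(SAMPLE_EXPORT, "2026-04-30")
    for bucket, names in result.items():
        print(f"{bucket:>10}: {len(names):>3}  {', '.join(names)}")
```

The two non-active buckets are what matter for the attack surface the article describes: "dormant" accounts have valid credentials that nobody is watching, and "never_used" accounts have typically kept whatever initial password they were issued with. Running this against a real export is the step before the staged disable-then-delete process, and the counts it produces are the trend line to show the board.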
Now to the part of this that will not make headlines but should. Read the methodology section of the education annex carefully and you will find this line: "Privately run educational institutions are included in the business sample." That is not an oversight. It is policy. The CSBS surveys 273 primary schools, 222 secondary schools, 33 further education colleges and 49 higher education institutions across the state sector. It does not survey independent schools as a distinct category. There is no equivalent data on us.
That has two consequences worth noting. The first is that we cannot benchmark. When a state secondary head asks how their cyber posture compares to peers, they have a national figure to point at. When an independent school bursar asks the same question, the honest answer is "we don't really know." The second consequence is more practical. State schools enrolled in the DfE's Risk Protection Arrangement get cyber cover as standard, alongside a 24/7 incident response service. The DfE says about 9,900 institutions, roughly 52% of eligible schools, are on the scheme. Independent schools are entirely outside it. We negotiate our own commercial cyber cover, and insurers – as I noted in A New Front Line – are increasingly demanding audit-level proof of privileged access governance before they will quote.
So the independent sector has the same risk profile as the state secondary schools the survey measures, plus we have no public data on our own posture, plus we have no government-backed insurance backstop. If you are an IT Director or a bursar reading this, that is a gap in your risk register that needs to be closed by Friday, not next term.
A few specific recommendations land naturally from the annex. First, the survey shows just 45% of primary schools and 62% of secondary schools have a 14-day patch management policy in place. Patching is genuinely boring and genuinely high-impact. If you do nothing else this term, get this written down, agreed by SLT, and audited quarterly. Second, supply chain security needs a formal review programme. Start with your top ten suppliers by data sensitivity. Ask each of them for evidence of Cyber Essentials certification or equivalent. If they cannot produce it, escalate or replace. Third, if you have not already done so, the Cyber Governance Code of Practice gives boards a clean framework for taking responsibility – and the NCSC's accompanying training materials are free.
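"Audited quarterly" only works if the audit is mechanical. The block below is an added example, not code from the article or from the DfE standards, showing how a 14-day patch policy can be checked against an inventory: each record is an (host, update, released, installed) entry, and the function classifies it as compliant, late, overdue or still pending, then computes the compliance rate over records whose deadline has passed. The inventory format, the update identifiers and the sample dates are all constructed for illustration.

```python
"""14-day patch SLA compliance check over constructed inventory data.

Added example for this article, not from the survey or any official
guidance. It assumes a flat inventory of per-host update records with
ISO dates; the field names, the placeholder update ids and the sample
rows are constructed for illustration.
"""
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

SLA_DAYS = 14  # the 14-day window the survey asks schools about

# Constructed inventory: an installed-in-time update, a late one, one on
# the boundary, one never installed and overdue, one still inside the window.
SAMPLE_INVENTORY = [
    {"host": "fs01",  "update": "update-A", "released": "2026-03-10", "installed": "2026-03-14"},
    {"host": "fs01",  "update": "update-B", "released": "2026-04-01", "installed": "2026-04-20"},
    {"host": "web01", "update": "update-A", "released": "2026-03-10", "installed": "2026-03-24"},
    {"host": "web01", "update": "update-C", "released": "2026-04-02", "installed": ""},
    {"host": "db01",  "update": "update-D", "released": "2026-04-25", "installed": ""},
]


def _parse(value: str) -> Optional[date]:
    value = value.strip()
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def evaluate_record(record: Dict[str, str], today: date,
                    sla_days: int = SLA_DAYS) -> str:
    """Return one of 'compliant', 'late', 'overdue', 'pending'.

    compliant: installed within sla_days of release
    late:      installed, but after the deadline
    overdue:   not installed and the deadline has passed
    pending:   not installed, deadline still in the future
    """
    released = _parse(record["released"])
    installed = _parse(record["installed"])
    deadline = released + timedelta(days=sla_days)
    if installed is not None:
        return "compliant" if installed <= deadline else "late"
    return "overdue" if today > deadline else "pending"


def compliance_report(inventory: List[Dict[str, str]], today_iso: str,
                      sla_days: int = SLA_DAYS) -> Dict[str, object]:
    """Summarise status counts and the compliance rate for an audit date.

    The rate is compliant / (records whose deadline has passed), so
    updates still inside their window neither help nor hurt the figure.
    """
    today = _parse(today_iso)
    counts = {"compliant": 0, "late": 0, "overdue": 0, "pending": 0}
    findings = []
    for rec in inventory:
        status = evaluate_record(rec, today, sla_days)
        counts[status] += 1
        if status != "compliant":
            findings.append((rec["host"], rec["update"], status))
    measured = counts["compliant"] + counts["late"] + counts["overdue"]
    rate = round(100.0 * counts["compliant"] / measured, 1) if measured else 100.0
    return {"counts": counts, "rate": rate, "findings": findings}


if __name__ == "__main__":
    report = compliance_report(SAMPLE_INVENTORY, "2026-04-30")
    print(f"compliance rate: {report['rate']}%  counts: {report['counts']}")
    for host, update, status in report["findings"]:
        print(f"  {host:<6} {update:<9} {status}")
```

The "findings" list is the action list for the term; the rate is the single number to put in front of SLT each quarter, which is exactly the form of evidence the survey's own headline figures take.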
One last note on tone. It is tempting, after a survey like this, for IT staff to take a lap of honour. The numbers vindicate everything we have been saying. But a victory lap is the wrong move here. The point is not that we were right; it is that the threat landscape has measurably worsened in twelve months and the data is now public. Use it constructively. Use it to fund the things that actually matter – staff training, supply chain audits, FIDO2 keys for the inner circle, table-top exercises with SLT. Do not use it to score points.
The survey has done the rhetorical work for you. Spend the political capital on the substance.
See you in the digital staffroom.