The 2026 Cyber Security Breaches Survey Just Landed. Here's What UK Schools and Smaller Businesses Should Actually Do With It.

1 May 2026 · Boris Didov

DSIT published the Cyber Security Breaches Survey 2025/2026 on 30 April 2026. The headline of '43% of UK businesses breached' is broadly flat year on year, but the interesting findings are in the small movements - phishing increasingly AI-assisted, ransomware impact roughly doubled, and supply-chain reviews almost non-existent for smaller organisations. We unpack what the report actually says and the five things UK SMBs, charities and schools should change in the next ninety days.

Key takeaways

  • DSIT and the Home Office published the Cyber Security Breaches Survey 2025/2026 on 30 April 2026. Around 43% of UK businesses identified a cyber breach or attack in the previous twelve months - roughly 612,000 organisations, broadly flat on last year, with much higher rates in medium (67%) and large (69%) firms.
  • Phishing is in the overwhelming majority of cyber-crime incidents - around 93%+ across both businesses and charities. Campaigns are now visibly AI-assisted (better targeting, fewer obvious tells), yet fewer than one in five organisations gave staff any cyber training in the last year. Training is the cheapest defence and the most under-used.
  • Ransomware is less frequent than two years ago but more damaging - the financial impact per incident has roughly doubled year on year, driven by data-extortion tactics. For schools, NHS bodies and councils, the Government's signalled ban on public-sector ransomware payments means the recovery plan has to work without the option of paying.
  • Supply-chain risk is the quietly worrying gap. Only about 15% of UK businesses formally review their immediate suppliers' cyber posture and just 6% review the wider supply chain. For micro businesses the figure is around 11%, versus 45% in large firms. Reviewing your top ten suppliers is the single cheapest risk reduction available.
  • Education engagement is high but uneven: roughly 91% of higher-ed institutions reported a cyber attack in the past year and around 30% see incidents weekly. At least 96% of educational institutions report cyber security as a high priority for senior leaders - well above the 72% figure for businesses overall - so the gap to close is operational follow-through, not attention.

The Department for Science, Innovation and Technology released the Cyber Security Breaches Survey 2025/2026 yesterday — 30 April 2026 — and like every year it is the most useful single document for understanding what is actually happening to UK organisations on the cyber front. It is also the most easily ignored, because the headline numbers move slowly and the press cycle reaches for the most alarming chart. The interesting findings this year are not in the headline; they are in the small movements and the gaps between organisation sizes.

Below is the plain reading for the audiences we work with most: smaller businesses, charities, schools and multi-academy trusts. What changed, what stayed worryingly the same, and the short list of things worth doing in the next quarter as a direct response.

The headline, briefly

Forty-three percent of UK businesses identified a cyber breach or attack in the previous twelve months — broadly flat on last year and equivalent to roughly 612,000 organisations. The figures for charities sit a little lower; the figures for medium and large businesses sit much higher (around 67% of medium businesses and 69% of large). Phishing remains the dominant attack type by a wide margin, ransomware has become less frequent but more damaging, and the financial impact of incidents has roughly doubled year on year.

If the only thing you take from the survey is that headline, you would conclude not much has changed. That conclusion is wrong, and the rest of the document explains why.

Phishing is no longer just the most common attack

The report shows phishing involved in the overwhelming majority of cyber crimes affecting both businesses and charities — somewhere in the ninety-percent range across both groups. That has been the pattern for years, but two things make this year's number sharper than the last.

First, the survey explicitly notes that AI-assisted phishing is making campaigns more targeted and more convincing — fewer obvious spelling errors, better impersonation of internal senders, more accurate use of context lifted from public sources. The signals staff have been trained to spot for years are now harder to spot.

Second, fewer than one in five organisations reported giving staff any form of cyber security training in the last twelve months. That number has barely moved despite phishing dominating every threat list the government publishes. In other words: the attack is getting better and the only really effective defence — humans who know what to look for — is barely being maintained.

If you do nothing else this quarter, do this: book one hour of phishing training for every member of staff who has an inbox, including governors, trustees, finance and external contractors with email accounts in your tenant. The expensive simulators are useful, but a single live walkthrough of three real recent phishes — read out, dissected, with the giveaway tells highlighted — outperforms most of what is sold as 'training'.

The supply-chain numbers are quietly the most worrying part

A finding the headlines tend to skip: only about 15% of UK businesses formally review the cyber risks posed by their immediate suppliers, and only about 6% look at the wider supply chain. For charities those figures fall to roughly 9% and 4%. The gap by organisation size is even starker — around 11% of micro businesses, 21% of small, 32% of medium and 45% of large.

That gap is the story. Almost every modern incident response report includes at least one supplier or sub-processor as a contributing factor — a compromised IT support firm, a payroll provider with weak access controls, a SaaS vendor whose own breach exposed downstream tokens. The smaller the organisation, the less likely it is to even be looking at that risk surface.

Concretely, this means most schools and SMBs are flying blind on a category of risk that produces a meaningful share of real-world breaches. Reviewing your top ten suppliers is not a particularly sophisticated exercise — what data they hold, where it sits, what authentication protects it, and what the recovery plan looks like if they are the ones who go down — and it is the cheapest single risk reduction available.

Ransomware: less common, more painful

The frequency of ransomware incidents in the survey is down from where it sat two years ago. Read past the frequency, though, and the impact has gone the other way. The cost of incidents, where they happen, has approximately doubled year on year. That is consistent with what is visible in the broader threat landscape: fewer, more targeted compromises, with more leverage applied per victim — particularly through data-extortion variants where the attacker exfiltrates first and encrypts later.

For UK public sector organisations the picture is shifting faster still. The Government has already signalled a targeted ban on ransomware payments by public bodies, regulated critical national infrastructure operators, and — critically for our audience — schools, NHS bodies and councils. If you sit inside that scope, your incident response plan needs to assume that paying is not an option, with or without the budget. The recovery path has to work on its own.

Education: high attention, frequent attacks

The education sub-report is the one most ReadyToday school clients should read in full. Roughly 91% of higher education institutions reported some form of cyber attack in the past year, and around 30% experience incidents weekly. Primary and secondary schools sit lower than that — around 9% and 16% respectively for weekly attacks — but the negative-outcome rate is high enough across the board that the question is not whether you will be targeted but whether the next attempt will land.

A bright spot: senior leadership engagement in education is genuinely high. Almost every educational institution surveyed reported cyber security as a high or very high priority for governors or senior management — at least 96% in higher education, materially better than the equivalent number for businesses overall. The boards are paying attention. The gap is between attention and operational follow-through, and that is where the practical work sits this term.

Governance is moving — slowly

A small but real positive: board-level responsibility for cyber security in UK businesses has crept up from around 27% to 31% year on year, and sits at 68% in large businesses. That is not a number to celebrate, but it is moving in the right direction, and it correlates with the organisations that are also doing the basics — written incident response plans, formal supplier reviews, regular staff training. Governance that names a single accountable person at board level is one of the few interventions the survey associates consistently with better outcomes.

What to actually do in the next ninety days

A short, prioritised list — none of these are exotic, all of them respond directly to something the survey flagged:

  1. Run the phishing hour. One session, every staff member with an inbox, three real recent examples, with the AI-assisted tell-tales highlighted. Repeat in six months.
  2. List your top ten suppliers and rate them. What data do they hold? Who has admin in their tenant? What is the contractual obligation if they are breached? How long would your operations survive their downtime? Box-ticking is fine; the act of writing it down catches most of the gaps.
  3. Pressure-test the recovery plan, not just the backups. Backups exist almost everywhere now. Tested restores from clean backups, with documented runbooks and named owners, do not. Pick one critical system and time a real recovery drill this term.
  4. Confirm board-level accountability. Name a single person at board, governor or trustee level whose job it is to ask the cyber question every meeting. Add cyber to the standing agenda. The survey is consistent that this single change moves outcomes.
  5. If you hold or are pursuing Cyber Essentials, layer it onto our Danzell readiness piece. The new auto-fail rules — 14-day patching and MFA on every cloud service — directly answer two of the failure modes the breaches survey keeps flagging.

Why this report is worth more attention than it gets

The Cyber Security Breaches Survey is one of the few pieces of cyber data that is methodologically serious — random-probability sampling, around two thousand businesses and a thousand charities interviewed, the eleventh annual edition — and is freely available to read. It is not a vendor white paper. The findings deserve to drive the next quarter's IT and risk planning, particularly for organisations small enough that nobody else will do that planning for them.

If you want help turning any of the above into a concrete plan — phishing programme, supplier review, recovery drill, governance routine — get in touch through our Cybersecurity & Resilience service page, or book a discovery call and we will walk through where the survey's findings actually apply to your environment.

Written by Boris Didov
