It is important to remember that the survey can only measure the breaches or attacks that organisations have identified. There are likely to be hidden attacks and others that go unidentified.
with the types of attacks:
Type of breach or attack | Businesses | Primary schools | Secondary schools | Further education colleges | Higher education institutions |
---|---|---|---|---|---|
Phishing attacks | 84% | 92% | 89% | 97% | 100% |
Others impersonating organisation in emails or online | 35% | 29% | 58% | 78% | 90% |
Viruses, spyware or malware (excluding ransomware) | 17% | 14% | 21% | 32% | 77% |
Hacking or attempted hacking of online bank accounts | 7% | 1% | 5% | 8% | 10% |
Denial of service attacks | 5% | 3% | 14% | 41% | 40% |
Takeover of organisation’s user accounts | 8% | 4% | 5% | 11% | 20% |
Unauthorised accessing of files or networks by staff | 1% | 4% | 11% | 19% | 27% |
Ransomware | 6% | 3% | 2% | 8% | 10% |
Unauthorised accessing of files or networks by outsiders | 1% | 1% | 3% | 0% | 20% |
Unauthorised listening into video conferences or instant messages | 1% | 0% | 0% | 3% | 3% |
Any other breaches or attacks | 3% | 2% | 3% | 16% | 47% |
As in previous surveys, there were still many educational institutions that had not heard of the various government guidance, initiatives and communications campaigns on cyber security.
Cyber security training or awareness-raising activities were less common in schools (albeit still carried out by a majority) than in further education colleges and higher education institutions, although the proportion had increased since 2023 for both primary and secondary schools.
Under half of primary schools (44%) and even fewer secondary schools (36%) reported having cyber security cover as part of a broader insurance policy. It is worth noting that almost half of the individuals in cyber roles who were interviewed in primary and secondary schools did not know whether their school had this kind of insurance.
The following table shows the percentage of organisations that take each action, or have each measure in place, for when they experience a cyber security incident:
Action taken | Businesses | Primary schools | Secondary schools | Further education colleges | Higher education institutions |
---|---|---|---|---|---|
Inform directors/trustees/governors | 77% | 79% | 75% | 79% | 84% |
Keep an internal record of incidents | 54% | 78% | 78% | 86% | 84% |
Assessment of the scale and impact of the incident | 53% | 64% | 65% | 81% | 81% |
Formal debriefs to log any lessons learned | 50% | 67% | 68% | 72% | 74% |
Inform a regulator | 44% | 62% | 50% | 42% | 39% |
Attempt to identify the source of the incident | 45% | 50% | 63% | 67% | 90% |
Roles and responsibilities assigned to specific individuals | 37% | 77% | 86% | 88% | 94% |
Written guidance on who to notify | 32% | 76% | 80% | 91% | 90% |
Guidance on when to report incidents externally | 29% | 68% | 76% | 81% | 84% |
Formal incident response plan | 22% | 57% | 71% | 81% | 87% |
Communications and public engagement plans | 15% | 48% | 48% | 65% | 68% |
Inform the cyber insurance provider | 11% | 29% | 20% | 28% | 13% |
Used NCSC approved incident response company | 13% | 12% | 13% | 21% | 16% |
The full report is the Cyber Security Breaches Survey 2024 (Educational Institutions Annex).