On 10 April 2025 the government published its annual Cyber Security Breaches Survey, which aims to explore the policies, processes and approach to cyber security of businesses, charities and educational institutions.
Consistent with the findings of previous surveys, the 2025 survey of 32 higher education institutions found that they were more likely to be affected by cyber breaches and attacks on a frequent (weekly) basis (30%) compared to primary schools (9%) and secondary schools (16%).
91% of higher education institutions attacked
Overall, 91% of higher education institutions surveyed had experienced a cyber attack during the previous 12 months and 40% of those affected experienced a negative outcome as a result.
The following types of breaches or attacks in the last 12 months were found to be most common for higher education institutions (in descending order):
- Phishing attacks.
- Impersonation.
- Viruses, spyware or malware.
- Denial of service attacks.
- Ransomware.
- Takeover of organisation’s user accounts.
- Unauthorised access by students.
As in previous years, many educational institutions expressed low awareness of government guidance like the National Cyber Security Centre’s (NCSC) 10 Steps to Cyber Security and Board Toolkit, certification schemes like Cyber Essentials, and communications campaigns like Cyber Aware.
Further, although higher education institutions scored well on matters such as IT architecture and configuration, awareness and training, and the logging and monitoring of incidents, the survey showed there was still work to be done around supply chain security and the management of risks, incidents and assets.
Supply chain vulnerabilities
These are matters that can have a significant impact on an institution if neglected. There has been a significant increase in cyber-attacks as a result of vulnerabilities within supply chains in recent years, which can lead to expensive and long-term consequences for institutions.
Available support
We recommend that higher education institutions make use of the helpful guidance published by the NCSC and ICO to help alleviate these risks.
Our data protection team are experts at advising higher education institutions of the steps they can take to boost their cyber security and protect the personal information they hold amid the growing threat of cyber-attacks.
Please don’t hesitate to contact us if you have any questions around data security, supply chain security and risk management.