What the Cyber Security Breaches Survey 2025 means for your business
What do 43% of UK businesses, 60% of secondary schools, and 85% of further education colleges have in common?
They’ve all faced cyber attacks in the last 12 months.
The Cyber Security Breaches Survey 2025, just released by the Department for Science, Innovation and Technology, confirms what we see every day at Cloud & More: the cyber threat hasn’t gone anywhere. It’s just evolving.
So, let’s break down the findings. Behind the percentages is a story of improvement in some areas, serious risks in others, and a few persistent cyber villains refusing to retire (yes, phishing, we’re looking at you).
Are things improving?
Let’s start with the good news.
Reported cyber breaches among UK businesses have dropped. In 2025, 43% of businesses reported an attack or breach, down from 50% in 2024. That’s encouraging—but not a reason to switch off.
Charities reported fewer incidents too, with 30% affected.
However, the education sector is still very much in the firing line:
44% of primary schools
60% of secondary schools
85% of further education colleges
91% of higher education institutions
Worse still, 30% of further and higher education institutions are breached weekly, and 40% reported serious consequences, including compromised systems and accounts used for criminal activity.
Phishing: the cyber criminal’s favourite tool
Phishing continues to dominate the threat landscape, responsible for the majority of breaches across all sectors:
97% of further and higher education institutions
89% of primary and secondary schools
86% of charities
85% of businesses
If it feels like phishing is everywhere, it’s because it is. It’s low-cost, low-effort, and it works.
Other attack methods are still making their mark too:
Impersonation attacks: 34% of businesses, 68% of further and higher education institutions
Malware (excluding ransomware): 18% of businesses, 42% of further and higher education institutions
Denial of Service (DoS) attacks: 5% of businesses, 36% of further and higher education institutions
Cyber criminals aren’t reinventing the wheel. They’re just waiting for someone to forget an update or click the wrong link.
What are organisations doing about it?
There’s plenty of progress, especially in the education sector. The 2025 stats show:
Over 80% of educational institutions now have a formal cyber security policy
Incident response plans are more common in schools and universities than in businesses
Penetration testing is on the rise, with primary schools jumping from 15% in 2024 to 23% in 2025
Staff training and risk assessments are becoming standard practice in higher education
Technical controls are also improving, with more organisations using Cyber Essentials as a benchmark:
100% of further education colleges have up-to-date malware protection
91% of higher education institutions patch systems within 14 days
But only 48% of primary schools meet that same patching standard
Progress is happening, but it’s patchy—literally and figuratively.
What this means for your business
If you’re thinking, “We’ve not had any issues, so we must be fine,” let’s pause there.
The absence of a breach doesn’t mean you’re secure. It might just mean you’ve been lucky.
And cyber security isn’t about luck. It’s about being ready.
Here’s what we recommend based on this year’s data:
Run a phishing simulation. If phishing is the most common attack vector, your people need to know how to spot it.
Check your patching strategy. Make sure your systems are updated quickly—especially if your team works remotely.
Stop relying on antivirus alone. It’s like locking your front door but leaving the windows open.
Build an incident response plan. Even if you never need it, having one in place could save your business.
Involve your whole team. Cyber awareness isn’t just for IT. It’s a business-wide responsibility.
Why cyber security needs to be more than a policy
Cyber criminals don’t target specific sectors because they enjoy disrupting schools or charities. They go where the gaps are.
And those gaps? They’re often human. Untrained staff, missed updates, poor password habits, and outdated tech create opportunities.
At Cloud & More, we work with businesses across the Home Counties, London, and Bristol to close those gaps. From 24/7 monitoring to one-on-one cyber awareness training, we don’t just tick boxes. We tailor what we do to your business.
Because you don’t just need IT support. You need to know someone’s got your back.
“Cyber security isn’t just an IT issue anymore. It’s a business essential.
The businesses we work with want peace of mind, not panic every time there’s a new threat.
That’s what we focus on: keeping things simple, safe, and sorted.”
— Adam Whatford, Cloud & More
Need help making sense of your cyber risks?
We’re not here to scare you. We’re here to support you.
Whether you’ve never had a breach or you’re still recovering from the last one, we’ll help you build a cyber strategy that actually works for your business.