Phishing most prevalent cyber attack, confirms UK survey

Author: ICAEW Insights

Published: 28 May 2026

In May, government research confirmed the prevalence of cyber attacks on UK businesses, as well as their level of preparedness. Meanwhile, various national bodies and regulators have jointly published advice and guidance on AI agents and cyber security.

Key takeaways:

  • Cyber risks for organisations remain relatively high, with phishing attacks the most common.
  • Educational institutions are particularly vulnerable to attacks.
  • Government cyber security organisations are issuing guidance around AI use to help organisations manage the risks.

The prevalence of cyber breaches or attacks remained fairly steady, at 43% for businesses and 28% for charities. Medium (65%) and large (69%) businesses are still more likely to have experienced a cyber breach or attack in the previous 12 months, compared to small (46%) and micro (42%) businesses.

Phishing remains the most prevalent attack, affecting 38% of businesses and 25% of charities. Interestingly, ransomware attacks on businesses declined to 1%, compared with 3% the previous year.

For charities, impersonation attacks decreased to 7% from 11% in 2024/2025, while account takeover was down to 1% from 3%.

The proportion of businesses and charities experiencing a negative outcome from a breach or attack is consistent, although more businesses are reporting loss of revenue, share value and reputational damage as impacts.

Roughly one-third of businesses and one-quarter of charities were using artificial intelligence (AI), in the process of adopting it or actively considering using it. Of these, around 25% reported having cyber security practices or processes to manage AI risks.

Looking at cyber security risk management more broadly, most businesses and charities had basic technical controls in place. However, only about 30% of businesses and charities conducted risk assessments. Just 25% of businesses and 19% of charities had formal incident response plans and very few were reviewing supply chain risks. Of those surveyed:

  • 15% of businesses and 9% of charities confirmed they were reviewing their immediate supply chain risks, and
  • 6% of businesses and 4% of charities were reviewing their wider supply chain risks. 

These governance gaps show the need to raise the cyber governance bar, particularly around the supply chain.

Education sector target of cyber attacks

Educational institutions are increasingly targeted in cyber attacks. The cyber breaches survey includes an annex focussed on educational institutions. It shows that the sector had a higher proportion of breaches or attacks. In the 12 months prior to the survey:

  • 98% of higher education institutions, 
  • 88% of further education colleges and 
  • 73% of secondary schools had experienced an incident. 

While this data is UK specific, it may reflect a bigger global trend.

Earlier this month, Instructure, parent company of Canvas, an open-source learning management system, was breached. Canvas is described as a system that “gathers all course content, daily lessons, assignments, tests/quizzes, feedback, and grading” and “handles student-educator communications and serves as a place for instructors and learners to meet virtually”.

The attack affected approximately 9,000 institutions across the US, Canada, Australia and the UK. To manage the attack, the system was taken offline, disrupting student exams and coursework. Stolen data was believed to include names, email addresses, student ID numbers and Canvas messages. There is concern that this data may be used to facilitate targeted phishing attacks.

The hacking group ShinyHunters, linked to the 2025 UK Jaguar Land Rover attack, claimed responsibility, threatening in ransom notes displayed on students’ and teachers’ screens to release the stolen data unless Canvas or the affected universities paid a ransom.

Later in the month, it was reported that Canvas’ parent company had paid a ransom to the attackers to delete and not publish students’ stolen data. This goes against advice from most law enforcement and national cyber security bodies, including the UK’s National Cyber Security Centre (NCSC), who say there is no guarantee that criminals have deleted the data.

Indeed, when the UK’s National Crime Agency cracked down on the LockBit ransomware group, stolen data was found to have been retained even after payments had been made. Instructure’s announcement of the payment on 11 May is also unusual; very few organisations publicly admit to paying a ransom.

The cyber breaches survey identifies personal data storage as a major vulnerability for educational institutions. It also notes that AI adoption in the education sector was significantly greater than in private sector businesses. This could indicate an area of additional vulnerability if cyber risks are not adequately managed. It may also be an opportunity for these institutions to use AI to boost defences.

AI and cyber security guidance

As covered in April’s cyber roundup, the use of AI to increase the scale and pace of identifying and exploiting known vulnerabilities, and unknown (zero-day) vulnerabilities, is an area of significant concern.

On 11 May, Google Threat Intelligence Group reported a threat actor using a zero-day exploit believed to have been developed with AI. Attacks such as this are likely to increase as relevant tools become more widely available. The report also mentions the use of AI to develop malware that can better avoid detection, and attacks that are more dynamic and autonomous.

The financial services industry is concerned about the impact of frontier AI on financial stability, market integrity and customer wellbeing. In a joint statement issued by the Bank of England, Financial Conduct Authority and HM Treasury, regulated firms are urged to “take action to plan for and mitigate cyber security risks posed by frontier AI”.

The statement highlights several areas, including:

  • governance and strategy,
  • managing vulnerabilities,
  • third-party risks,
  • protection, and
  • response and recovery. 

This message aligns with experts, who are emphasising the importance of faster, risk-based patching and getting the foundations and basics right. The NCSC is running a survey to inform further guidance on frontier AI and how it can support cyber professionals and industry going forward. Share your views.

Finally, agentic AI is being increasingly integrated in various sectors, including critical national infrastructure. While it offers opportunities for automation, efficiency and cost saving, it can also introduce risks.

The cyber security bodies from Australia, the United States, Canada, New Zealand and the UK have co-authored guidance on the careful adoption of agentic AI services.

The guidance explores key cyber security risks, including:

  • privilege,
  • design and configuration,
  • structure and accountability, and
  • best practices for securing agentic AI systems. 

It should be a useful resource for organisations looking to adopt agentic AI in a considered way.
