2.1 Cybersecurity ranked 1st inherent, ranked 2nd residual

Risk findings:

Almost all institutions in our sample include a specific cybersecurity risk in their strategic risk registers, and we continue to encourage every institution to do so. The average inherent risk score for cybersecurity risks has increased this year compared to 2024/25, while there is no major difference in the average residual score. This may reflect concerns about the increased likelihood of a serious incident, irrespective of investment in controls. We also note wide variability between institutions in the confidence they have in their controls. This is likely to reflect significant differences in size, mission, organisation, the age and complexity of the digital estate, and the countries in which they operate.

Core controls increasingly reflect business norms, incorporating: network design; segmentation; configuration; improved patch management; continuous monitoring and detection solutions; encryption, access and authentication controls; proactive supplier management; compliance with standards and frameworks; and investment in employee training, testing, backup solutions and incident management. Balancing the needs of staff and students for access to data and systems from a wide range of devices and locations while minimising cybersecurity risks remains a live debate.

Risk commentary and recommendations:

As demonstrated by high-profile cyberattacks on UK and global businesses, the cybersecurity threat landscape is constantly evolving. Attacks can result in major disruption to operations and significant financial losses. Threat actors are highly organised, increasingly using AI to deploy convincing impersonation strategies, automate attacks and target weaknesses in supply chains and outsourced services.

Universities are targeted in order to steal identity or financial information or intellectual property, for ransomware purposes, or to disrupt research and business activities. Institutions are vulnerable, typically having decentralised structures and (often) ageing infrastructure, large and transitory groups of students, staff and visitors with unmanaged devices, and open networks geared to collaborative working. The government’s cybersecurity statistics for 2025² report that 91% of HE institutions reported cybersecurity breaches or attacks in the previous 12 months. Phishing attacks were reported by 97% of institutions in the government survey, with impersonation, malware and denial of service attacks increasingly common.

Maintaining effective cybersecurity defences that embrace people, culture, partner and supplier policies and processes as well as technology, coupled with well-designed and tested incident management and disaster recovery plans, is essential for organisational resilience and success. Yet the depth and frequency of reporting to audit committees and governing bodies on cyber risks varies widely. Governors need to satisfy themselves that they are receiving sufficient assurance about the identification and management of cyber risks in light of organisational objectives and evolving threats.

The NCSC Cyber Security Toolkit for Boards³ provides guidance and resources to help governors ask the right questions, and we recommend that audit committees should:
• have at least one committee member with a high level of IT expertise;
• ensure that cybersecurity risks and controls are adequately differentiated and documented in strategic and operational risk registers;
• understand the core controls in place for managing cybersecurity risks (including with third-party suppliers and partners), how threats are monitored, and how controls are being developed and strengthened, including through training for staff and students and regular testing;
• regularly discuss cyber risks, informed by reporting and KPIs (e.g. on preparedness against attack, incidents, incident management and resolution data, patching standards, compliance with training and test results);
• seek assurance on the robustness and testing of plans for managing incidents, IT disaster recovery and business continuity; and
• ensure that there is an ongoing programme of cybersecurity audit to provide assurance on the effectiveness of controls, incident management and disaster recovery.

2 https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025-education-institutions-findings
3 https://www.ncsc.gov.uk/collection/board-toolkit