Post

What Aon's 2026 risk report tells independent schools about cyber resilience

Aon’s 2026 Independent Schools Risk Report provides useful insights for Australian independent schools trying to manage a growing and increasingly connected set of risks.

The report draws on responses from 306 independent schools surveyed between January and March 2026. It is important to read the results as the views of participating schools rather than as a measure of every independent school in Australia. Even so, the findings provide a valuable sector-wide prompt for leadership teams and boards to compare priorities, challenge assumptions and test whether cyber preparedness is keeping pace with dependence on technology.

Read Aon’s 2026 Independent Schools Risk Report

Cyber risk remains the leading concern

Cyber risk was ranked first for the second consecutive Aon survey. Privacy and data breach was listed separately in fourth place, reinforcing how closely technology risk is connected to the sensitive information schools hold.

The report’s top ten risks for 2026 were:

  1. Cyber risk
  2. Ability to attract and retain talent
  3. Mental health of staff and students
  4. Privacy/data breach
  5. Changes to legislation and regulation
  6. Increasing competition/declining enrolments
  7. Economic slowdown/weak recovery
  8. Impact of brand and reputation matters
  9. Student safety and allegations of child abuse
  10. Uncertainty around future funding

These should not be treated as isolated issues. A cyber incident can disrupt teaching, communications, finance and student-safety processes while also causing privacy, financial and reputational consequences. That makes cyber resilience an operational and governance concern, not simply a technical one.

Reported attacks increased—and preparedness also improved

Aon found that 25% of participating schools reported cyber attacks in 2026, up from 20% in 2024.

Chart showing cyber attacks reported by participating schools increasing from 20% in 2024 to 25% in 2026 Source: Aon, 2026 Independent Schools Risk Report. Used with attribution.

At the same time, 76% reported having documented preventative measures in place, up from 66% in 2024. That is encouraging progress, but it also means almost one in four participating schools did not report documented preventative measures.

Chart showing participating schools with documented cyber preventative measures increasing from 66% in 2024 to 76% in 2026 Source: Aon, 2026 Independent Schools Risk Report. Used with attribution.

Documentation is only part of readiness. A plan must reflect the school’s real environment, have clear owners and be exercised. Backups need to be restored in a test, incident contacts need to be current, and staff need to know what to do when an account, payment request or device looks suspicious.

My key takeaway: outsourcing IT does not outsource risk

The finding that stood out most to me was the growing reliance on third parties. Aon reports that 81% of participating schools outsourced an IT function in 2026, up from 77% in 2024.

Managed service providers, cloud platforms and specialist education systems are essential to many schools, but appointing a provider does not transfer the school’s legal, operational or reputational responsibility. A provider’s assurance should be tested against evidence: contract terms, access controls, recovery arrangements, incident responsibilities, security reporting and the handling of student and staff data.

This does not mean every school needs a large internal security team. It means leadership and boards need enough independent visibility to ask whether controls are appropriate, operating and tested. The report captures this well in its broader message that proportionate preparedness matters more than trying to achieve perfect security.

Questions school leaders and boards can ask now

A useful first review does not need to begin with a major technology purchase. It can begin with a short set of practical questions:

  • Which systems would stop teaching, communications, finance or student-safety processes if unavailable tomorrow?
  • Who can administer Microsoft 365, Google Workspace, the student information system, domains, backups and network equipment?
  • Is multi-factor authentication enforced for staff, administrators and other high-risk accounts?
  • When was the last successful test restoration from backup?
  • Does the incident response plan identify decision-makers, technical contacts, legal support, insurers and communication responsibilities?
  • What evidence supports the cyber assurances made by managed service providers and cloud vendors?
  • How quickly is access removed when a staff member, contractor or volunteer leaves?
  • When did the board last receive a plain-language view of cyber capability, unresolved risks and tested readiness?

Cyber resilience is not a one-off project. It is an ongoing capability spanning people, governance, suppliers, technology and response planning.

For organisations looking for a practical starting point, Suburban Secure focuses on proportionate cyber security, Microsoft 365 hygiene, access, backups, networks and supplier review. It is a service line of Suburban Australia, supporting organisations with technology, risk and operational improvement.

The full findings, methodology and context are available from Aon’s 2026 Independent Schools Risk Report. Aon’s media release also provides a concise overview of the results.

This article is independent commentary on Aon’s published research. Aon is the source of the report data and charts; no affiliation or endorsement is implied.

This post is licensed under CC BY 4.0 by the author.