The cybersecurity threats facing K-12 schools are substantial, with a 393% rise in ransomware attacks since 2016 and continued breaches targeting student and administrative data. Added to this is a growing requirement for greater reporting and disclosure by IT departments with minimal cybersecurity budgets. Gregory Rodriguez, CISSP shares his first-hand experience of cybersecurity in the education sector.
Regardless of the industry, IT and cybersecurity staff, CIOs and CISOs regularly hear from their suppliers: “Buy this. Buy that. Product X is the latest and greatest thing that ensures your organization's protection, and I bet I will get the price down because you are so valued.” However, in most non-profits, and in this case public schools, decision-makers have to be incredibly selective. They must meet the security needs of the district, leave enough room for other priorities that align with teaching and learning, and balance software and technical controls against, at times, a limited staff, limited or no skillset to support the control, or no staff at all.
According to K12 Security Information eXchange (K12 SIX), as reported in K-12 DIVE, from April 2016 to November 2022, there has been a 393% increase in ransomware attacks on public school districts. Stunningly, another 85 ransomware attacks have been reported since that study concluded in October 2024. IT staff, business administrators, and superintendents must remember that these are only ransomware attacks. As many cybersecurity decision-makers know, many other forms of attack, the mishandling of data and human error must also be considered when charged with protecting their district on a limited budget. According to Homeland Security’s Nationwide Cyber Security Review completed in 2022, schools spend 8% of their IT budget on cybersecurity, with one in every five schools spending less than 1%. This suggests school districts are ill-equipped to provide the best possible protection with existing budgets and resources.
Why is K-12 the Target of Attacks?
Schools do not have infinite budgets because most are funded by local and federal money. But do you know what school districts have a lot of? Data. School districts often store student and administrative data, including Social Security numbers and credit card information. In some cases, such as what Minneapolis Public Schools experienced, the exfiltrated and published data contained detailed cases of sexual assaults, abuse and student mental health crises, according to The 74. Whether the data is exfiltrated through ransomware, social engineering or extortion, or mishandled and sent to the wrong entity, consider the data already exposed and potentially open to the highest bidder.
In the case of successful ransomware attacks, victimized school districts not only have to consider the student and staff data out for auction if the ransom is not paid, but they must also repair and rebuild their systems while considering remediation and mitigation techniques. In an IT department with limited skills and staffing, incident handlers, security engineers and other specialized staff are often not employed at the district level. Then comes, at a very high price, the phase that is dreaded and felt at every level of the district, because all services can be paralyzed at that time.
How Can I Stretch the IT Budget to Meet the District’s Needs?
Every IT and district administrator must ensure due care and due diligence for their school district. While technical controls like next-generation firewalls, advanced endpoint detection and response (EDR), and other artificial intelligence (AI) tools are outstanding, they are often unaffordable, even with the educational discount often available. Here are some operational, managerial, and technical control recommendations.
- Top-Level Buy-in – Part of the job of a cybersecurity leader in a school district is to convince and persuade the superintendent and school board that IT is more than computers and projectors. Protecting and safeguarding student data through different types of controls is essential. Every operation runs on technology, from budgeting and classroom instruction to collaboration, so protecting the most critical assets, like personally identifiable information (PII) and health data, should be a top priority. Ensuring this support from the highest level of the district is the first step to securing your organization.
- Security Awareness Training – Start at the human level with this operational control. We make mistakes. We are the weakest link in any organization. Whether through phishing campaigns or social engineering, the lack of healthy skepticism and awareness needs to be addressed with education. These do not need to be expensive campaigns. As a district leader often seen as the subject matter expert, bring your show on the road and provide a broad overview of what staff can do to safeguard the district’s data and how they can apply what they just learned in their personal lives. As a bonus, write a monthly newsletter that covers security tips. Knowing your audience and not complicating your presentation with jargon and acronyms is essential. Education does not stop with you teaching others. Educate yourself with security certifications like the CISSP if you haven’t already.
- Create a Cyber Incident Response Plan – No coach worth their salt goes into a high-stakes game without a playbook. To start, this managerial control needs to be written down as a cyber incident response plan. It also needs to be regularly tested. The National Institute of Standards and Technology (NIST), in SP 800-61, provides a framework and guidelines for a cyber incident response plan that is free and adaptable to any organization. Having a small tabletop exercise will iron out some pain points. The plan should be printed and kept in a safe location so it’s accessible if systems are taken offline. Also, review and update it at least annually because best practices, technology and threats are constantly evolving.
- Invest in the Must-Have Technical Control – Budgeting and selecting affordable solutions are the core of my focus, but some technical controls are non-negotiable. One of those technical controls is multi-factor authentication (MFA). Usernames and passwords are simply not enough anymore. MFA types include one-time passcodes (OTPs) using a smartphone authenticator application. SMS texts should be a last resort, as they generate ongoing costs and phone numbers can be compromised. However, that decision is up to you, as you need to assess the risk.
- Know What to Protect and How Much to Spend to Protect it – One way to lose district-level support is to invest in the wrong controls. Investing thousands to protect non-sensitive data is fiscal irresponsibility. Starting at the beginning and establishing a baseline of what needs to be protected is essential; that baseline can be established through vulnerability assessment and/or penetration testing. This does not need to be an expensive endeavor. The Cybersecurity and Infrastructure Security Agency (CISA) offers free vulnerability testing services, including vulnerability scanning, web application scanning, and remote penetration tests. After these tests are performed and analyzed, informed decisions can be made about what resources should be dedicated to the most sensitive data.
Opportunities Where Obstacles Reside
Cybersecurity leaders and superintendents have an enormous responsibility to work collaboratively to safeguard their students and staff, as well as limit their threat vector with such a limited budget. With modest funding available, top-level support is needed to secure resources to enhance your school district's security culture. While the threat landscape is evolving, being prudent and resourceful will make your district that much more secure.
Gregory Rodriguez, CISSP is a K-12 IT director with expertise in information security and technology leadership. He holds a Doctor of Education and a master’s in information technology, specializing in cybersecurity.