Mar 17 2023

How Leaders Prioritize Education Cybersecurity to Protect Schools and Students

Ransomware attacks continue to target K–12 institutions, but schools can mitigate their risk with the right leadership.

As most criminals do, cybercriminals make a habit of targeting the most vulnerable. News headlines often highlight the dangers they pose in the context of nation-state threats or breaches that target the data of large enterprises. But in 2022, according to a recent report, 89 educational institutions were hit by ransomware, impacting nearly 2,000 schools in the U.S.

The most common time frame for an attack is at the beginning of the school year when K–12 IT professionals are already overwhelmed with tasks like updating passwords. IT personnel should not be expected to bear the security burden alone. A shared-responsibility model, in which everyone in the organization is aware of cybersecurity risks and does their part to remain secure, is crucial.

Attackers target schools because, when it comes to IT security, there is often a serious knowledge gap among staff at K–12 institutions. When education leaders get stuck on traditional processes and teams, they may find it hard to adapt to a new culture that prioritizes cybersecurity.


K–12 Schools Need a Cybersecurity-First Culture 

True change always starts at the top, and it’s no different for K–12 institutions.

The K–12 Cybersecurity Act of 2021 charged the Cybersecurity and Infrastructure Security Agency with the task of providing recommendations for how these institutions can combat risk. The top finding from the resulting report: “Leaders must establish and reinforce a cybersecurity culture.”

In my own conversations with school boards, I’ve found that the people in charge of approving budgets and making decisions don’t have insight into the cyber risk their districts face.

Investments in cybersecurity often take a back seat to investments in other educational programs. However, the unfortunate reality is that these programs are impacted the most by cyber disruptions.

There can be no impactful education with the looming threat of a ransomware attack. The loss of learning following a cyberattack can range from three days to three weeks, with recovery time ranging from two to nine months, according to a recent report from the U.S. Government Accountability Office.

Top decision-makers must lose the mindset that cybersecurity is a last-minute conversation. K–12 institutions need a strong cybersecurity voice at the table when budgets are allocated and hiring decisions are made.

Schools often operate as islands, away from the rich sources of information shared in the broader cybersecurity community. To promote collaboration and bring IT staff into the fold, CISA recommends that schools participate in organizations like the Multi-State Information Sharing and Analysis Center and the K12 Security Information eXchange. These communities share best practices and offer peer support for K–12 security leaders.


How to Strengthen Cyber Hygiene in K–12 Environments 

Many of the most damaging attacks start through neglect of simple cyber hygiene. Creating a cybersecurity-first culture should include strengthening best practices, and there are a few ways schools can start.

If your IT staff can implement multifactor authentication across the school’s systems, you’re pointed in the right direction. MFA provides an extra layer of defense that goes a long way toward hampering threat actors’ plans. Verizon’s latest Data Breach Investigations Report found that more than 80 percent of hacking-related breaches were caused by stolen or weak passwords.

Another simple best practice is to have a tool in place that continuously monitors for common vulnerabilities. Unpatched vulnerabilities are one of the biggest threats any organization faces. In fact, an organization is almost twice as likely to suffer a ransomware attack due to old, unpatched vulnerabilities as from a newly discovered zero-day weakness. If K–12 IT departments focused on making sure these holes were patched, their attack surfaces would shrink considerably.

Schools should focus on strengthening the simple fundamentals of cyber hygiene and encourage the entire staff — not just the IT department — to learn what everyone can do to protect themselves.

These healthy cyber habits trickle down from top decision-makers in K–12 education. Districts need cyber experts who are able and willing to advocate for their districts and accurately report on their cybersecurity posture.

Administrators Can Plan a More Targeted Investment

K–12’s No. 1 issue when it comes to cybersecurity — due in part to the lack of a strong cybersecurity culture — is small budgets. It’s no surprise: Recent research reveals the average school dedicates only 8 percent of its IT budget to security, and 20 percent of schools spend less than 1 percent on security. Other classroom priorities, such as new educational programs or technologies, almost always take precedence over cybersecurity spending.


The percentage of its IT budget that the average school dedicates to cybersecurity

Source: MS-ISAC, “A Cybersecurity Assessment of the 2021-2022 School Year,” November 2022

The COVID-19 pandemic demonstrated our deep reliance on technology, yet some schools still treat IT as a cost center rather than a strategic investment. As a result, cybersecurity is relegated to an add-on or patch in response to cyber incidents.

While the spike in application-based attacks such as Zoom bombing has leveled out, the threat of ransomware has accelerated. This is reflected in the rising cost of cyber insurance premiums, which were up 28 percent in the first quarter of 2022, compared with the last quarter of 2021.

Because school districts often find themselves needing to spend money on security or remediation after an attack, it makes more sense to reallocate already scarce funds toward prevention.

We need to start taking cybersecurity more seriously, especially before our institutions are actively under attack. An investment in a cybersecurity-first culture is an investment in our children’s future.
