Incident Response and Recovery Must Be Well-Drilled
"If something happens to you out of the blue that's causing some form of stress reaction, you're going to fall back to your training," said Tom Ashley, senior national K–12 cybersecurity strategist at CDW. "If you created a playbook and a checklist but never practiced it, you're more likely to revert back to even more of a basic reaction: freeze or run, typically."
Ashley emphasized that comprehensive incident response plans aren't what teams reach for during active incidents. Instead, districts need actionable playbooks: concise, step-by-step guides for specific scenarios.
"The playbooks are those actionable steps that you would go to and say, 'OK, I'm hit with ransomware. Let me go to my ransomware playbook,'" Ashley said. "Every second counts."
His framework centers on the five incident types most likely to impact K–12: ransomware attacks, social engineering, data breaches, insider threats and distributed denial-of-service attacks. Each playbook should include severity classifications, communication protocols and designated response team members drawn from across functional areas.
Ashley shared a free Cybersecurity Incident Response Plan template that districts can download and customize.
Recovery is also crucial for K–12 environments.
"If you don't have a lot of resources, you have to invest in the solutions that make the biggest bang for your buck," he said. "Recovery is one of those areas that I highly recommend you utilize your valuable, limited resources. Look at your backup and recovery infrastructure."
Districts must plan for clean restoration of their backups. Bad actors often attempt to compromise backups and will wait months or years before triggering attacks, ensuring that multiple backup generations are corrupted. The solution, Ashley said, is to systematically monitor, scrub and evaluate backups during restoration to catch corrupted data before it spreads.
Ashley also stressed the importance of user awareness: simply picking up the phone to ask a question, or talking to the person next to you, can save a lot of strife. He gave an example of a situation in which an issue could have been solved with a single question: Did you send this email?
"The fix did not cost tens of thousands of dollars," he said. "It was a people, person and procedure fix."
Physical Security Is Still Priority No. 1
In August 2006, when Bryan Krause was the principal of Platte Canyon High School in Bailey, Colo., his school conducted an active shooter drill. Less than a month later, a 53-year-old gunman took an honors English class hostage before killing 16-year-old student Emily Keyes. More lives could have been lost were it not for the drill. When SWAT arrived, Krause immediately directed them to room 206, and they knew exactly where that was without having to be told.
Now senior national school safety strategist at CDW Education, Krause advocates breaking down silos between cybersecurity, physical security, prevention programs and social-emotional learning.
"IT doesn’t just own cybersecurity, and the safety and security department doesn’t just own physical security," he said. "It should all work together."
He outlined three critical technology categories that districts should prioritize: video surveillance systems, access control and environmental sensors. Environmental sensors represent a particularly innovative advancement, allowing districts to monitor spaces that were previously difficult to supervise, such as bathrooms, locker rooms and special education classrooms, without invasive cameras. These sensors can detect unusual sounds, temperature changes or other environmental anomalies that might indicate an incident.
