What Minimum Viable Cybersecurity Really Looks Like for K–12 Districts

Minimum Viable Cybersecurity Starts in the Cloud

“Minimum viable cybersecurity has fundamentally changed for all organizations and industries, and K–12 is no exception,” Sander says. Two forces are driving that change: the widespread move to cloud computing and the rapid advancement of artificial intelligence.

For school districts, cloud platforms such as Google Workspace for Education and Microsoft 365 now sit at the center of nearly everything, from instruction and communication to finance, operations and even building security. Yet many districts are still securing those environments as if they were on-premises systems.

“The top thing I see districts skipping that creates the most risk is their cloud data risk management and protection,” Sander says. “Security at the cloud layer is now minimum viable cybersecurity. Full stop.”

Why Perimeter Security Isn’t Enough Anymore

Historically, districts have relied on network firewalls, secure email gateways and vendor-provided admin tools. But those defenses were never designed to fully protect cloud-based environments.

“Most districts are relying entirely on their firewall and vendor-provided, native admin tools to secure their data in the cloud,” Sander explains. “These technologies were not built to protect the cloud layer adequately.”

WATCH: Get four security trends to keep an eye on in 2026.

And the consequences can be dire given that sensitive information — including student records, health data, Individualized Education Programs and employee Social Security numbers — is now routinely stored and shared across cloud applications, often with limited visibility into how it’s accessed or used.

This gap in protection helps explain the surge in ransomware attacks against schools over the past five years. “Most ransomware attacks start with a successful phishing email,” Sander says. “Where are those phishing emails going? Gmail and Outlook, which are both cloud-based applications.”

Smarter Phishing Is Today’s Biggest Threat

Phishing remains the top threat facing K–12 districts, and it’s evolving fast. “The difference we’re seeing now compared with two or three years ago is just how sophisticated the phishing attacks have become thanks to AI,” Sander says. Attackers are now able to research targets and craft convincing, grammatically perfect messages at scale.

Another growing vulnerability is student accounts. As districts implement multifactor authentication for staff, attackers are increasingly targeting students, who often have fewer safeguards in place.

Sander also points to a newer tactic that many school districts overlook: phishing links embedded in shared Google Docs or Microsoft Word files. “End users are trained to be on guard for phishing emails, not necessarily shared documents,” he says. Because these files are shared using native collaboration tools, they often bypass traditional spam filters and are difficult for admins to remove.

How the Human Factor Threatens Cybersecurity

While cybersecurity training often focuses on teaching users not to click suspicious links, Sander argues that the bigger issue is mindset.

“The biggest human behavior weakness is believing that protecting everything on the network and at the perimeter will sufficiently protect the cloud environment,” he says.

That belief creates a false sense of security. Once an attacker gets past the perimeter, traditional tools offer little help. “The locks on the front door don’t do anything once the thief is in your house,” Sander adds.

What Good Visibility Looks Like

For districts, visibility means being able to quickly detect abnormal account behavior, malicious links, risky third-party apps and improper data sharing — whether intentional or accidental.

“We hear, ‘You don’t know what you don’t know,’ over and over again from our customers,” Sander says. Without visibility, school districts can’t protect what they don’t realize is exposed.

This is why regular audits are critical. When districts finally see detailed data on how files are shared or accounts are accessed, the gaps often come as a surprise. “That’s usually when that ‘You don’t know what you don’t know’ moment happens,” he says.

UP NEXT: A cyber resilience strategy can help K–12 districts address evolving threats.

Balancing Prevention With Response

Prevention still matters, but it can’t be the only strategy. “You can’t expect that your prevention and training is going to work perfectly 100% of the time,” Sander says.

With the right tools, districts can detect suspicious activity early and resolve incidents quickly (sometimes in under an hour) before they escalate into headline-grabbing crises.

“The whole point is to respond early and quickly enough that it doesn’t need to be dramatic,” Sander says.

A Realistic Path Forward for Overwhelmed Districts

For leaders feeling stretched thin, Sander’s advice is pragmatic: Don’t go it alone. Connect with peers, learn what’s working and start with a third-party security audit.

“If you don’t have the budget for a comprehensive audit, focus on the areas where your district stores the most data and uses the most digital services,” he says. Even free or low-cost audits can help districts prioritize risk without adding unnecessary complexity.

In today’s cloud-first reality, minimum viable cybersecurity isn’t about perfection. It’s about visibility, response and protecting the systems districts rely on most before attackers exploit the gaps.