May 26 2026
Security

Cloud Security for Schools Requires All Hands on Deck

Districts are adopting recurring cybersecurity drills and role-based training programs as cloud-based learning systems create new security risks tied to everyday user behavior.

School districts are facing a growing reality: With K–12 environments increasingly dependent on cloud-based systems, small mistakes can quickly become major security incidents.

Ransomware attacks against K–12 institutions jumped 92% between 2022 and 2023, while phishing attempts continue targeting students, teachers and administrators through email, collaboration platforms and classroom applications.

Technical defenses remain essential, but many districts are finding that firewalls and endpoint protection alone cannot stop attacks rooted in human behavior.

Cybersecurity awareness training is becoming a larger part of how schools approach cloud security, with phishing simulations, tabletop exercises and digital citizenship programs increasingly treated as routine operational safeguards rather than occasional IT initiatives.


Cloud Security’s Weakest Link Is Human Behavior

Helen Patton, cybersecurity executive advisor at Cisco, says cybersecurity challenges in K–12 are increasingly tied to organizational culture rather than technology alone.

Schools are focused primarily on teaching and learning, she says, which means cybersecurity is often not “a first concern or even a second concern” for nontechnical staff. At the same time, the widespread use of software as a service (SaaS) platforms and cloud-based software has created confusion around security ownership.

“When they think about cloud they think they’re not responsible for the cybersecurity risk of that cloud provider or the data that sits in their cloud,” Patton says.

That misunderstanding can create gaps in awareness and accountability across districts increasingly dependent on cloud-based learning management systems, HR platforms and physical security tools.

Cybersecurity Training as School Culture

Patton says cybersecurity awareness programs in K–12 schools often begin as compliance exercises focused on regulations such as the Family Educational Rights and Privacy Act (FERPA) and basic incident reporting obligations.

Early training typically centers on helping staff understand what actions they are legally obligated to take if they click a malicious link or suspect student data has been compromised. More mature programs move toward role-based training tailored to different groups inside the district.

What administrators need to know differs from what teachers, IT staff or students need to understand, Patton says, particularly because schools must account for age-appropriate instruction for children.

“The challenge in K-12 is that you’re dealing with children, and you have to have age-appropriate training for students,” she says.

Patton notes that districts also must train educators and administrators differently based on their responsibilities, particularly when handling student records, financial systems, HR data or other sensitive information.


Security Drills Become Routine

Ed Skoudis, president of the SANS Technology Institute, says cybersecurity awareness programs in education need to function more like recurring safety drills than annual compliance exercises. Schools should build regular practice into daily operations through phishing simulations, tabletop exercises and short, repeated training modules tailored to different audiences.

“Doing that regularly, as opposed to just doing it at onboarding or Cybersecurity Awareness Month is critical,” Skoudis says, arguing cybersecurity training should become routine rather than occasional.

For administrators and leadership teams, he recommends quarterly tabletop exercises focused on ransomware response, business email compromise, public relations scenarios and decision-making under pressure.

Faculty training should focus on protecting shared cloud documents, recognizing phishing attempts and using multifactor authentication through “very short micro training modules” only a few minutes long.

Skoudis also says schools should embed cybersecurity reminders directly into everyday student experiences, from login portals to common gathering areas, reinforcing safe behavior continuously rather than relying on one-time instruction.

“You need to do it in very short form,” he says.

K–12 Districts Turn to Partners for Security Support

Patton says cybersecurity awareness and preparedness serve different purposes in K–12 environments, particularly when schools are working with younger students.

“Awareness looks different,” Patton says, noting that for younger children the focus is less on incident preparedness and more on how they navigate the digital environment in a safe way, including basic online behavior and digital citizenship skills.

Patton says the responsibility for broader cyber resilience ultimately falls on teachers, administrators and district staff, particularly as many K–12 districts lack dedicated cybersecurity personnel.

She adds that vendors can help fill those gaps by providing training resources, curriculum support and guidance around cyber threats, school architectures and risk exposure for educators and administrators.

That support is increasingly important because even districts with dedicated security staff are often consumed with operational responsibilities such as monitoring and incident response rather than awareness training.

“There is a very big role for vendors to play, including Cisco and others, in supporting the resilience of a school,” Patton says.
