Reach us at: (212) 334-6481

A Guide to Cybersecurity for K-12 Schools


Don't even think about creating a technology plan before you see this!

Topics Covered in this Article

What is cybersecurity?

Cybersecurity is the act of protecting your network and systems from digital attacks aimed at accessing and compromising sensitive data and disrupting normal operations. The primary goal of an effective cybersecurity solution is to protect your network from outside intrusion and ensure the confidentiality and availability of your information as well as provide a defense against issues such as hardware and software failure and power outages.

Why is cybersecurity so important for schools?

Virtually no industry is safe, but K-12 schools are especially vulnerable to cybersecurity attacks, with the education vertical as a whole absorbing ~23% of all Ransomware attacks according to a recent study by Kasperksy.

According to recent data breach reports, the education sector ranked sixth overall in the US for the total number of reported “security incidents” this past year. Education systems have access to tens of millions of records on children and young adults, making them perfect targets for identity theft. Yet most schools are ill-prepared to face the mounting threats posed by hackers.

Created to build a data-based awareness of the scope and variety of digital security and privacy threats facing public schools and districts, the K-12 Cyber Incident Map provides an excellent visual representation cyber attacks happening across the US.

What types of cybersecurity threats should I be aware of?

Ransomware is one of the more popular and insidious types of cyberattacks out there, but the laundry list of various cybersecurity attacks is long – and unfortunately keeps growing as hackers get more and more sophisticated and diverse in their efforts. Below is a list of the most common types of cybersecurity threats that your K-12 organization may face:

  • Advanced Persistent Threat Attack [APT]: a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period.
  • Brute-force Cracking: a trial and error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies.
  • Credential Reuse: Once attackers have a collection of usernames and passwords from a breached website or service (easily acquired on any number of black market websites on the internet), they know that if they use these same credentials on other websites there’s a chance they’ll be able to log in.
  • Distributed Denial of Services [DDoS]: an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.
  • Drive-by Download: a program that is automatically downloaded to your computer without your consent or even your knowledge.
  • Malware: refers to various forms of harmful software, such as viruses and ransomware. Once malware is in your computer, it can wreak all sorts of havoc, from taking control of your machine, to monitoring your actions and keystrokes, to silently sending all sorts of confidential data from your computer or network to the attacker’s home base.
  • Network-probe: a probe is an attempt to gain access to a computer and its files through a known or probable weak point in the computer system.
  • Phishing: When internet fraudsters impersonate a business to trick you into giving out your personal information. Phishing Attacks are the primary vector for malware attacks and are usually comprised of a malicious e-mail attachment or an e-mail with an embedded, malicious link.
  • Ransomware: a type of malicious software designed to block access to a computer system until a sum of money is paid.
  • Session Hijacking and Man-in-the-Middle Attacks: The session between your computer and the remote web server is given a unique session ID, which should stay private between the two parties; however, an attacker can hijack the session by capturing the session ID and posing as the computer making a request, allowing them to log in as an unsuspecting user and gain access to unauthorized information on the web server.
  • SQL Injection Attack: uses malicious code to get a server to divulge information it normally wouldn’t. This is especially problematic if the server stores private customer information from the website, such as credit card numbers, usernames and passwords (credentials), or other personally identifiable information, which are tempting and lucrative targets for an attacker.

How should K-12 schools protect themselves from cybersecurity threats?

Often the elephant in the room, cybersecurity involves many moving parts, including training, assessments, monitoring, and incident responses, etc. K-12 schools need to address all of these items in order to develop a comprehensive cybersecurity program.

Security awareness training for staff must be provided on a recurring basis, and a security assessment of the network must be completed at least annually. This approach should include assessments of the current end-point security software to determine if a change is needed based upon current incidents and new threats.

For more specifics on how to protect your school, be sure to watch our on-demand webinar: 5 Ways to Protect Your School or District from a Cybersecurity Attack and sign up for a Free Cybersecurity Audit.

How do I train my students and staff on cybersecurity awareness?

If you look at cybersecurity breaches across the board, it’s clear that people represent the single most important point of failure in terms of vulnerability. In the past, organizations could train employees once a year on cybersecurity best practices. But with threats becoming more rampant, cybersecurity awareness and training must be done on an ongoing and consistent basis. Below is a 7-step process to begin making cybersecurity a part of your school’s culture.

  1. Get buy-in from top administration – A good cybersecurity plan requires line items in the budget for people, hardware, and software – which means getting the principal, CIO, Operations Manager, and any other top-level decision-makers on board.
  2. Perform live simulations and training exercises with students and staff – The best training today is one in which users undergo a simulated attack specific to their job or role. Follow up any training by testing how well the lesson was learned. Send out occasional phony phishing emails to check how many employees still fail to recognize the threat.
  3. Conduct evaluations – Don’t be afraid to perform evaluations of both employees and systems to find out how vulnerable your organization is to attack. Present users with a realistic type of cyber-attack and include a follow-up meeting for end users and IT personnel to discuss the results of the campaign and how to avoid scams in the future.
  4. Communicate – Don’t opt for scare tactics. The goal is to build a culture of cyber awareness. Start small with a few videos or infographics to kick things off. Don’t waste time sending out long memos that will only get ignored. Keep it fun, keep it short.
  5. Create a formal plan – IT teams should develop a formal, documented plan for cybersecurity training that is reviewed and updated often with the latest information on attack vectors and other risks.
  6. Stress the importance of security at school and at home – Tech leaders should help employees understand the importance of cyber hygiene not just in the workplace, but also at home, Pollard said. “Teach users about privacy, security, and how the lessons learned at work can apply at home and in their personal lives to give them a ‘what’s in it for me’ they can apply all the time, not just at work,” he added.
  7. Reward users – Reward users that find malicious emails, and share stories about how users helped thwart security issues. IT leaders should also empathize with people who make mistakes. Include posters, contests and other reminders to drive home an easy-to-understand message that security is everyone’s personal responsibility.

In conclusion…

There is no “one size fits all” approach to cybersecurity for K-12 schools, but it should be a key foundation in your organization’s information technology infrastructure.

Unfortunately, cybersecurity threats will most likely only escalate in the future as schools become more reliant on technology. With organizations adding new staff, relocating and expanding locations, and updating their technology infrastructures on a regular basis, ensuring that your data remains safe must become a top priority.

Below are a few resources to help you get started:


Check out our recent blog posts about cybersecurity...