Dive Brief:
- The K-12 sector has experienced 1,331 reported cybersecurity-related incidents since 2016, according to the fourth annual report on The State of K-12 Cybersecurity, released Thursday by the nonprofit K12 Security Information Exchange, which works to protect K-12 schools from cyberattacks.
- The nonprofit’s K-12 Cyber Incident Map tracked 166 school cyber incidents affecting schools in 162 districts across 38 states in 2021, down 59% from the number of publicly disclosed incidents in 2020 — a record-breaking year with 408 public incidents reported.
- School district vendors were “responsible,” as the entry point, for 55% of K-12 data breaches between 2016 and 2021, the K12 SIX report found. In 2021, ransomware attacks were the most frequently disclosed type of cyber incident to impact schools, making up 37% of incidents.
Dive Insight:
While K-12 cyberattacks show a decrease since 2020, there's likely “an undercount of what is actually going on,” K12 SIX National Director Doug Levin said Thursday during the Second Annual K-12 Cybersecurity Leadership Symposium.
“We have a limited view into the actual experiences of school districts across the country,” Levin said during the online summit. “We wouldn’t be surprised if there were 10 to 20 times more incidents occurring than we’re able to present information about.”
The K-12 Cyber Incident Map pulls a lot of its tracking data from local journalists and security researchers, Levin said. Public disclosure laws on K-12 cyber incidents vary by state, but overall these laws are still “quite weak,” he said.
The U.S. Department of Education is starting to make some progress on revising K-12 cybersecurity guidance as requested by the Government Accountability Office in November, said one department official during the online summit, StateScoop reported.
There’s a need for more and better information sharing of K-12 cyber incidents, Levin said. Though it “may feel scary or counterintuitive,” sharing information about school cyberattacks can help law enforcement prosecute criminals, in addition to informing research, policymaking and cybersecurity defense tools, Levin said.
Disclosing cyberattacks can also help other districts understand how to protect themselves from copycat cyberattacks, he said.
It’s critical that K-12 vendors and online suppliers improve their own cybersecurity practices, too, considering they were the source of a significant portion of K-12 cyber incidents since 2016, Levin said.
“While students and school staff generally have little recourse under the law for a data breach incident (no matter the root cause), stockholders and other investors in education companies are granted greater protections in cases where those companies are negligent or materially misstate the potential impact of cyber incidents on their current or future operations,” the K12 SIX report said.
Interestingly, the K-12 and higher education sector outperformed most other industries in simulations for cybersecurity readiness, according to a recent report by Immersive Labs, a U.K.-based cyber threat preparedness company. However, the education sector was still the most likely to pay ransoms in hypothetical situations, with 25% of teams giving in to ransom demands, the Immersive Labs report found.
Levin’s assumption that there are more cyberattacks than publicly known echoes fears voiced earlier this year by experts who expect K-12 cyberattacks to worsen in 2022, because districts appear vulnerable to cybercriminals and may be considered easy prey for ransomware attacks.
To make matters worse, Russia’s invasion of Ukraine suggests schools and others will face a higher risk of cyberattacks.
“It’s not a question of really if you will experience an incident, but when you will experience an incident,” Levin said.