Dive Brief:
- A startling majority — 82% — of K-12 schools experienced a cyber incident between July 2023 and December 2024, according to a report released Thursday by the nonprofit Center for Internet Security.
- During the 18-month period, over 9,300 confirmed cyber incidents occurred across an estimated 5,000 K-12 institutions studied, the report found.
- The top cybersecurity threats schools faced include ransomware attacks, phishing and social engineering, data breaches, denial-of-service attacks, and malvertisement — malicious software usually disguised as an ad that infiltrates networks to steal information, according to the center, which developed the report in partnership with the Consortium for School Networking.
Dive Insight:
While scattered data has long signaled school vulnerability to cyberattacks, the CIS report confirms how widespread the problem truly is.
The data shows that schools are “prime targets for cybercriminals,” the center’s report said. And the fallout from K-12 cyberattacks often extends beyond data loss, with disruptions to school meal service, forced school closures or blocked access to crucial student services like special education and counselling, according to the report.
The report further shared cybercriminals’ latest tactics and patterns for targeting K-12 systems. For instance, they are increasingly aiming attacks at the human element through phishing and social engineering rather than at technical weaknesses. This is often done by posing as trusted officials to trick staff into revealing login credentials.
Additionally, cybercriminals are worsening disruptions by targeting important academic events like exam weeks, or exploiting staff and students’ reliance on digital tools.
“Unlike corporations with dedicated information security teams, schools often lack adequate funding and expertise. Additionally, school environments promote collaboration and openness, making it easier for cybercriminals to exploit human trust,” the report said.
CIS also operates the Multi-State Information Sharing and Analysis Center, which works with schools and other government organizations to protect their computer networks.
During the Biden administration, officials began rolling out federal resources for K-12 cybersecurity in acknowledgement of the extreme risks schools face and their lack of funding to handle cyberattacks. Whether the new Trump administration will continue those efforts is unknown.
State legislatures also looked to address the issue last year with 28 K-12 cybersecurity bills introduced across 16 states, according to a separate analysis by the Consortium for School Networking.
School demand for cybersecurity defenses appears to be high given that last year the Federal Communications Commission received an overwhelming $3.7 billion in requests from school and library applicants for financial support from the agency’s $200 million cybersecurity pilot program.
Just over 700 schools, libraries and consortia were selected to participate in the pilot program, according to the FCC. To receive the funds, the commission said participants must now seek competitive bids for eligible cybersecurity equipment and services and submit requests for reimbursement.
CIS stressed in the report that it's crucial for K-12 schools to prioritize cybersecurity.
“With the right strategies in place, schools can build resilience against these threats,” the report said. “Schools that prioritize fostering environments where staff and faculty are empowered to be a key element of their cybersecurity defenses, equipping them with more than just security awareness training — through proactive cyber defense measures and strong partnerships — create a more resilient and adaptive security culture that can more effectively defend against evolving cyber threats.”