Panel says LEAs need emergency plans in place as cyberattacks increase in public schools

Cybersecurity is in flux across the public sector, with traditional processes and tools proving inadequate for today’s global threats. Some school districts and county offices of education are at particular risk since they currently lack the internal resources, capacity or expertise to mount an effective defense against cyberattacks.

CSBA hosted a panel discussion on cybersecurity at the May 20 Delegate Assembly meeting in Sacramento to discuss the evolving threats to schools and how they can be addressed. The panel featured Jeremy Koellish, director of IT for the San Luis Coastal Unified School District; Kim Lewis, director of Government Relations at Corporation for Education Network Initiatives in California (CENIC); Tony Nguyen, CENIC senior vice president and CIO; and Martin Gavin, senior program and portfolio manager at Carahsoft Technology Corp., which CSBA has recently partnered with to provide districts with competitive rates when purchasing products for their technological needs.

Concerning trends

“Whether you know what DDOS [Distributed Denial-of-Service] attacks are or not, your schools have probably been a victim of DDOS attacks,” said CENIC’s Nguyen. “A DDOS attack is when someone launches an attack by sending massive amounts of traffic to a target until it overwhelms the host and crashes services.”

In 2022, cyberattacks grew by 150 percent, with the average attack lasting 66 hours. Cyberattacks against the education sector increased by 36 percent. To help deal with this growing threat, CENIC implemented a DDOS Mitigation Service. The service monitors district traffic and, if it finds abnormal or malicious patterns, notifies the relevant county office of education to look into it and decide if “scrubbing” should be implemented. Scrubbing reroutes traffic to a server that can sort through the bad traffic and eliminate it, while sending “clean” traffic back to the school server.

San Luis Coastal USD’s Koellish explained how the district was able to use the DDOS Mitigation Service successfully and mitigate a recent risk within hours. That wasn’t always the case — the district was hit by a cyberattack in May 2022 that compromised sensitive staff health information stored on the servers. You can read more about the attack, how the district handled it, and other district experiences and resources in the spring issue of California Schools magazine.

CENIC’s Lewis said that phishing email scams — the fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information — are getting more intrusive and sophisticated. “It doesn’t matter how strong our firewalls are or how well our systems work — it also comes down to our people, and people need constant training and education on this evolving issue.”

While ransomware payouts decreased last year, K-12 is experiencing these attacks more frequently than in the past. “K-12 is an easy target,” Koellish said. “We have to look at not just getting the right tools in place, but also leaning on our state and federal partners and knowing what tools are out there that we can use for free so we can help augment those shortcomings in our budget.”

How to prepare

First steps recommended by the panel include having an emergency plan in place should a cyberattack occur — and testing that plan repeatedly, just as schools do with fire drills. Also imperative is checking your local educational agency’s insurance to verify you have cybersecurity coverage — and consulting with the chief business officer and IT staff on how much that amount should be.

“These plans aren’t one and done,” said CENIC’s Lewis, “especially because technology is changing so quickly.” She recommended regular testing to try to identify any holes in the plan and having a regular review of the plan built into your routine to evaluate what needs adjusting as time goes on.

Lewis spoke about Assembly Bill 2355, signed by Gov. Gavin Newsom in September 2022, which requires LEAs to report cyberattacks to the California Cybersecurity Integration Center (Cal-CSIC) if more than 500 people are impacted. Cal-CSIC’s mission is to reduce the number of cyberattacks and assist in responses, and it is tasked with creating a database to track the incidents and submitting a report to the Governor and “relevant policy committees of the Legislature” annually by Jan. 1.

Resources

CENIC’s backbone of service is 8,000 miles of fiber with a presence in all 58 counties in California, and all county offices of education are connected directly. About 88 percent of school districts and 82 percent of schools connect to CENIC. The organization also runs the two largest E-rate programs in the country, one for K-12 and one for public libraries. CENIC also helped to ensure uninterrupted service for the more than 567,000 students taking the California Assessment of Student Performance and Progress (CAASPP).

CENIC has been working to identify schools in need of a fiber connection through its Broadband Infrastructure Grant. The program is currently accepting new applications for the E-rate cycle that begins this summer.

In partnership with the California Association of School Business Officials (CASBO), CSBA will soon be announcing a partnership with Carahsoft, which provides about 3,000 solutions for public schools’ technology needs — from software solutions, student devices and hardware for infrastructure to training and consulting needs at a competitive price.

Other resources recommended by panelists:

Cybersecurity & Infrastructure Security Agency (CISA): Lead for federal cybersecurity and the national coordinator for critical infrastructure security and resilience, designed for collaboration and partnership.

Center for Internet Security (CIS): Their mission is to develop, validate and promote timely best practice solutions that help people, businesses and governments protect themselves against pervasive cyberthreats.

Research & Education Networks Information Sharing & Analysis Center (REN-ISAC): Serves over 700 member institutions within the higher education and research community by promoting cybersecurity operational protections and response.

Questions for board members to consider:

Where do we stand in terms of preparedness for a cybersecurity attack? 

What does the board need to know about disaster recovery? 

How long will it take the LEA to recover from an attack? 

Do we have adequate cybersecurity insurance? 

How long do we have to retain data? How often do we purge sensitive files?  

Questions for your IT staff:

What do you need to secure the LEA?  

Can you review the Instant Response Plan with the board? 

Does our plan align with our insurance carrier requirements? 

Who can the LEA turn to for an IT security audit?