Cybersecurity recommendations for K-12 schools

Current threats and recommendations on how schools can prevent or mitigate cyberattacks are outlined in the report Protecting Our Future: Partnering to Safeguard K-12 Organizations from Cybersecurity Threats, released in January by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

Schools have been subject to ransomware and denial of service attacks, email compromise scams, data breaches, defacement of website and social media accounts and invasions of online classes and meetings.

Attacks are happening at an escalating rate, according to CISA, with cyber incidents involving schools’ systems taking place across most states since 2018. In 2018, 400 incidents were reported compared to 1,300 by 2021. The introduction of more technology in recent years due to the pandemic has brought on heightened risks and consequences that can include monetary losses and learning disruption.

Under the K–12 Cybersecurity Act of 2021, CISA was directed to study cybersecurity risks for K-12 schools, create recommendations including cybersecurity guidelines and look at challenges schools have in securing information systems among other tasks like gathering stakeholder input on related matters. The agency consulted with teachers, principals, superintendents, school administrators, and various federal and non-federal entities that have experience in education.

Four primary points of concern emerged through the engagement efforts, including “significant resource and staffing challenges” associated with hiring cybersecurity professionals in the K-12 sector.

“Leaders expressed a need for increased cybersecurity budgeting and support mechanisms across the community. In particular, participants stressed that funding must be specifically earmarked for cybersecurity; otherwise, hiring a cybersecurity resource will always compete with hiring a teaching resource or other priorities — particularly challenging in a time when overall budgets in many school districts are increasingly strained,” the report states.

The majority of districts do not have a full-time cybersecurity staff member and smaller local educational agencies don’t always even have full-time information technology (IT) staff.

“Participants further noted that many cybersecurity staff who are currently employed by schools do not have up to-date training or experience, in part due to limited resources for professional development. If a school is fortunate enough to have a security expert on staff, this individual may not get leadership support to implement critical controls such as multifactor authentication,” according to the report. “Participants further observed that many districts experience extreme disparity in talent availability and funding, with a clear divide between larger and smaller districts.”

Other findings include a desire for clear and actionable guidance, sample cybersecurity plans for adoption, prioritization of a centralized governance role in planning and advising on resource allocation, and more effective oversight and accountability.

The report provides recommendations for LEAs but notes that “change must come from the top down. Leaders must establish and reinforce a cybersecure culture. Information technology and cybersecurity personnel cannot bear the burden alone.”


To make improvements with limited resources, CISA suggests investing in the most impactful security measures first while building toward a more comprehensive cybersecurity plan by implementing the highest-priority security controls, prioritizing near-term investments to align with CISA’s Cross-Sector Cybersecurity Performance Goals and, in the longer term, developing a unique plan leveraging the National Institute of Standards and Technology’s Cybersecurity Framework.

Recommended first steps including the use of multifactor authentication, patch management, creating and testing backups, and creating training and awareness campaigns for users.

LEAs can recognize and work to address IT and cybersecurity capacity by working with their state planning committee to utilize the State and Local Cybersecurity Grant Program, using free or inexpensive services to make improvements, expecting and calling on technology providers to utilize strong security controls by default for free, and by minimizing “the burden of security by migrating IT services to more secure cloud versions.”

To address threats, vulnerabilities and risks, CISA advises LEAs to focus on collaboration and information sharing by joining collaborative groups like the Multi-State Information Sharing and Analysis Center (MS-ISAC) and K12 Security Information Exchange (K12 SIX); working with information-sharing organizations like state school safety centers or state or regional agencies and associations; and building a relationship with regional cybersecurity personnel from CISA and the Federal Bureau of Investigations. California is part of CISA’s Region 9.

“Going forward, CISA will continue to partner with the K–12 education community, and work with technology providers to encourage provision of free or low-cost security tools and products that are secure by default and design,” the report states. “Cybersecurity is a continuously evolving challenge. This report is only a first step toward an environment in which our nation’s schools are secure and resilient against cyber threats.”