
Do cyber regulations actually make K–12 schools safer? Navigating compliance while securing school and student data

Over the last decade, K–12 schools have made great strides in employing technologies that facilitate learning—especially since the onset of pandemic-induced distance education. While students have long since returned to the classroom, digital platforms for instruction, collaboration, and homework continue as a mainstay. Unfortunately, so do cyberattacks.

In a perfect storm of lightning-quick edtech adoption with limited IT support, cybercriminals have seized on the opportunity to launch an unprecedented number of strikes against schools—21 ransomware attacks in January 2023 alone—straining resources and impacting the delivery of critical education services across the US.

To safeguard learning continuity in this environment, US lawmakers have passed legislation aimed at mitigating security and privacy risks for the K–12 community. In the article below, I highlight recommendations from key security standards, including the most recent state and federal laws passed to help school districts navigate compliance requirements, all while ensuring students, staff, devices, and data are safe.

More cyberattacks on K–12 schools trigger legislative crackdown — will tougher regulations be enough?

A combination of limited technical support, outdated systems, and an increase in digital adoption has led to an unprecedented rise in cyberattacks on K–12 schools. The Cybersecurity and Infrastructure Security Agency (CISA) found that K–12 cyberattacks more than tripled over the pandemic, from 400 reported incidents in 2018 to over 1,300 in 2021.

The surge in attack volume and severity is largely thanks to outdated and fragmented digital infrastructures supported by understaffed IT teams. This strain on resources was exacerbated by the move to swiftly adopt all-digital curriculum and instruction during the pandemic, much of which carried over after distance learning requirements expired.

According to the 2022 State of EdTech Leadership Report, only one in five school districts (21 percent) has a dedicated cybersecurity professional on staff. Technicians are often dwarfed by the number of students, teachers, and devices under their charge, with IT-to-student ratios of 1:100+ or even 1:1,000+. With limited IT and IS personnel, educational institutions struggle to manage complex digital environments and protect networked devices without compromising the learning experience.

Adding to schools’ elevated cybersecurity risks are the students and teachers themselves, many of whom lack basic cybersecurity awareness or bring their own unsecured devices to connect to school networks. Compounding the problem further is the fact that students’ personal data is especially valuable on the dark web because kids are far less likely than adults to monitor for fraud.

Top K-12 cyberthreats

Exploits and backdoors hammered the education sector for nearly two years, from January 2021 through June 2022, leading to rampant ransomware attacks in the final quarter of 2022. By January 2023, education accounted for over 80 percent of all global malware incidents, a staggering lead that has held since 2020. And it should come as no surprise that the cyberthreat doing the most damage to education is ransomware.

In 2021, 56 percent of K–12 schools and 64 percent of higher education institutions reported being hit by some type of ransomware. In fact, 57 percent of all ransomware incidents disclosed to the FBI involved K–12 districts at the start of the 2020/2021 school year, compared to just 28 percent the year prior.

According to Bleeping Computer, ransomware struck 89 US educational institutions in 2022, including 45 school districts and 44 universities and colleges, with data stolen in at least 58 attacks. Malwarebytes found that globally, education experienced 12 ransomware incidents in November 2022, 20 in December, and a whopping 21 in January 2023 alone.

Behind the majority of these attacks: the ransomware gang known as Vice Society, a Russia-based group linked to multiple K–12 data breaches, including LA Unified, the second-largest school district in the nation. After observing Vice Society disproportionately targeting education, the FBI and CISA issued a joint Cybersecurity Advisory in September 2022, warning of an anticipated increase in ransomware attacks over the 2022/2023 school year.

Where in previous years districts hit by ransomware might “only” worry about being frozen out of systems or losing important data, recently, double-extortion threats that have become commonplace in the private sector are spilling over into education. Schools hit by ransomware this year should not assume threat actors will refrain from publishing stolen data just because it contains sensitive student information.

After LA Unified refused to pay the ransom (a move we support, as only 2 percent of districts that pay actually recover all of their data), Vice Society published its stolen data in early October 2022, which included confidential psychological assessments of students, legal documents, business records, and contractors’ Social Security numbers.

Across all industries, education paid the highest price to recover from ransomware attacks—an average of $2.73 million—48 percent higher than the global average. Recovery expenditures include staff time, device and network costs, ransom, and downtime, which to K–12 districts represents the costliest expense, as students aren’t learning when systems are down and schools are closed. In fact, an October 2022 Government Accountability Office (GAO) report found that loss of learning following a cyberattack ranged from three days to three weeks, with recovery time taking anywhere from two to nine months.

Retaining security staff: show them the money

Cybersecurity as an industry suffers from a retention problem. A study from the Kapor Center estimated that high turnover has cost the technology sector more than $16 billion annually. At the heart of such turnover: toxic workplace culture. Nearly 40 percent of employees surveyed said that unfairness or mistreatment played a major role in their decision to leave their company.

It follows, then, that creating fair policies for workload, promotion, and pay—plus treating all employees with dignity and respect—can help businesses hang onto talented security staff. Other strategies include:

  • Having a succession plan in place so employees can envision and make reality their career growth within the business.
  • Establishing a mentoring program to allow junior personnel to shadow senior staff and picture what the next stage of their career might look like.
  • Offering security staff opportunities to be involved in the planning stages of projects so they feel their voice is heard.
  • Giving employees ample time off for well-being, including mental health and personal days, to avoid burnout.
  • Allowing flexible in-office hours, including a hybrid or remote work schedule to keep competitive offers at bay.

Finally, of critical importance to attract and retain quality employees is offering a competitive salary. Currently, the median salary for cybersecurity professionals in the US is $135,000, according to (ISC)². The study also shows that 27 percent of security workers enter the sector for the high earning potential and strong compensation packages.

Salaries should increase to keep up with both market trends and increasing responsibilities related to the growing sophistication and frequency of cyberattacks. Between 2020 and 2021, some cybersecurity salaries jumped by more than 16 percent to well over six figures, according to a 2021 report from Dice, a tech recruiting platform.

Cybersecurity and privacy laws

After years of escalating K–12 cyberattacks, legislators have responded with a series of state and federal regulations shoring up both privacy and cybersecurity in schools. These will be layered on top of several existing federal protections, including:

1974 Family Educational Rights and Privacy Act (FERPA): Gives parents the right to access their children’s education records, have the records amended, and exert some control over the disclosure of personally identifiable information. When students turn 18, those rights are transferred to them.

1984 Protection of Pupil Rights Amendment (PPRA): Protects student privacy during specialized surveys and requires prior notification and consent from parents or guardians.

1998 Children’s Online Privacy Protection Act (COPPA): Prohibits operators of websites and online services from collecting personal information from children under 13 without verifiable parental consent.

2000 Children’s Internet Protection Act (CIPA): Requires K–12 schools to restrict children’s exposure to obscene digital content, monitor the online activity of minors, and educate students about appropriate behavior on the internet.

State laws

Since COPPA, most state education departments and legislatures have developed stricter policies to better protect student privacy online. According to the Data Quality Campaign, 45 states and Washington, DC, enacted new student privacy laws between 2014 and 2020. In fact, more than 1,000 student data privacy bills have been introduced in US states over the last 9 years, with 130 of them signed into law.

While heavy focus has been paid to state privacy regulations, policy response to cybersecurity was deemed “still insufficient” by the Consortium for School Networking in a report analyzing education-related security bills introduced in 2022. Legislators in 36 states proposed 232 cybersecurity bills last year—more than twice the number in 2020—and 37 were adopted. However, most of the new laws focused on cybersecurity training, with little attention paid to establishing standards for securing school networks, devices, and applications, or developing consistent protocols for breach notification.

In September 2022, California became the first state to require its public school districts to report any cyberattack impacting more than 500 pupils or personnel, even if a data breach has not occurred. Currently, there are no other state or federal requirements for public schools to report security incidents—even breaches of young students’ sensitive information.

Federal laws

Despite the recent frenzy of privacy and security regulations passed at the state level, the federal government had remained mum for more than 20 years, passing its first-ever K–12 cybersecurity legislation in 2021: the K–12 Cybersecurity Act.

The K–12 Cybersecurity Act required CISA to study the cyberthreats confronting public schools, such as ransomware, as well as the challenges faced in implementing security protocols and protecting student and staff data. After evaluating school districts’ capacity to prevent and mitigate attacks, CISA was to report back to Congress with suggestions for appropriate solutions.

In January 2023, CISA released a comprehensive report titled Protecting Our Future: Partnering to Safeguard K–12 Organizations from Cybersecurity Threats. The report provides school districts with insights into the current education threat landscape and guidelines to address systemic cybersecurity risks, along with simple steps school leaders can take to strengthen their security posture.

While it’s encouraging to see the federal government taking action on the growing number of cyberattacks against schools, there is still much work to be done. Two years prior to the release of Protecting Our Future, CISA partnered with the FBI to publish recommendations for schools to defend against ransomware, and the problem has only escalated since then. Ultimately, the advice offered by CISA is still voluntary—schools are not yet required to comply.

The K–12 Cybersecurity Act sets the stage for a measured approach to implementing standardized cybersecurity requirements in American public schools. And because federal policymakers promise this legislation is just the first step in addressing heightened K–12 security risks, it’s a good idea to stay on top of CISA recommendations and get ahead on compliance while aligning with security best practices.

Requirements and recommendations

What do K–12 schools need to do in order to be compliant with state and federal regulations in 2023? Most states require strong data privacy controls, which typically include encrypting any sensitive personal information of staff and students. Secure data storage is also a requirement of FERPA. To comply with CIPA, schools must certify they have an internet safety policy that blocks or filters access to pictures that are obscene, child abuse material, or other content harmful to minors.

While CIPA may help prevent students from accessing inappropriate content on the internet, it does not protect them from the full range of online threats. According to GAO, thousands of K–12 students had their personal information compromised in data breaches between 2016 and 2020. Compromised data included grades, bullying reports, and Social Security numbers, leaving students vulnerable to emotional, physical, and financial harm.

To protect students’ wellbeing, K–12 schools must do more than meet the basic minimum requirements for compliance. They also need to safeguard children against inappropriate online content, cyberbullying, scams, and other digital threats. A high percentage of children are exposed to unsafe online content, including:

  • Sexual content: 33 percent
  • Violence: 30 percent
  • Hate speech: 23 percent
  • Self-harm content: 18 percent
  • Suicide content: 15 percent

Beyond cyber safety and privacy considerations, there are few other requirements schools must meet to be compliant. However, federal policymakers promise the K–12 Cybersecurity Act is just the first step in addressing heightened security risks. Both state and federal legislators are ramping up K–12 security regulations, so getting a jump-start on some of the recommendations from major government agencies is prudent both for compliance and protection.

Guidelines emerging from the K–12 Cybersecurity Act, for example, can help school leaders understand how to build, operate, and maintain resilient security programs. CISA provides three such recommendations in its 2023 report:

  1. With finite resources, K–12 institutions can take small steps to significantly reduce security risk in the near-term. Invest in the most impactful measures today and build toward a mature cybersecurity plan tomorrow by:
    • Implementing the highest-priority security controls first: e.g., multifactor authentication (MFA), patch management, data backups, content filtering, etc.
    • Prioritizing additional near-term investments that align with the full list of CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).
    • Over the long-term, developing a unique cybersecurity plan that leverages the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
  2. Many school districts struggle with insufficient IT resources and cybersecurity capacity. Recognize and actively address resource constraints by:
    • Working with the state planning committee to leverage the State and Local Cybersecurity Grant Program (SLCGP).
    • Utilizing free or low-cost services to make near-term improvements in resource-constrained environments.
    • Calling for technology providers to enable strong security controls by default for no additional charge.
    • Minimizing the burden of security by migrating on-premises IT services to the (more secure) cloud.
  3. No K–12 entity can singlehandedly identify and prioritize emerging threats, vulnerabilities, and risks. Focus on collaboration and information sharing by:
    • Joining relevant collaboration groups, such as MS-ISAC and K12 Security Information eXchange (K12 SIX).
    • Working with other information-sharing organizations, such as fusion centers, school safety centers, and other regional and state agencies.
    • Building a strong relationship with CISA and FBI regional cybersecurity personnel.

In addition, the FBI and CISA recommend school network defenders apply the following mitigations to reduce the risk of ransomware compromise:

  • Maintain offline backups of data and ensure it is encrypted and immutable (i.e., cannot be altered or deleted).
  • Review the security posture of all third-party vendors. 
  • Implement application control policies so that systems only execute programs known and permitted by security policy, and apply the same allowlisting to remote-access tools. 
  • Require all accounts with credentialed logins to comply with NIST standards for password policies.
  • Require phishing-resistant MFA. 
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege. 
  • Segment networks to prevent the spread of ransomware.
  • Identify, detect, and investigate abnormal activity and potential lateral movement of ransomware with a network monitoring tool.
  • Install, regularly update, and enable real-time detection for antivirus software. 
  • Secure and closely monitor remote desktop protocol (RDP) use.
  • Keep all operating systems, software, and firmware up to date. Districts should prioritize patching vulnerabilities on CISA’s Known Exploited Vulnerabilities catalog.
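Two of the mitigations above (monitor RDP use; detect abnormal activity and lateral movement) are the kind that a one-person district IT shop can start on with logs it already has. The script below is an added example, not code from the original post or from the CISA/FBI advisory: it runs three simple detections over Windows Security logon events (4624 = successful logon, 4625 = failed logon, logon type 10 = RDP) and flags RDP logons from outside the district's address space, bursts of failed logons from one source, and a successful logon that follows such a burst. The trusted network ranges, thresholds, field names, and the sample events are all constructed for illustration.

```python
"""Flag abnormal RDP and logon activity in Windows Security events.

Added example; field names, trusted ranges and sample events are constructed
and are not from the original post or from CISA/FBI guidance.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumption: the district's internal address space. RDP reached from any other
# source is exposed RDP, which the advisory says to secure and closely monitor.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("172.16.0.0/12")]
RDP_LOGON_TYPE = 10                  # Windows "RemoteInteractive" logon type
FAILED_BURST_THRESHOLD = 5           # this many failures from one source ...
BURST_WINDOW = timedelta(minutes=2)  # ... inside this window looks like guessing

# Constructed sample events in the shape of fields a SIEM pulls from the
# Security log. A source of "-" means a local console logon.
SAMPLE_EVENTS = [
    {"time": "2023-02-06T08:02:11", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src": "10.20.4.15"},
    {"time": "2023-02-06T08:05:40", "event_id": 4624, "logon_type": 2, "user": "asmith", "src": "-"},
    {"time": "2023-02-06T22:14:03", "event_id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.77"},
    {"time": "2023-02-06T22:14:09", "event_id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.77"},
    {"time": "2023-02-06T22:14:15", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "198.51.100.77"},
    {"time": "2023-02-06T22:14:21", "event_id": 4625, "logon_type": 10, "user": "itadmin", "src": "198.51.100.77"},
    {"time": "2023-02-06T22:14:27", "event_id": 4625, "logon_type": 10, "user": "itadmin", "src": "198.51.100.77"},
    {"time": "2023-02-06T22:15:02", "event_id": 4624, "logon_type": 10, "user": "itadmin", "src": "198.51.100.77"},
    {"time": "2023-02-06T23:01:00", "event_id": 4624, "logon_type": 10, "user": "backup_svc", "src": "203.0.113.9"},
    {"time": "2023-02-06T23:30:00", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src": "10.20.4.15"},
]


def is_trusted(src):
    """Local console logons are trusted; otherwise the source must fall inside
    TRUSTED_NETS. A source that does not parse as an address is never trusted."""
    if src == "-":
        return True
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def parse_event(raw):
    """Normalise one record: ISO-8601 timestamp string -> datetime."""
    return {**raw, "time": datetime.fromisoformat(raw["time"])}


def _finding(rule, ev, severity):
    return {"rule": rule, "severity": severity, "src": ev["src"],
            "user": ev["user"], "time": ev["time"].isoformat()}


def analyze(events):
    """Run the three rules over the events in time order and return findings."""
    findings = []
    failures = defaultdict(list)   # src -> failure timestamps inside the window
    bursting = set()               # sources that have already tripped the burst rule
    for ev in sorted((parse_event(e) for e in events), key=lambda e: e["time"]):
        src = ev["src"]
        if ev["event_id"] == 4625:
            recent = [t for t in failures[src] if ev["time"] - t <= BURST_WINDOW]
            recent.append(ev["time"])
            failures[src] = recent
            if len(recent) >= FAILED_BURST_THRESHOLD and src not in bursting:
                bursting.add(src)
                findings.append(_finding("failed_logon_burst", ev, "medium"))
        elif ev["event_id"] == 4624:
            if src in bursting:
                # A success right after a burst is the signature of a guessed password.
                findings.append(_finding("success_after_failed_burst", ev, "critical"))
            elif ev["logon_type"] == RDP_LOGON_TYPE and not is_trusted(src):
                findings.append(_finding("external_rdp_logon", ev, "high"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'medium': 1, 'critical': 1, 'high': 1}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f['severity']:8}] {f['time']} {f['rule']:26} user={f['user']} src={f['src']}")
    print(summarize(results))
```

Run against the sample, the script reports one medium finding (five failures from 198.51.100.77 in 24 seconds), one critical finding (the `itadmin` logon from that same source a minute later), and one high finding (an RDP logon for `backup_svc` from 203.0.113.9, outside the trusted ranges). The single failed logon from an internal address and the console logon are ignored. The point of the example is the escalation logic, not the thresholds: a burst alone is noise on an internet-facing host, but a burst followed by success from the same source should page someone. Note that the trusted-range check only tells you an RDP session came from inside the network; if the district follows the advisory and puts RDP behind a VPN or jump host, every logon type 10 from any other source becomes a finding.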

Education for educators

Recommendations, warnings, and guidelines issued from the major government agencies all come with a caveat: Change must come from the top down. K–12 school leaders must establish and reinforce a culture of cybersecurity within their districts and the education sector as a whole. IT and IS professionals simply cannot bear the burden alone.

To foster a sense of shared responsibility for cybersecurity, schools should invest in simple training materials—even if just posters hung around campus—that establish security awareness for teachers, administrators, and students. Basic hygiene, such as keeping passwords private, logging out of accounts on shared devices, and staying away from unknown websites can assist with K–12 cybersecurity efforts. In addition, adopting digital citizenship curriculum for students can enhance cyber safety initiatives, empowering minors to police themselves.

The problems of rampant ransomware, limited IT staff, and outdated digital infrastructures won’t be solved overnight. But with the same diligence adopted by the private sector, K–12 schools can meet regulatory requirements and keep cybercrime at bay so that teachers and students remain focused on what matters: their education.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.



Marcin Kleczynski

CEO and Co-Founder of Malwarebytes

Likes long walks on the beach and hates fish.