What K–12 schools need to shore up cybersecurity

What K–12 schools need to shore up cybersecurity

Crumbling infrastructure. Gaps in curriculum. Antiquated devices. Difficult COPPA laws. Lack of funding. Those are just a few of the obstacles facing K–12 schools looking to adopt technology into their 21st century learning initiatives.

Now add security concerns to the list, and you can see why many schools struggle not only to keep up with consumer technology trends, but also protect against threats that target them.

Despite the uphill battle, schools know the importance of securing their students’ data, and many have found ways to safely incorporate cybersecurity awareness, as well as affordable technologies, to protect that data. We talked with members of the school board, administrators, educators, and security directors to discuss the cybersecurity challenges specific to K–12 schools (both private and public), and what can be done to overcome.

The challenges

In our 2019 State of Malware report, we found education to be consistently in the top 10 industries targeted by cybercriminals. However, when we zoomed in to look at the major threats that dominated in 2018, including information-stealing Trojans and more sophisticated ransomware attacks, schools were even higher on the list, ranking as number one and number two, respectively.

In addition to K–12 school systems, key academic services, such as the SAT and ACT, are susceptible to data breaches, which can undermine the legitimacy of the college admissions process.

US schools are data-rich targets for cybercriminals, including the names, Social Security Numbers, and email addresses of students, their academic and health records, financial information, and more. According to EdWeek, US K–12 schools have experienced 425 publicly-reported cybersecurity incidents since January 2016; the real number is likely much higher.

Digging into this data, presented on an interactive map from the K–12 Cybersecurity Resource Center (pictured below), schools were most impacted by data breaches (purple flags), phishing attacks (blue), and ransomware infections (yellow).

Map courtesy of the K–12 Cybersecurity Resource Center

Knowing they’re a target for threat actors, which major hurdles must schools jump over in order to shore up their cybersecurity?

The first is lack of professional development. Teachers, administrators, and support staff have access to highly-confidential student data that is housed online, and because they don’t know enough about cybersecurity, they can inadvertently allow for a breach. Yet, professional development is nearly always related to changes in curriculum adoption, school events, and the occasional technology training course on how to use a particular software program or Internet-connected classroom device, such as a smart board.

In a related issue, while students are typically far more tech-savvy than their teachers, they are often not taught fundamental cybersecurity awareness at home.

“We might assume that when students get devices from home, such as phones or tables, there are restrictions put in place or guidelines given, but very often, there are not,” said Tami Espinosa, Principal of Luigi Aprea Elementary School in Gilroy, CA. “We need to be sure to address how to properly use technology, because it is and will be such an integral part of their lives.”

Even if filters or other restrictions are put in place, many students are able to find ways around them, compromising security in the process. If they knew their actions could lead to their student records being accessed and changed, would they be so reckless?

Another challenge for shoring up cybersecurity in K–12 is a lack of funding. In a nutshell, there is none—or at least very little. What is available is usually applied directly to instruction and curriculum, as many in the school community don’t support diverting funds away from core subject areas.

“Cybersecurity isn’t a tangible item that directly impacts instruction, so many staff and community members wouldn’t support money going towards it, especially when facilities need to be fixed, curriculum needs to be purchased, and more support staff is needed,” said Tami Ortiz, a San Francisco Bay Area educator. “Cybersecurity is vital, but invisible.”

In fact, because the district or federal funding often doesn’t come through for cybersecurity, schools looking for funds often have to apply for grants or host fundraising events to subsidize.

Finally, updating infrastructure is a massive obstacle for schools hoping to tighten up security. Pubic schools especially struggle in this area, as it’s expensive to overhaul hardware every few years and requires support staff that can manage and secure not only the devices, but also any data stored on premise or in the cloud. From operating systems to specialized educational software that needs updating, vulnerabilities are rampant and can be easily exploited—and that’s without including negligent staff who might open an unwanted email and infect their machine.

The solutions

To help persuade community members and staff to divert funds, the severity of the situation must be impressed upon them. According to The 2018 State of K–12 Cybersecurity report, nearly half of the reported breaches of the year were caused by students and staff, and 60 percent of them resulted in student data being compromised.

This tells us that awareness is a key factor in combatting breaches, but also that technologies must be deployed in order to safeguard from tech-savvy students looking to get around the protections put in place.

Doron Aronson, Vice President of the Cambrian School Board of Trustees, said that with their limited budgets, school boards look at technology holistically, with security being an important component. There are three main areas they consider when making funding decisions: infrastructure, hardware, and security; instructional practices and professional learning; and digital curriculum, tools, data and assessment. And while security is mentioned only as part of infrastructure, it can actually be incorporated into all three areas. Here’s how:

Infrastructure, hardware, and security 

One of the “easiest” ways that schools can combat data breaches and other cyberattacks is by selecting and deploying cybersecurity solutions that combat threats which have historically targeted schools. IT directors should look for programs with dynamic, behavior-based detection criteria that shield from ransomware, Trojans, and other active malware families. Firewalls, supplementary email security, and encrypted data storage/backup systems provide additional coverage against breaches, phishing, and ransomware attacks.

In addition, developing a cybersecurity policy and incident response plan will help prepare schools in the event of a breach. Bonus points for incorporating a layer of security with top remediation capabilities, so that the aftermath, including restoring backups and cleaning up computers, is relatively painless.

Instructional practices and professional learning

Convince leadership to provide outsourced IT and security services, especially for professional development. Start by partnering outsider trainers with those who know the most—the IT/tech department—and then move on to administration, staff, paraprofessionals, and aides.

Fresno-based educational consultant Alex Chavez advises schools to “get serious about security. Put it on the leadership meeting agenda next to school site safety. Collaborate with the outsourced security to keep up-to-date with the latest threats and best practices.”

If funding for outside awareness training is non-existent, designate or ask for a volunteer to be the cyber coordinator for the school. Look to your community for volunteers: tech-savvy younger teachers, or parents who work in technology or security would be a good place to start.

“Get some trusted outside help,” said John Donovan, Head of Security at Malwarebytes. “Designate someone on your staff to be an internal leader/point of contact, and give them some time and incentives to learn and bring that info to your school—especially if it’s a volunteer position.”

Do the same within your student body. Designate a classroom cyberhero, or select a few older students to be the cyber police for the school. Reward with extra credit, less homework, or a points system within the school for getting swag.

Once staff and volunteers have had some initial training, broaden that training out to the wider school and community by offering both formal and informal lessons, including assembly talks and workshops, and occasionally testing that knowledge through simple, fun exercises.

Digital curriculum, tools, data, and assessment

Putting the infrastructure in place, including the right antivirus software, cybersecurity policies, and support staff (volunteer or professional), plus providing professional development are steps in the right direction to shoring up cybersecurity in our elementary, middle, and high schools. However, perhaps the most important step is knowing what to teach students and teachers alike about cybersecurity hygiene, and how best to teach it.

“My advice would be to make sure there is a plan in place for the intentional teaching of cyber safety,” said Espinosa. “So often we think a lot of this is common sense, however, it is not.”

To that end, we suggest the following best practices, especially relevant to those in education:

  • Install security software on all endpoints in the school environment, including mobile devices teachers may use to check their emails during the day.
  • Beware of phishing emails and other social engineering, such as technical support scams or video game games, aimed at both teachers and students. Look at the sender’s email address and be hyper aware if there are attachments or links within the body of the email asking for personal information.
  • Student data should be backed up and encrypted end-to-end in storage and in transmission.
  • Use or create digital curriculum that is COPPA compliant.
  • Use password managers for any teacher, administrator, or even student accounts.
  • Keep all software and hardware updated regularly. Systems and software that have reached end of life (EOL) and are no longer supported with security updates should be purged and replaced.

How to teach it

  • Incorporate cybersecurity hygiene into digital citizenship discussions, as well as digital literacy learning.
  • Make cybersecurity part of curriculum that aligns to state standards for ELA or even math by assimilating knowledge about threats, hackers, or other online dangers into reading comprehension instruction, word problems, or even project-based learning activities.
  • Create gamified lessons, such as phishing tests.
  • Offer rewards for good cybersecurity hygiene, such as stars or points for logging out of accounts before closing browsers.
  • Assign cybersecurity as a research topic for reports.


Engaging students in cybersecurity: a primer for educators Malwarebytes Labs

Stop, Think, Connect US Department of Homeland Security

Stay Safe Online/National Cyber Security Awareness Month National Cyber Security Alliance

Privacy and Internet Safety Common Sense Media

Framework for Improving Critical Infrastructure Cybersecurity National Institute of Standards and Technology


Wendy Zamora

Editor-at-Large, Malwarebytes Labs

Wordsmith. Card-carrying journalist. Lover of meatballs.