IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Opinion: Urgency Needed for K-12 Security Governance Policies

School cybersecurity governance requires being proactive: develop a response plan, designate a security coordinator, audit and update systems, train staff on best practices, stay apprised of the latest resources, and advocate for legislative support.

shutterstock_technology security
The main thing education technology leaders tell me keeps them up at night is worrying about cyber attacks in their districts. According to a recent Microsoft Security Intelligence report (2022), K-12 school districts are the No. 1 target now for malware and cyber attacks. The United Sates alone had over 4 million devices affected in the last 30 days, according to their research.

Source: Microsoft Security Intelligence

Even several years ago, the federal Cybersecurity and Infrastructure Security Agency (CISA) was warning that K-12 school districts were quickly becoming “targets of opportunities” for malware, denial-of-service attacks, video conferencing disruptions and phishing schemes. The rush to get devices in the hands of students during COVID-19 lockdowns only increased security vulnerabilities because of lack of investment and long-term planning. Schools are feeling that sense of urgency about how important the security of their technology environment is to the operations of their district.

Student data can be very lucrative on the dark web if hackers obtain medical records or personal information for identity fraud. Since minor students do not have credit history, these types of fraudulent activities may not be discovered until they become adults. Districts have the responsibility of protecting the privacy and security of student/employee data and building a culture of trust and transparency among stakeholders. Now with new cybersecurity legislation across the country, schools are required to be compliant with the new laws. It is imperative that security steps are taken as soon as possible to shore up district networks and protect end-user devices, but also delineate the ongoing policies that will govern them. This article will highlight some steps that education technology leaders need to take in order to keep their districts safe.


This is not just a technology department issue — this is everyone’s problem. Almost every major system in a district is now run using technology which may hold sensitive data about students and staff. Districts are required to protect this data according to the laws of their state. As a technology leader, you need to help school administrators and the school board understand the threats and need for more security around these systems. Be transparent about the current status of your network and systems in the district and the gaps that need to be addressed. Update your board policies and technology procedures to reflect what you would do for an incident response. Decide up front whether or not the district will pay ransoms, where to obtain digital currency, and where to find an experienced broker to help with such a transaction. Write this in a board policy so everyone will be on the same page. Don’t wait until an emergency happens!


What gets monitored gets done. Having a dedicated person to oversee all security matters in a district is now imperative. Many districts are now finding the money to hire security personnel to help oversee network and system security in their districts. These employees are very difficult to find, as the need is great not only in K-12 education but also in the tech industry. You may already have an eager employee who would like to increase their skills and achieve a chief information security officer (CISO) certification. The National Initiative for Cybersecurity Careers and Studies (NICCS) can provide information about the knowledge and skills needed for this certification. This position may also cross over to the physical security side of a district, since much of maintaining the physical security of campus buildings is now technology-driven. Districts need to invest in their people and find someone to manage these new threats. Work with your administration and school board to gain their support and fund these important positions.


There are many self-assessment tools, such as the Cyber Security Evaluation Tool: Ransomware Readiness Assessment from CISA (2021), that districts can use to look for vulnerabilities in their network. Or districts can hire a third-party company to assist with stress tests of school systems. Third parties can be objective outsiders who can find where the gaps are in your network and security practices, but these assessments may come at a cost. Either way, it is critical to evaluate your current systems, find out how well your district could handle an attack, and learn from current best practices to prevent future ransomware threats. Now is a great time to add periodic reviews to make sure your systems stay up to date.


Take the recommendations from your audits and implement as much as you can to close the gaps. Make various backups of data, with some of them offline. Schools are not open 24/7, and hackers don’t stop attacks on weekends or in the evenings. Subscribe to an alert list for known vulnerabilities, such as the ones from CISA, so you can stay abreast of the latest attacks and protect your district from new malware.


Recent research has shown that end users continue to remain the greatest vulnerability for any organization, with attackers gaining access to systems and information through phishing emails. Recent FBI public service announcements state that email compromise through social engineering is one of the most financially damaging online crimes and has increased 65 percent over the past two years. Some believe that it is not a matter of if, but a matter of when your district will get hacked.

Anyone who uses a device that is connected to your district network or the Internet should receive training. This includes teachers, paraprofessionals, central office staff, support staff, board members, and don’t forget students! Training should include how to protect themselves from falling prey to some of these phishing schemes. Hackers are getting very adept at making their phishing emails look legitimate.

An illustration of a flowchart depicting how phishing attacks typically play out.

Training should include how to respond to solicitors asking for information over the phone, not responding to unknown emails, examining email addresses, never downloading an attachment from unknown sources, and verifying information, payment or purchase requests by calling the person making the request.

Many states are now requiring such training through legislation. School districts should set policies based on state laws regarding what kind of training, how often it should be conducted, and how training completion should be documented and/or reported.


Once you have taken initial steps to make your environment as secure as possible, be proactive and document your policies and procedures in an incident response plan. Documenting governance policies should outline how current and future employees respond to incidents in an appropriate and timely manner. The National Institute of Standards and Technology (NIST), an agency operated by the U.S. Department of Commerce, provides a framework for an incident response plan. This framework includes establishing a response team and four main stages of handling cyber incidents: preparation, detection/analysis, containment/eradication, and recovery.

An NIST flowchart depicting the steps involved in preparing for and responding to a cyber incident.
Source: National Institute of Standards and Technology

You can search for plans that have already been created by universities or other districts so you can see what has worked for other institutions. It is important to share this plan with all departments and campuses so they will know what procedures to follow. Have your plan approved by your school board so they are kept in the loop about what will take place, and so they know that you have taken a proactive approach in dealing with incidents.

Putting that plan into action is also part of staying safe. Districts will find that practicing with a tabletop exercise is very beneficial as a dry run of how you would respond to an incident and practice the steps of your plan. There are many third-party vendor partners willing to assist districts with these exercises.


No matter how many resources districts can provide to protect their network and data, cyber attacks are occurring more frequently. It is imperative to notify authorities when cyber breaches occur. Time is of the essence when your district has been breached, especially if funds are involved. Contact your financial institutions and your local FBI field office immediately.

If student or employee data has been compromised, districts may be responsible for notifying parents and staff as soon as possible. While federal law, specifically the Family Education Rights and Privacy Act (FERPA), does not have a requirement of parent notification when student data has been breached, many states have enacted legislation that does require districts to provide notification. The National Conference of State Legislatures has a list of these here. Districts should follow their local policies and state laws about the procedures and format for notifying parents of such attacks, and timely communication is key to maintaining trust with the community.


Protecting your network and information systems may seem like a daunting task for school districts, especially on limited resources, but you need to start somewhere! The Consortium for School Networking (CoSN) has numerous resources to support districts, including risk assessments, toolkits, online courses, and even a leadership game to help district leaders address cybersecurity in their K-12 organizations.

Sign up for CISA alerts! CISA and some state agencies will post cyber threats and information about new malware as soon as they are aware of incidents in the U.S. As a district technology leader, you can get alerts sent directly to your email so you can be on top of these immediate threats and work to prevent any malware from coming into your environment.


Encourage your administration and school board to take this topic seriously and to take preventative actions as a district. Having current data will help support your cause. The U.S. Government Accountability Office recently published a report on the state of student data breaches and the harm they can have. Their data trends show the need is only getting worse and that districts must be prepared.

Schools have never been funded for bank-level security, especially small and rural ones, but they can still strive for multilayered protection. Talk to your legislators to provide more funding for your state. This is a national security issue that everyone needs to take seriously before their community is affected. For information about recent cybersecurity legislation around the country, check out CoSN’s policy report on all cybersecurity bills passed in each state.

Security will be a hot topic for education technology leaders for the foreseeable future. Take the steps needed to protect your district through prevention practices, training, policies and good governance. You will sleep better at night!
Alice Owen, Ph.D., CAE, CETL is senior partner at Visionary Technologies, LLC, an education technology consulting company.