In a retrospective 18-month study — which looked at CIS school incident data collected from surveys, the CIS operations center, the CIS incident response team and other sources — more than 5,000 K-12 organizations collectively experienced over 9,300 confirmed cyber incidents from July 2023 to December 2024. Cyber threats that relied on human error outnumbered other attack techniques by 45 percent.
The report says “malvertisements,” or online ads that entice users to click on malicious links, were the source of 63 percent of school malware attacks during the study period, leading all other attack methods.
In addition to other branches of CIS, some of the data in the study came from K-12 members of the Multi-State Information Sharing and Analysis Center (MS-ISAC), a CIS program that allows public entities to share information about cyber threats and receive free or low-cost support for incident prevention, response and remediation.
The report says one free MS-ISAC service, Malicious Domain Blocking and Reporting, blocked more than 1 billion attempts to connect to malvertisement domains and 320 million attempts to connect to phishing domains during the 18-month study period.
It adds that these and other K-12 cyber threats spiked during busy, high-pressure periods such as exam weeks — a sign that cyber criminals understand how critical technology is at these times and are using school calendars to plan their attacks.
Other data in the report stems from 286 K-12 school districts that completed CIS' 2024 Nationwide Cybersecurity Review, an annual assessment of cybersecurity maturity for public entities. The average cybersecurity score in these districts was 3.76 on a scale from one to seven, and 86 percent of them reported having five or fewer employees with cybersecurity duties.
To step up school cybersecurity, the report recommends a “human-first approach,” creating open lines of communication around cyber concerns and making sure all staff members understand they have a vital role to play in protecting school systems and services.
The 25-page document, which was created in conjunction with the Consortium for School Networking, lays out a list of best practices for schools that includes multifactor authentication, automatic backup systems, secure network design and endpoint detection services. The report also stresses the importance of building staff expertise through professional development and provides tips for technical planning to maintain essential school services during cyber incidents. Randy Rose, CIS vice president of security operations and intelligence, said the latter is especially important due to the number of critical services schools provide, from student meals to special education support, most of which depend on technology.
“The long-term impacts of stolen student and faculty data are only part of the story," Rose said in a public statement. “Schools are a vital part of our local communities and cyber attacks against these institutions can have real-world consequences that include missed days, canceled exams, wasted food and disruptions to child care, among other things.”
