Cybersecurity ranks as the No. 1 priority for K-12 technology leaders for the fifth year in a row, according to a new report from the nonprofit Consortium for School Networking.
A decade ago, cybersecurity was a low priority, ranking 13th out of 16 options, according to CoSN’s annual State of EdTech Leadership report, which surveyed more than 1,200 U.S. school district technology leaders between Jan. 10 and Feb. 28.
The findings suggest that K-12 technology leaders are still struggling to figure out how to solve cybersecurity problems, which are becoming more common and complicated. There have been 1,619 publicly disclosed cyberattacks on schools between 2016 and 2022, according to K12 Security Information Exchange, a nonprofit focused on helping schools prevent cyberattacks.
Cyberattacks can cause major disruptions to teaching and learning, and to administrative functions in a school district. The attacks can also put sensitive data about students and employees at risk. In fact, 43 percent of district technology leaders said their districts have been hit by a cyberattack that has caused some type of disruption, according to the CoSN report. In some cases, school districts have had to shut down schools for several days.
Though cyberattacks on schools are increasing, district technology leaders don’t feel adequately prepared to defend their networks. Less than a third of respondents (32 percent) said their district has sufficient cybersecurity resources to combat risks, while 46 percent said their district didn’t have sufficient resources, according to the report. And an overwhelming majority of district technology leaders (84 percent) said they are “extremely” or “very” interested in professional development related to cybersecurity.
Budget constraints are challenging
The lack of resources is tied to budget constraints, which continue to be a challenge for district technology leaders. Twelve percent of respondents said their district’s IT budget doesn’t allocate any funding for sustaining cybersecurity defense, the report found. A majority of respondents (64 percent) said their districts allocate 5 percent or less of their IT budgets for cybersecurity.
While “spending doesn’t necessarily equate to security, the lack of any budget for network security equipment or software to manage aspects like access and identity is alarming,” according to the report.
Because of inadequate funding, most districts (66 percent) do not have a full-time cybersecurity position, the report found. Thirty-four percent of districts distribute that responsibility across several jobs, 30 percent include that responsibility as part of an employee’s job, and 23 percent outsource the job.
“It would be nice to have a dedicated cybersecurity person,” said Keith Bockwoldt, the chief information officer for Hinsdale High School District 86 in Hinsdale, Ill. “But to get someone of quality, you’re going to have to pay that person [a lot] since there’s so much demand [for IT workers] right now.”
“It comes down to funds—having the money for the staffing is really what it comes down to,” said Bockwoldt, who served as treasurer for CoSN’s board of directors from April 2016 to March 2023.
To alleviate funding concerns, many in the K-12 community have been asking the Federal Communication Commission to modernize the E-rate program’s definition of “firewall”—which protects the network against unauthorized access or intrusions—so districts could use the money to upgrade their cybersecurity resources to meet current needs.
Right now, districts can only be reimbursed for “basic” protections. That means districts can’t use E-rate funds for more advanced firewalls, such as a virtual private network that creates a secure channel for data transmission and intrusion detection systems that stop network activity that violates predefined security policies.
The E-rate federal program was established in 1996 to help schools and libraries across the country with internet connectivity needs.
More training and buy-in needed
Despite the funding and staffing challenges, district technology leaders are implementing more practices to improve cybersecurity. For example, 76 percent of respondents said their district conducts IT staff training, an 11-percentage-point increase from 2022. And 61 percent of respondents require two-factor authentication for district accounts, compared to 40 percent last year.
But there’s still room for improvement. There are still districts that do not provide any cybersecurity training to their teachers (13 percent), administrators (12 percent), support staff (14 percent), and students (33 percent), which is a problem because schools can then become easy targets for cybercriminals if they don’t know how to spot scams, experts said.
“The humans are a big part of this. It’s not just the funding,” said Diane Doersch, who leads CoSN’s board of directors and is also the senior director of information technology for Digital Promise. “School districts need a structured way to provide professional learning for the IT staff and then also a structured way to get cybersecurity training to the end users.”
The challenge is finding time to conduct those trainings, especially for educators who have a lot of other professional development they are required to do, according to district technology leaders.
“We don’t want to overwhelm staff,” said Bockwoldt. “We can’t dismiss [the training] either. We have to make sure that everybody knows what’s going on. We’ve got to figure out where we can embed it.”
Doersch, who was chief technology & information officer for a Wisconsin school district from 2016 to 2019, said one method that works is using an automated system that provides just-in-time training. Staff and students would watch videos and answer questions at their convenience but with a due date.
Both Bockwoldt and Doersch also underscored the importance of having buy-in from senior leadership to ensure that everyone sees cybersecurity as a priority.
“It’s not going away. It’s only getting worse, so we have to continue to be on our feet,” Bockwoldt said.