Opinion Blog

Rick Hess Straight Up

Education policy maven Rick Hess of the American Enterprise Institute think tank offers straight talk on matters of policy, politics, research, and reform. Read more from this blog.

Privacy & Security Opinion

Why Are Schools a Target for Cyberattacks?

As schools have become more dependent on technology, the frequency of these attacks has increased
By Rick Hess — October 06, 2022 6 min read
Image shows a multi-tailed arrow hitting the bullseye of a target.
  • Save to favorites
  • Print

Last month, the Los Angeles school district was targeted in a massive ransomware attack (see Education Week’s story here). Just weeks ago, Michigan’s South Redford school district was targeted by a cyberattack that closed its schools for two days. Educators and policymakers are justifiably rattled by such attacks and their increasing frequency. But what can they do about them? To answer that, I reached out to Doug Levin, who co-founded the K12 Security Information eXchange (K12 SIX) in 2020 to help schools with their cybersecurity challenges. Doug has tracked this issue closely for decades, having helped craft national educational technology plans for the Clinton, Bush, and Obama administrations. Here’s what he had to say about how to protect schools from cybersecurity attacks in the future.


Rick: We’ve seen recent cyberattacks in Los Angeles and South Redford that have garnered national attention. For those of us who don’t usually track such things, what’s going on here?

Doug: The Los Angeles attack has captured our attention primarily because of the size of the district, but it is only the latest high-profile example of ransomware gangs victimizing school districts. Over the last few years, we’ve seen school systems of all sizes and types across all 50 states, including smaller districts like South Redford, fall prey to these attacks. Ransomware attacks are carried out by organized criminal groups operating overseas seeking to extort money from victims in exchange for the restoration of their IT systems and any sensitive data they may have been able to exfiltrate. They represent the single greatest cyber threat facing the K-12 sector.

Rick: How widespread is this kind of thing? And how big are the risks?

Doug: Ransomware attacks are just one of a range of cybersecurity risks for districts, given their reliance on technology and IT systems. Other common types of school cyber incidents include data breaches and leaks, phishing attacks, denial-of-service attacks, and the takeover and defacement of school websites, social media accounts, and email systems. These incidents have led to school closures, disruptions in teaching and learning, the loss of millions of taxpayer dollars, and identity theft of both students and school staff. Since 2016, we’ve documented over 1,300 publicly disclosed school cyber incidents, and—at least as far as we can tell—these incidents are growing both more frequent and more significant.

Rick: Is this something that all schools need to worry about, or just the biggest ones?

Doug: Frankly, cybersecurity risk management is an issue that any organization which relies on computers and IT systems for its operations needs to address. As schools have become more dependent on technology, they’ve introduced these risks to their communities. Having said that, it does appear that larger districts may be especially vulnerable. They manage more money, have more users, and manage far more devices and services than smaller districts—all of which increases their vulnerability to cyberattacks.

Rick: It seems like there should be more appealing targets for hackers. Given that, why go after schools?

Doug: This is among the biggest misconceptions held about school cyber incidents. Schools manage more than enough money to capture the attention of cyber criminals, to say nothing of the value of the data they hold. While most cyber criminals couldn’t care less about students’ algebra grades, it turns out that the identity information of minors is especially valuable to criminals interested in perpetrating credit and tax fraud. And, given that other kinds of organizations which may have more money or more valuable data tend to be much better protected, schools represent an attractive target for some criminal groups.

Rick: OK. So what makes a district more or less vulnerable?

Doug: The fact of the matter is that school district cybersecurity risk-management practices are highly variable from district to district. For all intents and purposes, there is no minimum cybersecurity standard for school districts. I’d hazard that parents, educators, and even superintendents themselves would be surprised at the gap between what experts recommend organizations should do to defend themselves and the actual practices of districts. For instance, the adoption of multi-factor authentication to protect against password compromise is a best practice that the K-12 sector has been slow to adopt. Some of this is a resource and capacity issue, but it also is an issue of priorities, culture, and governance.

Rick: How can district leaders strengthen their defense?

Doug: I can recommend a slew of cybersecurity technologies that would help, but this is mostly not a technical issue that the right firewall or anti-virus software can fix. This is not about district IT leaders needing to just “cyber” harder. Rather, we need to recognize that there are no 100 percent guarantees in cybersecurity, and this is an issue that the K-12 sector is going to be dealing with going forward. Just as schools deal with physical security risks on their campuses, they need to develop plans to prioritize and manage cybersecurity risks, resource these plans appropriately, and practice them. Over time, we can prevent many of these incidents, and the impact of those that still occur can be significantly muted.

Rick: Given that, I presume districts can’t do it all alone. So, how can districts work with external technology providers to strengthen security?

Doug: Over the last several years school districts have been decommissioning servers run on premises to take advantage of cloud-delivered software and services, whether for instructional, administrative, or operational purposes. And, while companies like Amazon, Google, and Microsoft—which operate the infrastructure that powers most education software and services—have far better IT security operations than schools ever will, not every vendor delivering their software via the cloud can say the same. For example, our cyber-incident tracking data has shown that ed-tech vendors—that are providing schools with custom instructional and administrative services—have been subject to a significant number of data-breach incidents affecting students and teachers. We’ve also seen K12 services interrupted because vendors have to respond to cyber incidents they’ve experienced themselves. Ultimately, it’s hard to see a way forward unless some of the responsibility for IT security services shifts to organizations that can work at scale. For this to take root, though, school leaders will need to demand better cybersecurity policies and practices from their vendors and suppliers.

Rick: What one or two things can policymakers do to help?

Doug: We need to enact disclosure requirements for school cyber incidents so there is a better research base about how and how frequently schools are being compromised and so potential victims can protect themselves in a timely manner from harms like identity theft and fraud. School districts and their vendors also need to be held to higher standards of cybersecurity risk management.

Rick: What else can we do?

Doug: The sector would benefit from more organizations that can provide schools with trusted, vendor-neutral advice on how to shore up their defenses. Moreover, unless we are willing to take something else off schools’ plates, districts would benefit from funding dedicated to helping schools develop and implement robust cybersecurity risk-management programs. Ultimately, everybody has a role to play. Use a password manager. Use multi-factor authentication. Keep your devices’ software up-to-date, and for Pete’s sake don’t click that dodgy link.

This interview has been edited and condensed for clarity.

Related Tags:

The opinions expressed in Rick Hess Straight Up are strictly those of the author(s) and do not reflect the opinions or endorsement of Editorial Projects in Education, or any of its publications.


This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Mathematics Webinar
Pave the Path to Excellence in Math
Empower your students' math journey with Sue O'Connell, author of “Math in Practice” and “Navigating Numeracy.”
Content provided by hand2mind
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Recruitment & Retention Webinar
Combatting Teacher Shortages: Strategies for Classroom Balance and Learning Success
Learn from leaders in education as they share insights and strategies to support teachers and students.
Content provided by DreamBox Learning
Classroom Technology K-12 Essentials Forum Reading Instruction and AI: New Strategies for the Big Education Challenges of Our Time
Join the conversation as experts in the field explore these instructional pain points and offer game-changing guidance for K-12 leaders and educators.

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Privacy & Security 7 Data Breaches That Left Schools in the Lurch
K-12 schools are increasingly vulnerable to cyberattacks.
3 min read
Conceptual photo of blue locks and red locks that are "unlocked" and each placed in a honeycomb grid.
Privacy & Security Schools Are a Top Target of Ransomware Attacks, and It's Getting Worse
Eighty percent of school IT professionals reported that their schools were hit by ransomware in the last year, according to a Sophos survey.
3 min read
Conceptual illustration of computer with a pixelated lock on screen.
Nanzeeba Ibnat/iStock/Getty Images Plus
Privacy & Security Biden Administration Announces Cybersecurity Initiative for K-12 Schools
K-12 schools have become a big target for hackers in recent years and the cyberattacks are more sophisticated than ever.
4 min read
Special Report Cybersecurity
Privacy & Security Districts, Take Note: Privacy Is Rare in Apps Used in Schools
Not protecting students' data privacy can cause real-world harms.
4 min read
PC tablet with cloud of application icons floating from off the screen.