According to the 2018 State of K-12 Cybersecurity: Year in Review, 119 schools across 38 states experienced 122 cyber attacks in 2018, ranging from ransomware attacks and phishing scams to data breaches and denial-of-service attacks.

As the K-12 Cybersecurity Resource Center notes, this is primarily because “U.S. K-12 schools are increasingly reliant on technology and sophisticated IT systems for teaching, learning, and school operations.” And while the use of technology in our schools is increasing, little is being done when it comes to cybersecurity risk management.

According to a study by the Multi-State Information Sharing & Analysis Center (MS-ISAC), “K-12 schools were reported to have the least mature cybersecurity risk management practices of any state, local, tribal, or territorial government agency.”

So how can we make sure our children’s information is safe at school?

Considering:

  • Just over half (54%) of all digital data breach incidents in K-12 schools in 2018 were “directly carried out or caused by members of the affected school community, whether by staff or students”, and
  • Another 23% of data breaches were the result of “a loss of control of K-12 data by school vendors or partners”…

…it’s important that we first educate school staff, vendors, and students on how to better protect sensitive information.

The K-12 Cybersecurity Resource Center recommends enhancing the capacity of the K-12 community so that they can more effectively:

  • Build a knowledge base
  • Share timely information
  • Identify and promote promising policies and practices

This, alongside “an infusion of money, new technologies, new policies and regulations” as well as a cybersecurity awareness campaign can better prepare our schools for security breaches.

As for the remaining 23% of data breaches–those carried out by “unknown actors” with malicious intent–we need to implement sufficient baseline cybersecurity controls, including awareness of email phishing attacks, as these were the method of choice for most malicious third parties.