Preparing for the Top 5 Cybersecurity Challenges Facing K–12

June 8, 2022
Back to Blog

It may sound scary, but it’s true: schools are increasingly being targeted by malicious cyber threats. To combat this, tech teams everywhere are taking preventative measures to secure high-level accounts and protect student data. Preparing for cybersecurity challenges, however, doesn’t have to be a daunting task.

In this blog, Ryan Cloutier (President, SecurityStudio) walks us through the Top 5 Cybersecurity Challenges Facing K–12 and how to prepare for them.

1. Loss of learning time due to a cybersecurity event

Cybersecurity events have the potential to cut into crucial instructional time.

Common causes:

  • Phishing attempts
  • Ransomware
  • Class/meeting interruptions
  • Vendor disruption
  • Student-caused security event
  • Hacktivism
  • DDOS, DOS attacks
  • Defacing of district websites and social media

2. Evolving insurance coverage requirements

More school districts have begun requiring specific insurance coverage in regard to cybersecurity.

Common requirements include:

  • Multi-Factor Authentication (MFA, Two Factor, Dual Factor)
  • Airgap backups
  • Risk Assessments (Current and Roadmap)
  • Incident Response Plans
  • Disaster Recovery Plans
  • Vulnerability management
  • Naming a person responsible for security and privacy
  • Security professional on staff or security service in use

3. Keeping up with risk and vulnerability management

Staying vigilant against cybersecurity threats means managing risks before they happen.

Incorporate frequent checks of the following into your team’s routines:

  • Incomplete or missing asset inventories (Hardware, software, cloud/SaaS)
  • Third-party maintenance systems
  • SIS, HR/FIN, HVAC, Food Service, Transportation, etc.
  • Multiple Operating Systems
  • Many different apps in use
  • Legacy systems
  • Off-campus devices
  • Bring Your Own Device (BYOD) Programs

4. Security culture, training, and awareness

Several factors can impact a district’s ability to provide adequate cybersecurity protection, including:

  • The perception security is an IT problem
  • Infrequent training with limited time and resources
  • User assumptions or misinformation about tech (MFA, 5G, etc.)
  • Fear-based training
  • Lack of personal connection
  • Inaccessible tech speak, fear, and fatigue

5. Student privacy

Protecting student data is at the core of the work tech teams complete. However, the following can create security challenges:

  • Complex landscape of unstructured and structured data
  • Open sharing
  • Unclear ownership
  • Confusion over private vs. public data
  • Unclear policies and procedures
  • Changing rules based on student age and location

These cybersecurity challenges facing K–12 may be common, but that doesn’t mean you shouldn’t make a change. Moving forward, even with small changes, is defensible. Staying still in the face of potential security risks is not.

What You Can Do Now

  1. Implement MFA for all administrative accounts, then expand to staff accounts.
  2. Backup critical systems using the 3-2-1 method.
  3. Draft board-level and tech-level cybersecurity policies. Use this free template from SecurityStudio to get started.
  4. Begin a Learning Impact Analysis and create a Learning Continuity Plan.
  5. Conduct a risk and vulnerability assessment.

Learn more about cybersecurity from Ryan! Watch his cybersecurity presentation from CLON (ClassLink's customer conference). You can watch the video here if you attended CLON or register for on-demand access at


Education Leaders

About the Author

About the Authors

Ryan Cloutier




Ryan Cloutier is an experienced IT/cybersecurity professional with more than 15 years of experience developing cybersecurity programs for Fortune 500 organizations. Ryan is a virtual Chief Information Security Officer for K–12 districts across the country, is a Certified Information Systems Security Professional CISSP®, and is proficient in cloud security, Dev-Ops, and Sec-Ops methodologies, security policy, process, audit, compliance, network security, and application security architecture.