K-12 cyber maturity improving, but still lags behind other sectors

A report from the Center for Internet Security found that K-12 schools are getting better at identity management, but still have a long way to go in improving their cyber postures.
student looking at screen with skull and crossbones
Several school districts around the U.S. have been hit with ransomware as a difficult school year begins. (Getty Images / Scoop News Group)

Cybersecurity capabilities across K-12 schools improved slightly during the 2021-22 school year, with many districts focusing more acutely on identity management and cyber hygiene training, according to a report published Monday by the Center for Internet Security.

But even with those gains, the education sector’s cyber maturity still lags behind most other parts of government and the economy, with schools continuing to face a glut of ransomware attacks and dearths of funding and personnel. Nearly one-fifth of K-12 districts nationwide commit less than 1% of their overall technology budgets to cybersecurity, and many districts are still not availing themselves of low-cost and free services that could fill the gaps, the report found.

“We know based on experience, schools are an attractive target for ransomware, because it can be so impactful. The cyber criminals are looking for those kinds of targets,” said Karen Sorady, vice president for member engagement at the Multi-State Information Sharing and Analysis Center, which is run out of CIS’s offices in Upstate New York.

Sorady told StateScoop that K-12 schools are still the fastest-growing part of the MS-ISAC. About 4,500 districts have joined, accounting for roughly 30% of the organization’s membership. That growth has led to the formation of a K-12 working group and greater participation in the MS-ISAC’s services — like a malicious domain blocking and reporting tool — but there’s still a long way to go, she said.


While thousands of school districts have signed up for the MS-ISAC, just 677 had signed up for the MDBR service during the 2021-22 school year, blocking more than 423 million malicious DNS requests for those entities.

“We’re trying to bring something to school leaders on how big the problem is and what they can do to protect themselves,” said Sorady, a former New York State chief information Security Officer. “The problem is they don’t know about them. I don’t think there’s hesitancy.”

Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, said earlier this month that ransomware and other cyber threats targeting primary and secondary schools are “here to stay.”

Despite the education sector’s relatively low cyber maturity, Sorady pointed to signs of improvement, especially around identity management, which she said could be an effect of the rampant fraud against financial relief programs during the COVID-19 pandemic.

“Large amounts of fraud and identity impersonation in other government agencies brought that to light,” she said.


Still, figures in the report leave much to be done: Eighty-one percent of districts surveyed had not fully implemented multi-factor authentication, while 29% had not implemented the process on any systems. And 37% of the MS-ISAC’s K-12 members said they did not have an incident response plan.

While Sorady said she expects to see continued improvement this year, it’s “hard to say” if there will be a decline in successful cyberattacks against the K-12 sector, which is reeling from a September ransomware incident at the Los Angeles Unified School District, the nation’s second-biggest school system.

“We need to be right about everything all the time and the bad guys need to be right once,” she said.

This story was featured in StateScoop Special Report: Ransomware Attack Maps

Latest Podcasts