1 in 5 schools spend less than 1% of their IT budgets on security

"Results from the Nationwide Cybersecurity Review risk-based assessment have shown the K-12 sector is improving in its cybersecurity capabilities over time, though the sector lags behind other sectors when comparing cybersecurity program maturity," according to a report from the Multi-State Information Sharing and Analysis Center.

Despite the various efforts of federal agencies and lessons learned by large school districts across the country, K-12 schools continue to lag behind in cybersecurity preparedness.

In September, the Los Angeles Unified School District was hit with a ransomware attack, forcing the district to shut down computer operations and reset more than 600,000 individual passwords. In response, the Cybersecurity & Infrastructure Security Agency released a joint advisory letter warning school districts that further cyberattacks are highly anticipated.

However, education continues to fall short when it comes to security preparation.

The K-12 community earned a maturity score of 3.55 on a 1-7 scale, according to a report released on Monday by the Multi-State Information Sharing and Analysis Center.

“Results from the Nationwide Cybersecurity Review risk-based assessment have shown the K-12 sector is improving in its cybersecurity capabilities over time, though the sector lags behind other sectors when comparing cybersecurity program maturity,” the report reads.

According to respondents featured in the report, the insufficient rating stems from several factors:

  • Schools spend too little on security: On average, schools spend around 8% of their IT budget on cybersecurity. However, nearly 20% of schools don’t even spend as much as 1%.
  • Threats are becoming more complex: The frequency of cyberattacks against the education sector is increasing as nearly 30% of K-12 member organizations have reported suffering from a cybersecurity incident.
  • Poor response: Nearly 40% of K-12 respondents did not have a cybersecurity response plan in place.
  • Poor strategy: 81% of respondents say they have not fully implemented multi-factor authentication in their institutions. 29% say they have not implemented MFA on any of their systems.
  • The pool of eligible cybersecurity professionals is too small: Nearly 50% of K-12 schools report having between one and five cyber/IT employees.

More from DA: #Stressed: Ranking all 50 states on frustrations about education


Ransomware attacks are known to be the most impactful threat to K-12 education when it comes to financial risk and the downtime that comes with assessing and resolving the issue. As we’re nearing the middle of the school year, there’s little to no indication that districts should let their guard down.

“We assess that cyber threat actors are highly like to target K-12 school districts and associated data in the 2022-2023 school year, primarily as part of financially motivated cybercrime and secondarily via hacktivist-driven campaigns,” the report reads. “Many K-12 school districts are data-rich and resource-poor, making them attractive targets for financially motivated cyber threat actors, such as ransomware operators, and relatively easy targets for hacktivists, those who break into a computer system for politically—or socially motivated purposes, to grow their reputations and name recognition.”

Micah Ward
Micah Wardhttp://districtadministration.com
Micah Ward is a District Administration staff writer. He recently earned his master’s degree in Journalism at the University of Alabama. He spent his time during graduate school working on his master’s thesis. He’s also a self-taught guitarist who loves playing folk-style music.

Most Popular