Most schools are at risk of cyberattacks for reasons outside their control, according to one expert.
District Administration spoke with Tiffany Shogren, director of services enablement and cybersecurity education at Optiv, to learn about the state of cybersecurity preparedness in 2025 and how schools can educate students and staff.
Note: The following transcript has been edited for clarity and brevity.
How would you characterize the current state of K12 cybersecurity preparedness?
School districts know cybersecurity is a priority, but most are underprepared because of limited time, training and funding. Most in K12 recognize cybersecurity as a serious concern, but preparedness is uneven.
Larger and better-funded districts often have more resources and dedicated staff, while smaller schools often rely on already-stretched IT generalists. They’re doing the best they can with limited budgets and competing priorities they face. The gap isn’t usually awareness; it’s resources to put the right protections in place.
School safety experts often refer to “human factors” that weaken physical security. What are the most common human errors that lead to cybersecurity breaches?
In schools, the biggest cyber risks usually come from small shortcuts people take when they’re busy. The “human factors” in cybersecurity mirror what we see in physical security—small oversights with big consequences.
In schools, this often looks like: clicking on a phishing email that looks legitimate, reusing weak passwords across multiple accounts, sharing logins, leaving devices unlocked, and staff or students bypassing security steps because they feel inconvenient.
These are rarely malicious acts; they’re usually shortcuts people take in a busy school environment that open up the door to risk.
Students are aggressively targeted by criminals using phishing and other tactics to compromise their data. How can schools make cybersecurity training engaging and relevant?
If schools want students to care about cybersecurity, they need to make it relevant to their world. Students often tune out when teaching feels abstract or fear-based.
The best way to connect with students is by relating cybersecurity to actions in their world. Using real-life examples with technologies the students use frequently and giving them opportunities to practice spotting threats are ways to create this connection. When students see it as a life skill—not just a school rule—they engage.
To what extent can technology (like AI-based threat detection) compensate for human error?
Threat detection, AI or not, can be incredibly valuable, but it can’t prevent someone from handing over their password. Technology controls can be a powerful safety net if configured correctly, but tech can’t cover everything.
The moment a student or staff member shares their login credentials or downloads something risky, that very technology is playing catch-up. The strongest defense comes from layering people, process and technology—teaching people to avoid common traps while giving the system tools to spot what slips through.
How can schools, generally speaking, improve cybersecurity education?
Cybersecurity shouldn’t be a one-time assembly. It needs to be part of the school culture. The key is consistency and practice. In the same way districts approach practicing fire drills on a routine basis, they should be implementing cyber hygiene practices.
