Industry Trends

More Cybercrime Among K-12 Districts Requires a Comprehensive Approach to Security

By Bob Turner | December 27, 2022


Many K–12 school districts are racing to the head of the class when embracing digital transformation. From implementing eLearning to eSports and harnessing the cloud, districts increasingly prioritize ways to enhance student learning opportunities across distributed campuses. However, while this new level of connectivity benefits students, teachers, and staff, security implications need to be considered regarding personally identifiable information (PII), financial data, and other sensitive information shared digitally across the school’s network.

The reality is that cybersecurity in K–12 districts is often under-resourced, making schools prime targets for cybercriminals. School IT teams, many of which are understaffed, are constantly juggling multiple demands—from managing a myriad of devices to ensuring the campus is equipped with physical monitoring systems to keep students safe. This growing list of responsibilities makes it difficult for many IT staff to dedicate time to enhance cybersecurity measures. Additionally, according to the MS-ISAC K-12 Report: A Cybersecurity Assessment of the 2021-2022 School Year, the average school district spends 8% or less of its annual IT budget on security, with 18% of districts spending less than 1%.

While many school districts are taking steps to improve their cybersecurity capabilities, results from the Nationwide Cybersecurity Review (NCSR) risk-based assessment give K–12 schools a cyber maturity score of 3.55 out of 7. However, there are simple steps K–12 districts can take today to strengthen their security. From implementing the right technologies to educating employees on smart cyber hygiene practices, making a handful of key changes can go a long way in protecting against cybercrime.

Cyberthreats on the Rise Among K-12 Districts

It’s not surprising that cybersecurity incidents are on the rise across the education sector. Technology is an essential component of 21st-century education, yet is a double-edged sword for the IT teams responsible for monitoring and protecting school networks. For example, educational institutions are seeing an increase in students, faculty, and administrators connecting personal devices to the network for educational purposes, such as accessing remote tutoring resources on a smartphone. This expanded connectivity increases a school district’s attack surface and leaves it vulnerable to new threats.

In fact, 29% of K–12 respondents say their district suffered a cyber incident last year. Some of the most common incident types included ransomware and malware. The same report states, "Ransomware attacks are the most impactful cybersecurity threat in terms of total cost and downtime for K–12 schools and districts.” And when it comes to malware, bad actors have been using specific strains–including Shlayer and Coinminer—to target K–12 districts over the past several years opportunistically.

As a result, K–12 schools need to ensure their network connectivity is secure to safeguard their critical digital assets, along with sensitive information about students.

Security Awareness Training is Crucial for K-12 Districts

One of the easiest places to start when it comes to improving cybersecurity is by implementing ongoing security awareness training for faculty and staff. While IT teams play an essential role in protecting a school’s assets, cybersecurity is everyone's responsibility. All employees can and should be a strong line of defense—but this is only possible if they’re aware of and know how to identify the common methods used by cybercriminals.

"With an architecture specifically built to meet the needs of public and private school districts, security teams can save time and resources while delivering high-performance networking capabilities and industry-leading security."

In conjunction with the White House National Cyber Workforce and Education Summit in July 2022, we announced the launch of our free education-focused version of the Fortinet Security Awareness and Training service for all K–12 school districts and systems in the U.S. Our award-winning Training Institute develops the Security Awareness and Training service. With content incorporating threat intelligence insights from FortiGuard Labs, the service gives faculty and staff the latest knowledge, guidance, and tips to make smarter choices when confronted by cyberattacks and other risks to the organization. Numerous districts are already adopting the free training service, including an Arizona school district with more than 5,200 faculty and staff members.

The Benefits of a Comprehensive and Integrated Security Platform

In addition to cyber awareness training, using the right security technologies can offer K-12 IT teams a more efficient and comprehensive way to protect their school’s networks.

At Fortinet, we understand the challenges K–12 districts face in delivering engaging learning opportunities while maintaining network security and compliance. As schools adapt their IT infrastructure to support digital transformation, they also need to embrace a security transformation to protect their newly expanded attack surface.

The Fortinet Security Fabric delivers comprehensive, easy-to-manage solutions that address the physical and cybersecurity challenges of K–12 schools and districts. With an architecture specifically built to meet the needs of public and private school districts, security teams can save time and resources while delivering high-performance networking capabilities and industry-leading security. From taking advantage of FortiGate next-generation firewalls (NGFW) to using Fortinet Secure SD-WAN to enable secure collaboration and connectivity, school districts of all sizes rely on Fortinet security.

Find out more about how Fortinet's Training Advancement Agenda (TAA) and Training Institute programs—including the NSE Certification program, Academic Partner program, and Education Outreach program—are helping to solve the cyber skills gap and prepare the cybersecurity workforce of tomorrow.