Nearly 82 percent of K-12 organizations were the victims of cyber incidents between 2023 and 2024, according to a new study showing that schools are increasingly the target of cyber threat actors.
The Center for Internet Security (CIS) conducted a review of more than 5,000 K-12 organizations over an 18-month period and found that when cyberattacks occur at educational organizations, they affect not just education but also the vital services those organizations provide.
“When a ransomware attack struck a district during midterm exams in the fall 2024 semester, it revealed a truth about school cybersecurity: these incidents affect far more than just technology,” CIS says in its report. “With systems inaccessible, students lost access to meals, parents were forced to arrange childcare, and graduating seniors likely worried about college application deadlines.”
“This scenario, and countless others like it, illustrates what protecting schools from cyberattacks really means — it means protecting communities,” CIS adds.
CIS reported a total of nearly 14,000 security events and confirmed that 9,300 of them were cyber incidents, also finding that threats targeting humans – such as phishing emails – exceeded other techniques by 45 percent.
Schools were most often hit during the beginning of the school year, the mid-term period, and the very end of the summer, according to the report. The report notes that the timing “could overlap with critical functions,” including new staff and student acclimation, exams, and summer network maintenance.
“The timing of attacks may demonstrate increasing sophistication of cybercriminals and a move toward strategic targeting K-12 organizations during the academic calendar’s pressure points,” said CIS.
The most successful cyber-resilient practices among K-12 organizations are those that embrace collaborative approaches, leverage partnerships, and share community resources, explained CIS, which advocated for creating a culture of cyber empowerment and moving beyond traditional security awareness.
Developing collaborative relationships between IT security teams and educational staff, creating accessible cyber incident reporting channels, and demonstrating that security is a shared responsibility can bolster an educational organization’s cyber posture.
Other steps CIS shared include developing technical frameworks, prioritizing the continuation of community services during cyber incidents, fostering community resilience through established communication channels, and identifying the most critical services.