Whether it is a school board meeting, a budget and policy review, or the work in the classroom, mission-aligned conversations about achievement and student outcomes often take second stage. In the background, there are hundreds of operational decisions made every week. The light switch works, buses pass inspections, and students remain safe and secure.
Cybersecurity has shifted the conversation over the past decade. Instead of a simple consent agenda item around technology, districts are actively reviewing their IT security postures. A once abstract and foreign risk now has everyone in the organization asking, "Are we prepared?"
Data validates the need for these conversations. A 2025 Center for Internet Security (CIS) report found that 82% of K-12 schools experienced at least one cyber incident between July 2023 and December 2024, with roughly 9,300 confirmed incidents across about 5,000 institutions. A nationally representative RAND survey from October 2024 reported that 60% of principals saw at least one cyber incident across the 2023-24 and 2024-25 school years. And the Consortium for School Networking’s (CoSN) 2025 State of EdTech District Leadership report found that 71% of district tech leaders saw a change in their cyber insurance in the past year, with 59% seeing premium increases.
That data is not meant to alarm, but rather to frame the landscape and better equip our communities to respond.
The challenge is that boards know they can't ignore cyber risk, but they must also weigh how to allocate funds in an already challenged climate. CoSN found that 61% of districts still pull cybersecurity dollars from general funds, competing directly with classroom needs. That pressure is real, and any honest conversation about K-12 cyber has to start there.
The empowering part is that the path forward doesn't require a blank check. It usually starts with clarity: knowing what you have, what's exposed and what your insurer actually expects of you. Attackers often have success through simple means that are easily avoidable when risks are known and addressed through reasonable policy and procedure.
If any single event should reshape how district leaders think about cyber risk, it's the PowerSchool incident. In late December 2024, a threat actor used a compromised credential to access PowerSchool's customer support portal. After basic controls were bypassed, the attacker exfiltrated data using the platform’s own export tool. PowerSchool disclosed the incident to customers on January 7, 2025.
In May 2026, a vulnerability in the widely used Canvas learning management system raised fresh alarms. This near miss reminded districts they weren’t simply watching a vendor’s problem unfold. They were watching their own ecosystem. That’s the uncomfortable truth third-party risk asks us to sit with: the attack surface doesn’t end at your own network perimeter. It extends to every vendor holding your data — the student information system, yes, but also the lunch payment platform, the athletics and events registration tool, the textbook publisher. These relationships rarely appear on a risk register, but they carry real exposure.
Even when a major event results from an outsourced vendor's action and contractual protections are in place, constituents expect the district to accept responsibility for security.
One of the most common assumptions our cyber team encounters is that signing up for Google Workspace, Microsoft 365 or a major student information system transfers cyber risk entirely to the vendor. It feels intuitive. The data lives in their cloud, so surely the liability does too.
Cybersecurity is often not a full transfer of responsibility, but instead a shared model. Vendors are responsible for the security of their platform, and districts remain responsible for how the platform is configured, who has access, how accounts are provisioned and deprovisioned, and how incidents are communicated to families under state breach notification laws.
A risk readiness assessment helps district leaders see this more clearly. It maps what's actually in the environment, how it connects to third-party platforms, what contractual protections exist, where sensitive data flows and what your response plan looks like when something goes wrong. That clarity is valuable whether the next incident involves infrastructure within the halls of your building or a vendor action like PowerSchool.
It also changes how insurance renewals go. Underwriters may ask pointed questions about third-party risk management, processes and response plans. Being able to answer those questions with documentation, rather than intuition, supports a smoother renewal process.
In Iowa, there is a specific provision worth knowing. The district management fund rule (Iowa Administrative Code rule 281—98.62(2)(f)) explicitly lists "costs of a physical inventory or cybersecurity vulnerability study conducted solely for the purpose of insurance" as an appropriate use of management fund dollars.
In plain terms, when a cybersecurity assessment is tied to the placement or renewal of your cyber insurance, the management fund is a legitimate funding avenue worth investigating. For many districts, that single detail changes the conversation from "we can't afford to assess our environment" to "we can align this expense with a funding stream already built for insurance-related costs."
The strongest position a district can take is also one of the least dramatic: a current risk readiness view, documented controls aligned with a recognized framework such as the CIS Controls or National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) 2.0, a current inventory of third-party platforms that touch sensitive data, and an insurance program that matches the risk profile with controls and strategies already in hand.
A few questions worth reflecting on in your next cabinet meeting:
If any of those questions surface a gap, let’s talk. We support districts with risk readiness assessments, incident response planning and tabletop simulations, and a fresh look at cyber policy coverages and options.