Why Johnny Can’t Read (His Email): Navigating Cybersecurity Challenges in Schools

by | Opinion

Earlier this summer, the New York City Department of Education was forced to share the type of news that no administrator wants to deliver:

Dear Families and Staff: We have initial information to share about a recently identified security vulnerability…. Roughly 19,000 documents were accessed without authorization [including] approximately 9,000 Social Security Numbers….

This is bad news for any organization, but in the case of NYC, the news gets worse: this was the second significant security breach in recent years. It’s not just that the breach happened—it’s that it happened again!

Lumberton, Texas. Des Moines, Iowa. Little Rock, Arkansas. Rochester, Minnesota. Crawford County, Pennsylvania. These are just a few of the K-12 school systems hit by cyberattacks just in the past few months. And let’s not forget colleges and universities, which if anything are even more at risk, due to the large amounts of financial data they retain. Bristol Community College, Mount St. Mary’s, Southeastern Louisiana University, Truman State University…. there are too many to list.

Why Hack Schools?

At first it may seem surprising that schools are facing such a surge in attacks. Why bother attacking some random K-12 school system when so many for-profit companies handle so much more customer data?

The answer is pretty simple—big companies know they are at risk, and they take action (a lot of very expensive action!) to make sure their systems are as secure as possible. Schools, on the other hand, have limited resources and, until recently, reduced awareness of the risks. Hackers consider schools to be “soft targets” specifically because schools don’t pour the resources into cybersecurity that big companies do.

It’s not a bug, as they say—it’s a feature.

Bad guys also love the fact that there is so much turnover in educational environments. Every year, a new batch of students arrives, and another batch departs. This “churn” means that there is a near-constant flow of super-valuable personally identifiable information (PII) washing onshore of every educational institution.

Further, technology plays an integral role in contemporary educational settings—a role that expanded exponentially during the Covid-19 pandemic. By “role” I mean both in the management and administration of schools and as part of the teaching experience itself. Schools face a unique set of concerns and challenges when it comes to safeguarding their digital assets. Protecting sensitive student data, maintaining network security, and fostering a safe online learning environment have become critical priorities.

How are Schools and Students Under Threat?

Hackers may seek to exploit vulnerabilities in school networks or use phishing techniques to gain unauthorized access to sensitive information. Distributed Denial of Service (DDoS) attacks can disrupt online learning platforms, causing significant disruptions to the educational process.

Another big issue—one that the corporate world is painfully familiar with but is just becoming apparent in the educational setting—is the integration of outside vendors with internal networks. In the recent NYC hack, for example, the problem started not with the school network itself, but with an undisclosed vulnerability in a file-sharing software called MOVEit.

Last but not least, of course, are the ransomware attacks that have been getting so much media attention in the past few years. This is when malicious actors seize control of computer systems and demand payment in order to restore access. Alarmingly, more than a few school systems and city governments have weighed their options and decided it was easier to give in and pay than it would’ve been to fight.

Here are some of the most significant challenges of managing cybersecurity in an educational environment.

Student Data Privacy

One of the foremost concerns in the educational sector is safeguarding student data privacy. Schools collect a vast array of personal and academic information, ranging from student records and grades to medical and financial details. This sensitive data requires robust protection to prevent unauthorized access or potential breaches that could compromise student safety and confidentiality.

To address this challenge, schools must implement strong data protection policies and procedures. This includes secure data storage systems, encrypted communication channels, and controlled access to student information. Additionally, schools should conduct regular security audits, ensure staff members are trained in data privacy protocols, and comply with relevant data protection regulations such as the Family Educational Rights and Privacy Act (FERPA) in the United States.

Bring Your Own Device (BYOD) Challenges

The proliferation of personal devices being used in educational settings, commonly referred to as Bring Your Own Device (BYOD) policies, poses unique challenges for cybersecurity. While BYOD policies can enhance student engagement and access to learning resources, they also increase the risk of data breaches and unauthorized access.

Schools should establish clear guidelines for BYOD usage, including strong device security requirements, secure Wi-Fi networks, and the use of Virtual Private Networks (VPNs) for remote access. Implementing Mobile Device Management (MDM) solutions can assist in enforcing security policies and monitoring devices connected to the school network.


Ensuring online safety and addressing cyberbullying are critical aspects of cybersecurity in the educational field. Students may encounter inappropriate content, online predators, or fall victim to cyberbullying, which can have detrimental effects on their well-being and academic performance.

To promote online safety, schools should develop comprehensive internet usage policies that define acceptable online behavior and provide guidelines for reporting and addressing cyberbullying incidents. Collaborating with students, parents, and educators to raise awareness about responsible digital citizenship and fostering open communication channels can help create a safe online learning environment.

(Lack of) Staff Training and Awareness

The human element plays a significant role in cybersecurity. Schools must prioritize staff training and awareness programs to equip educators and administrators with the knowledge and skills necessary to identify and mitigate potential cybersecurity risks.

Am I saying that teachers and staff need yet another set of meetings to be trained on yet another topic that is, at best, adjacent to what they do in the classroom?

Yep, that’s exactly what I’m saying.

The vast majority of cyber incidents begin with human error–someone opens an email they shouldn’t, or shares a password, or gets tricked into forwarding vital information to a bad actor. In the words of Rod Russeau, an IT director at a school system in Illinois: “You can invest billions of dollars in all of the highest-level, most sophisticated firewalls and detection mechanisms. And invariably, a phishing email is going to get through.” Training is everything.

Here’s the good news: you don’t have to be some sort of Internet guru in order to be cyberaware. Training programs cover topics such as recognizing phishing attempts, practicing strong password hygiene, identifying malware, and understanding social engineering. Regular training sessions, workshops, and the dissemination of educational resources will ensure that staff members remain up to date with the evolving cybersecurity landscape.

How Can Schools Protect Themselves?

As technology continues to reshape the educational landscape, cybersecurity has emerged as a critical concern. Although there is no way to completely eliminate risk, risk can be mitigated. Schools should implement robust cybersecurity measures. This includes regularly updating software and hardware, utilizing firewalls and intrusion detection systems, and employing strong password policies. Regular security awareness training for staff, students, and parents is also crucial to educate them about potential threats and best practices for online safety.

Addressing the challenges associated with BYOD policies requires establishing clear guidelines for device security, secure network connections, and device management. Promoting responsible digital citizenship and fostering open communication channels can contribute to creating a safe online learning environment that addresses cyberbullying and promotes online safety.

A recent article in Education Week covered a panel held by the International Society for Technology in Education. The panelists–Mohit Gupta, Elizabeth Hoover, and Merve Lapus–took a deep dive into cybersecurity in educational settings. Ms Gupta pointed out that schools need action plans in place for what should happen in case of an incident. And more than that, the need to practice enacting these plans, “like fire drills.”

Meanwhile, schools can’t afford to become complacent. As artificial intelligence becomes more and more important to cybersecurity, schools should not shy away from exploring the latest technological developments. As Mr. Lapus noted, administrators should try to be “thoughtful, not fearful” about AI and other evolutions in high tech.

That’s all good stuff, and if combined with the aforementioned policies, trainings, and software management, should go a long way to making school systems less attractive to hackers.

Easy for You to Say!

Here’s the rub: Who can possibly do all that??

Educators and administrators already feel there aren’t enough hours in the day to accomplish everything they want to. Meanwhile, school budgets are constantly under pressure. Business managers and superintendents give themselves migraines figuring out how to squeeze just one more teacher’s assistant out of their shrinking budgets. Or heck, forget assistants–how about just one more box of chalk?

Now Mr. Lapus wants them to budget for the latest AI cybersecurity system as well?

Unfortunately, the answer is yes. All that hard work that teachers put into lesson plans won’t be worth much if the school has to shut down due to a cyberattack. Furthermore, never forget that as a teacher or administrator, your data is most at risk. So rather than think in terms of time and resources being taken away, think of cybersecurity as a vital addition to the safety of your institution–to the students it serves, to the wider taxpaying community, and, yes, to your own benefit.

By implementing robust data protection measures, adhering to privacy regulations, and ensuring secure networks, schools can safeguard sensitive student information. Employing effective cybersecurity measures, such as updating software, implementing firewalls, and conducting regular security audits, will help protect against cyber threats and attacks.

If this sounds like more than your school or organization can handle alone, you don’t have to! Get in touch with us and let’s talk about how cyberCTRL can make your educational environment safer while also making your life easier. 


Submit a Comment

Your email address will not be published. Required fields are marked *