K-12 Cybersecurity 2018 Year in Review
Part V: Lessons for 2019 and Beyond
Evidence assembled to maintain the K-12 Cyber Incident Map reveals that school districts have not been immune to the same types of data breaches and cybersecurity incidents routinely plaguing even the most technologically advanced and well-resourced corporations and government agencies. During 2018, the misuse and abuse of school technology and IT systems resulted in 122 publicly-disclosed K-12 cybersecurity incidents. This equates to a rate of about one new publicly-reported incident every three days.
While it may be tempting to dismiss this number as being relatively insignificant given the magnitude of the U.S. K-12 enterprise, keen observers would not draw that lesson. First, one should not mistake publicly-disclosed incidents for the universe of all K-12 cyber incidents that occurred during the calendar year. Many incidents go unreported, and – unless school districts have a strong cybersecurity risk management program in place – there may also be a considerable gap between when school districts experience an incident and when (or if) they become aware of that fact.
Second, cyber incidents do not seem to discriminate by school location, community type, or size. Indeed, if school technology is accessible over the internet, mistakes can and do occur; malicious actors can and are taking note.
Third, the impact of publicly-reported K-12 cyber incidents is significant. During 2018, such incidents resulted in the theft of millions of taxpayer dollars, stolen identities, tax fraud, altered school records, website and social media defacement, and the loss of access to school technology and IT systems for weeks or longer. Due to such incidents, parent, educator, student, taxpayer, and policymaker trust in education technology is being placed increasingly at risk.
As we look to 2019 and beyond, we can expect schools to continue their reliance on technology and in so doing increase their cyber risk profile. To the degree schools broaden their data collection and sharing efforts to include even more sensitive data – such as personal communications, biometric data, and social/emotional and affective data – the impact of any potential cyber incident is magnified. Moreover, given the centralization of data systems and platforms, future cyber incidents have the potential to impact ever larger numbers of students and educators across district and state lines. This is particularly concerning, because issues of K-12 cybersecurity have largely been overlooked by policymakers, regulators, and school leaders, despite greater attention to issues of student data privacy.
Ultimately, the goal of K-12 stakeholders must be to reduce and better manage the cybersecurity risks facing increasingly technologically-dependent schools, but make no mistake: keeping K-12 schools ‘cyber secure’ is a wicked problem – one that is assured to get worse until we take meaningful steps to address it. It won’t be solved solely by an infusion of money, new technologies, new policies and regulations, or a cybersecurity awareness campaign; all are likely necessary, but how they are implemented and evolve over time to meet the specific and idiosyncratic needs and constraints facing public K-12 schools will matter most of all. 
Enhancing the capacity of the K-12 community to share timely information, build a knowledge base, and identify and promulgate promising policies and practices is why the K-12 Cybersecurity Resource Center was launched. This report is only a small but necessary step in a much longer journey toward building the will and capacity to act.
See, e.g., “Schools are using AI to track what students write on their computers.”
See, e.g., “How Affective Data Could Change Learning Outcomes.”
See “How Should We Address the Cybersecurity Threats Facing K-12 Schools?” for further thoughts on the elements of a meaningful framework for addressing emerging K-12 cybersecurity threats.