K-12 Cybersecurity 2018 Year in Review

Part I: Introduction


There is a particular strand of folklore about public schools that suggests they have changed little over time. [1] While the basic structure of elementary and secondary schools remains recognizable, one of the most significant ways schools have changed from the past has been via the massive infusion of technology. In fact, U.S. K-12 schools are increasingly reliant on technology and sophisticated IT systems for teaching, learning, and school operations.

Consider: The number of U.S. K-12 students with access to the broadband they need for ‘digital learning’ in schools and classrooms grew from 4 million in 2013 to 44.7 million in 2018. [2] Millions of mobile PCs – notebooks/Macs, netbooks, tablets, and Chromebooks – are being purchased by U.S. K-12 schools every year, with the penetration of mobile PC devices used by U.S. teachers and students now above 50 percent. [3] School telephone systems are migrating to VoIP (voice-over-IP) services; point-of-sale systems are deployed in school cafeterias; HVAC and lighting controls are centrally managed via IP networks; student information systems offer real-time insights to administrators, teachers, and parents; internet-connected surveillance cameras are being deployed in the name of school safety; and school district human resource offices manage hiring, payroll, and benefits via online portals. [4] While uneven, the scope and speed of technology adoption by U.S K-12 schools has been remarkable.

Indeed, the K-12 education technology market has grown to become very big business. [5]

Please accept YouTube cookies to play this video. By accepting you will be accessing content from YouTube, a service provided by an external third party.

YouTube privacy policy

If you accept this notice, your choice will be saved and the page will refresh.

While the benefits of technology in education may be great, its adoption also introduces new risks. As security expert Bruce Schneier writes:

“It’s no secret that computers are insecure. Stories like the recent Facebook hack, the Equifax hack and the hacking of government agencies are remarkable for how unremarkable they really are. They might make headlines for a few days, but they’re just the newsworthy tip of a very large iceberg.” [6]

While reports of data breaches and cybersecurity incidents experienced by businesses and government are shockingly frequent, [7] what do we know of the cybersecurity risks being introduced to schools with this influx of technology? What threats and vulnerabilities might students and teachers be facing, and how well prepared are school leaders to manage these new risks?

What little data we have on the state of cybersecurity risk management in U.S. K-12 public schools does not paint a promising picture. Of the 18 sub-sector peer groups investigated by the Multi-State Information Sharing & Analysis Center (MS-ISAC) in their 2017 review, local K-12 schools were reported to have the least mature cybersecurity risk management practices of any state, local, tribal, or territorial government agency. [8] Likewise, a November 2017 Education Week article concludes:

The country’s K-12 information-technology leaders are likely underestimating the dangers they face. Most don’t see cybersecurity threats such as ransomware attacks, phishing schemes, and data breaches as a significant problem….Even more troubling, many school technology leaders are failing to take basic steps to secure their networks and data. [9]

This report, “The State of K-2 Cybersecurity: 2018 Year in Review,” is designed to shed light on the threats and risks facing K-12 schools, students, and educators due to the misuse and abuse of school technology. Based on cyber incident data cataloged on the K-12 Cyber Incident Map, it offers data and insights on the actual threats and risks that were experienced by schools during 2018. Part II provides information on the data sources assembled for this report, while Parts III and IV present findings from analyses of cyber incidents and affected school districts, respectively. It concludes in Part V by suggesting lessons to be drawn from this work.

^^ Home   …   Part II: K-12 Cyber Incident Data >>


[1] See, e.g., “XQ is taking over TV to make the case that high school hasn’t changed in 100 years. But is that true?” and “The Invented History of ‘The Factory Model of Education’.”

[2] See ‘2018 State of the States: Expanding digital learning to every classroom, every day.” The ‘digital learning’ standard for broadband connectivity applied by Education SuperHighway in their analyses became a matter of federal policy in 2014 with the Federal Communication Corporation’s adoption of the E-Rate Modernization Order.

[3] See “Global Demand for Mobile Computing Devices in K-12 Grows, Powered by U.S. Market” and “The US K-12 Education Market Beats Forecast in Q3, But Stock Issues Spell Uncertainty for Next Year.”

[4] See, e.g., “Software solutions can streamline school operations, saving time and money,” “The Internet of Things (IoT): The Art of the Possible,” and “K-12 School Districts Drive Innovation with New Technologies.”

[5] See, e.g., “ISTE 2018 Conference Highlights” and “How Silicon Valley Plans to Conquer the Classroom.”

[6] See “Internet Hacking Is About to Get Much Worse.”

[7] Publications devoted to reporting on cyber incidents include Dark Reading, Naked Security, and ThreatPost among many others.

[8] See “Nationwide Cybersecurity Review: 2017 Summary Report.”

[9] See “Schools Struggle to Keep Pace With Hackings, Other Cyber Threats.”


The publication of the 2018 report was made possible with the generous support of Core BTSManaged Methods, and PC Matic PRO.