A look at how best practice cybersecurity efforts can reduce your overall costs and lessen disruption to student learning
When a cyberattack successfully infiltrates your school or district, what are the impacts?
Most K-12 institutions suffer a twofold effect. They pay financially through ransomware or other costs, and their students pay educationally when they abruptly lose days or months of learning.
Preventative costs are rising with increased cybersecurity insurance premiums and the impacts of ransomware attacks and lawsuits over data breaches. And possibly more importantly, students pay the price of lost learning and paused school operations.
According to the U.S. Government Accountability Office’s report, “Critical Infrastructure Protection: Additional Federal Coordination Is Needed to Enhance K-12 Cybersecurity”:
- Loss of learning following a cyberattack ranges from three days to three weeks
- Recovery time after a cyberattack takes two to nine months
- Financial impacts range from $50,000 to $1 million due to expenses caused by a cyberattack, including the replacement of computer hardware and improving cybersecurity to prevent another attack
In the 2022 CoSN State and Federal Education Cybersecurity Policy Developments report, the organization states, “Routinely, cyberattacks compromise confidential student and employee information, disrupt classroom instruction and administrative functions, and rob taxpayers. The problem plagues the entire education sector, including schools located in the smallest rural communities and the most sprawling suburban and urban areas.”
While education and technology leaders can’t wholly stop cybersecurity threats and attacks, there are ways to help prevent them and reduce the associated costs. In this blog, we’ll look at the impact of those costs and highlight practical preventative measures you can start today to help reduce educational and financial losses at your school or district.
Why K-12 Schools and Districts Are Prime Targets for Cyberattacks
Education is a growing target for cybercriminals. Typically, schools and districts don’t have enough budgeting and staff resources to adequately harden their cybersecurity defenses against sophisticated attacks and threats. With human error as the top factor in K-12 cyberattacks, educators often rely on untrained administrators, teachers, parents, and students to fortify their “human firewall.”
Students also possess unblemished social security numbers and other personally identifiable information (PII), which presents tempting targets for bad actors. According to the Department of Education, a student record on the black market can be worth between $250 and $350.
“Target-rich and resource poor; (schools and districts) present lucrative sources of personal data that can be used by threat actors, but lack the necessary expertise, modern technology and funding to protect themselves against increasingly sophisticated threat actors,” says David Jones in a Nov. Cybersecurity Dive brief.
As a result, 1,331 cybersecurity incidents have impacted schools since 2016. At least 45 U.S. school districts suffered ransomware attacks in 2022, and when combined with higher education, 1,981 individual schools were attacked by ransomware last year.
Financial Costs Impacting Educators
For schools and districts saddled with strict, limited budgets, extra and unexpected cybersecurity costs can be devastating. Schools have reported monetary losses between $50,000 and $1 million because of cyber incidents. And throughout the COVID-19 pandemic, the average overall cost of data breaches across all industries was a staggering $4.24 million.
In U.S. schools, ransomware is the most common type of publicly disclosed cyber incident, accounting for 30% of breaches. In a recent example this past December, an Arkansas school district agreed to pay $250,000 to a ransomware attacker to regain access to its stolen data.
Another cost schools may not consider comes from the potential for lawsuits filed by those affected by a data breach. Requirements are loosening for schools and districts to be held accountable for stolen private data, making it easier and more likely for individuals to sue their district.
“Cyber coverage” insurance policies can help mitigate costs associated with cyberattacks. But in alignment with the growing number of attacks, insurance premiums are also rising. According to a Business Insurance article, cyber insurance rates have increased by 25% to 300% between 2021 and 2022.
Some school districts even reported paying as much as 334% more for cybersecurity insurance in 2022.
These insurance premiums are either fully an individual school or district’s responsibility or shared between schools in a consortium or other type of group organization.
PowerSchool customers have stated that their insurance policies are dictating their security practices. With increased ransomware attacks targeting K-12 institutions, a shortage of insurance capacity, and increased costs for coverage, insurers are diving deeper with their questions for district tech directors to gauge their level of security. And because cyber incidents can’t be entirely controlled, many insurers have fled the marketplace for schools.
What factors impact a school or district’s cybersecurity budget?
- Incident response costs, or how much you’re likely to have to pay to notify those affected by a cyber breach at a school, along with fines and penalties from government entities
- Information technology security and forensics costs for things like securing a breached network or asset and investigating incidents
- Cybercrime costs for damages from ransomware and theft of funds and records
- Systems damage and business interruption costs for restoring an out-of-operation computer system due to an attack, as well as lost productivity
Educational Costs for Students
When a school or district’s technology systems are attacked, it becomes practically impossible to continue operations in today’s digital-dependent landscape. While financial costs are clear, the price students pay in the form of closed campuses, locked-down devices, and loss of learning may not be as quickly evident.
In January 2023, Iowa’s largest school district had to cancel two days of classes and student learning because of a cybersecurity incident. Also in January, a Massachusetts school district canceled classes because of a ransomware attack.
As stated above, a single cyberattack creates a loss of student learning of up to three weeks. The overall recovery time for cyberattacks, in general, is up to nine months, and the average recovery time for a ransomware attack is 287 days.
How to Reduce the Costs of Cyberattacks
Implementing best practices for improving your school cybersecurity and reducing the associated costs is a continuing process.
General steps schools and districts can take to reduce the cost of cyberattacks include (but aren’t limited to):
- Get 24-hour protection to monitor networks.
- Create strong backups.
- Harden network defenses.
- Gain awareness of what’s stored on the network.
- Feature a ransomware response plan in hardcopy format.
- Conduct a security audit at least every six months. A third-party audit gives you a holistic view of how your technology is laid out and how to take appropriate actions when needed.
- Document plans for dealing with any situation in an “all hazards” or “safety and security” plan.
- Communicate with all your staff, parents, and students about how to avoid and report phishing attempts. Training should include how to minimize disconnected systems and logins for individuals.
- Follow an established schedule for updates, backups, and patches.
- Switch hosting of core edtech systems to your software vendors to reduce risk—with benefits like 24/7/365 monitoring, specialized data security, and advanced security technologies.
You can improve your school cybersecurity through partnerships, memberships, and participation in key groups, such as CoSN, the Consortium for School Networking.
K-12 tech directors and district leaders can also bolster security by partnering with edtech vendors with the following industry-leading qualifications and capabilities:
- Compliance with all applicable state, province, and federal data privacy regulations, including Family Educational Rights and Privacy Act (FERPA), Children’s Online Privacy Protection Rule (COPPA), Breach Laws, Data Residency Laws, the Digital Millennium Copyright Law, and the Sarbanes-Oxley Act
- Holder of privacy certifications from industry leaders such as TrustArc and Privo; signatory of the national Student Privacy Pledge
- Achievement of ISO/IEC 27001:2013 certification, renewed each year, and compliance with the SOC 2® (Security Operations Center) examination
- Reliance on a Security Operations Center
- ISO 27001 certified, outlining standards with annual, third-party audits that evaluate processes, training, and more
- Interoperability between a vendor’s edtech products through standards that ensure secure data sharing
Insurers typically look more favorably, in terms of quoting and renewal, on educational institutions that better manage cyber risks, which can improve your cybersecurity insurance standing and rates. As a rule, cyber risk awareness training is the most important risk management tool, along with vulnerability testing that depends on sophistication and the school’s financial resources.
A Continual Quest for K-12 Cybersecurity Improvements
Since it appears cyber threats and attacks are not decreasing anytime soon, it’s important to never let up in the effort to improve your cybersecurity. In 2022, legislators introduced 232 cybersecurity bills across 36 states focused on the education sector, compared to 170 bills introduced in 2021 and 87 in 2020. These bills and continuing efforts to stay vigilant against cyberattacks will help improve your cybersecurity. Schools and districts need to make it an ongoing priority to strengthen cybersecurity efforts, which can lessen your costs and disruption of student learning.