Back to Basics: The 4 ‘Rs’ in Education - Reading, Writing, Arithmetic, and Resilience

The education sector is a frequent target of threat actors because of the sensitive nature of associated data and its social importance. Year after year, education institutions at all levels increase reliance on technology for instruction, homework, communications, and record keeping. And, as is the case with all industries, inadequate security measures can lead to critical cyber incidents that disrupt operations and result in tremendous amounts of data theft, learning loss, and financial hardship. Despite this understanding, the educational sector is relatively unprotected against tumultuous and sophisticated cyber threat actors.

As risks continue to grow, particularly regarding cyber, educational establishments are at the forefront of its impact. According to the risk rating agency 穆迪分析 , “Global cyber risk scores for education…bumped up from ‘moderate’ to ‘high’ between 2022 and 2024,” with the primary reasons being digitization and a general lack of strategic cyber programs (1). Education, as an organizational sector, is late in adopting cyber defenses as the prioritization of resources is earmarked for classroom-centered, teacher- and student-focused services related to learning, not behind-the-scenes software. The problematic nature of this lack of cybersecurity makes itself known all too often.

A Case Study

In December 2024, education technology (edtech) corporation PowerSchool , whose software helps schools and parents track student records, became aware of a significant breach. In the following weeks, they warned customers about data theft that exposed highly sensitive information, including Social Security numbers, grades, and the medical information of millions of students.

Like most, this incident began with the threat actor stealing legitimate credentials and then moving laterally in the software application through the customer support portal, where they were able to exfiltrate the data and extort the victims.

According to numerous resources, the extensive nature of this breach is estimated to have impacted in some way 62 million individuals and “appears to be the largest breach of American children’s personal information to date” (2). It should go without saying that educational institutions, given their critical societal function and handling of the sensitive data of minor children, should be at the forefront of cyber innovation. Unfortunately, this is not the case.

If you think your organization has been impacted by the PowerSchool breach, or any other vendor, SpearTip has created a cybersecurity checklist to guide you in taking the proper next steps. It can be accessed here: https://www.speartip.com/cybersecurity-checklist-for-powerschool-breach/

Education and the Cyber Landscape

A report from the Cybersecurity and Infrastructure Security Agency (CISA) supports this recognition, saying that too many schools are “target rich [and] cyber poor…due to the extensive data kept on school networks, often without the proper protection” (3). In fact, more than one incident impacts schools per day.

These cyberattacks, while originating in a plethora of ways, are dominated by two types of incidents: phishing campaigns (30%) and vulnerability exploitation (29%) (4). While it is simple to identify such problems, solving them at scale has been a demonstrable challenge. A meaningful starting place, however, should be precisely where school districts step in. Clever Inc. Cybersecure 2024 report Exploring the Intersection of People, Partnerships, and Technology in K-12 Cybersecurity noted several troubling findings: only 50% of districts evaluate or require multi-factor authentication; 39% encrypt their data, 36% utilize access controls, 30% have an Incident Response Plan, and 28% conduct audits or compliance reviews (5). With so many poor cyber policies and processes in place, it is no wonder schools are among the favorite targets of threat actors.

Joe Hoosech , Vice President at SpearTip , an organization with nearly two decades of experience responding to cyberattacks, provides insight into why Education is not as resilient as it could or should be: “SpearTip has responded to numerous incidents in the education sector; even in sharing all of the reports and articles during conversations with stakeholders, they thought it would never happen to them.?It was only after the cyber incident that they took Cyber Security seriously and commented – why didn’t we do this before? Parents should actively engage with the school board and stakeholders to ensure their child’s information is adequately protected.”

Implementing a Sustainable Solution

Any hope of defending educational providers against cyberattacks, whatever their origination, will require an all-hands-on-deck approach involving school district leaders, technology support teams, educators, students, their families, third-party service providers, cybersecurity firms, and elected officials.

Conversations about educational services—which arguably should now include cyber solutions—will inevitably focus on funding and budget. According to a Coro report, “schools spend less than 10% of their IT budget on cybersecurity,” which is relatively low considering most students, regardless of district or age, use technology in service of their learning. This allocation is complicated to understand, given that almost 50% of schools affected by ransomware paid the requested ransom to have the stolen data returned without it being made public (6). Such a high ‘success’ rate for threat actors only emboldens them and highlights schools as targets.

The consequences of not prioritizing cybersecurity can be seen in other eye-opening statistics, as well. One of the more disconcerting findings, published by ThreatDown in its 2024 State of Ransomware in Education, was an increase of “92% in K-12 attacks” over the previous year (7). Further demonstrating the impact of insufficient cyber resilience throughout the education sector, each ‘successful’ cyberattack causes schools to lose approximately 12.6 days of downtime (learning) and costs $548,185 per day, an astronomical sum, principally when compared to the annual cost of a robust cybersecurity program (8). These losses and all data-related fallout should be a call to parents, taxpayers, and all education stakeholders that more needs to be done to protect schools and their students.

However difficult schools may be to secure, numerous funding sources and strategies beyond the standard budget are available to improve cybersecurity, some of which are explained here. For one, the US Department of Homeland Security , through its State and Local Cybersecurity Grant Program, has $1 billion earmarked for such efforts (9). Additionally, numerous districts have engaged in bulk purchases of services and solutions that reduce per pupil or user costs of implementing meaningful cybersecurity (10). This allows rural or under-resourced schools to have effective cyber programs.

Money is not a panacea to this problem and cannot itself buy cyber resilience.

Bringing Cyber into the Curriculum

Resilience requires embedding security awareness and education into the fabric of school curriculums without regard to subject or grade level. Students, teachers, vendors, and district personnel—among others—must understand the gravity of the landscape and know how to maintain effective security. Less than 40% of K-12 students are provided cybersecurity education as part of a curriculum despite more than 90% adoption rate of technology in the classroom (11). Digital literacy and cybersecurity awareness programs are as readily available as e-books and can serve as a gateway to generate interest in a growing sector of the economy.

If kids are going to be required to use, and often take home, school-issued technology in support of their education, cyber awareness and training must become part of the curriculum. (The same should hold for adults!) Organizations like KnowBe4 provide supplemental materials teaching “students about things like phishing, ransomware, and other cybersecurity-related topics” that help impress the importance of cyber safety (12).

The bottom line is that resources are available to all stakeholders in education to create resilient and sustainable cybersecurity that protects the sensitive information of all students. Because attacks against schools are so lucrative, it makes sense that they will continue until something is done to stop the malicious threat actors.

We must implement solutions based on the lessons learned from years of devastating cyberattacks impacting schools and their students. The time to act is now.

Sources

1. https://www.k12dive.com/news/moodys-rates-education-sector-high-cyber-risk-2024/733342/
2. https://www.nbcnews.com/tech/security/powerschool-hack-data-breach-protect-student-school-teacher-safe-rcna189029
3. https://www.cisa.gov/K12Cybersecurity
4. https://www.forbes.com/councils/forbestechcouncil/2024/03/11/what-cybersecurity-threats-does-the-education-sector-face/
5. https://www.clever.com/wp-content/uploads/2024/01/Clever-Cybersecure-2024.pdf
6. https://www.coro.net/blog/navigating-k-12-budget-cybersecurity-constraints-for-schools
7. https://www.threatdown.com/blog/2024-state-of-ransomware-in-education-92-spike-in-k-12-attacks/
8. https://www.cybersecuritydive.com/news/ransomware-schools-2023/725808/
9. State and Local Cybersecurity Grant Program
10. https://edtechmagazine.com/k12/article/2023/04/cybersecurity-costs-rise-how-can-k-12-schools-ratchet-protection-budget
11. https://cyber.org/sites/default/files/2020-06/The%20State%20of%20Cybersecurity%20Education%20in%20K-12%20Schools.pdf
12. https://www.knowbe4.com/press/empowering-the-next-generation-knowbe4-releases-its-childrens-interactive-cybersecurity-activity-kit

The information in this newsletter publication was compiled from sources believed to be reliable for informational purposes only. This is intended as a general description of certain types of managed security services, including incident response, continuous security monitoring, and advisory services available to qualified customers through SpearTip, LLC, as part of Zurich Resilience Solutions, which is part of the Commercial Insurance Business of Zurich Insurance Group.? SpearTip, LLC does not guarantee any particular outcome. The opinions expressed herein are those of SpearTip, LLC as of the date of the release and are subject to change without notice. This document has been produced solely for informational purposes. No representation or warranty, express or implied, is made by Zurich Insurance Company Ltd or any of its affiliated companies (collectively, Zurich Insurance Group) as to their accuracy or completeness. This document is not intended to be legal, underwriting, financial, investment or any other type of professional advice. Zurich Insurance Group disclaims any and all liability whatsoever resulting from the use of or reliance upon this document. Nothing express or implied in this document is intended to create legal relations between the reader and any member of Zurich Insurance Group. Certain statements in this document are forward-looking statements, including, but not limited to, statements that are predictions of or indicate future events, trends, plans, developments or objectives. Undue reliance should not be placed on such statements because, by their nature, they are subject to known and unknown risks and uncertainties and can be affected by numerous unforeseeable factors. The subject matter of this document is also not tied to any specific service offering or an insurance product nor will it ensure coverage under any insurance policy. No member of Zurich Insurance Group accepts any liability for any loss arising from the use or distribution of this document. This document does not constitute an offer or an invitation for the sale or purchase of securities in any jurisdiction.

In the United States, Zurich Resilience Solutions managed security services are provided by SpearTip, LLC.

Copyright ? 2025 SpearTip, LLC