CIS Study Finds 82% of K-12 Organizations Experienced Cyber Threat Impacts in the Past 18 Months

A new report from the Center for Internet Security highlights the increasing sophistication, frequency, and impact of cyber attacks against K-12 schools. The 18-month study collected data from more than 4,600 schools and districts, including responses to CIS's 2023 and 2024 Nationwide Cybersecurity Review, MS-ISAC member feedback, services data, direct reporting data from the CIS Security Operations Center, data from CIS Cyber Incident Response Team engagements, and threat data from the CIS Cyber Threat Intelligence Team.  

Eighty-two percent of reporting K-12 organizations said they had experienced cyber incidents in the past 18 months. Nearly 14,000 security events were observed, with 9,300 confirmed incidents. Notably, attacks surged during high-stakes periods like the beginning of the school year or exams — times when restoring services is most critical. "The timing of attacks may demonstrate increasing sophistication of cybercriminals and a move toward strategic targeting K-12 organizations during the academic calendar's pressure points," the report said.

Attacks targeting human behavior exceeded other techniques (such as exploiting technical vulnerabilities) by at least 45%. Malvertisement — using deceptive ads to lead users to malware or phishing scams — was the top malware infection vector, representing 63% of attack methods. "The trend toward attacks that target human vulnerabilities highlights the adaptability of threat actors, who are now exploiting the inherently supportive and trusting characteristics of educational settings," the report noted. "Teachers, administrators, and support staff, whose primary focus is helping students succeed, now find themselves on the front lines of cybersecurity defense."

The report's cybersecurity recommendations reflect the importance of the human element. In addition to implementing technical controls and frameworks, institutions must empower users, boost security awareness, and foster community resilience, the report emphasized.

"Our research shows that K-12 organizations can achieve significantly better security outcomes when they … foster an environment where every individual understands their vital role in protecting their school community," the report asserted. "While cybersecurity measures often focus on the technical aspects of securing the environment, integrating a human-first approach to security mirrors what K-12 organizations are already doing to address types of threats such as tornadoes or fires. K-12 organizations should develop environments where everyone who accesses the network — from administrators to substitute teachers — feels they are a crucial part of the security team."

The full report is openly available on the CIS site

About the Author

Rhea Kelly is editor in chief for Campus Technology, THE Journal, and Spaces4Learning. She can be reached at [email protected].

Featured

  • Two figures, one male and one female, stand beside a transparent digital interface displaying AI symbols like neural networks, code, and a shield, against a clean blue gradient background.

    Microsoft-IDC Report Makes Business Case for Responsible AI

    A report commissioned by Microsoft and published last month by research firm IDC notes that 91% of organizations use AI tech and expect more than a 24% improvement in customer experience, business resilience, sustainability, and operational efficiency due to AI in 2024.

  • group of educators working on computer

    Improve Teacher-Student Satisfaction by Removing Procurement Obstacles

    Intuitive tools help teachers gain flexibility and control over purchases, and more time back for doing what they love.

  • abstract geometric pattern of glowing interconnected triangles, hexagons, and circles in blue, gold, and white, spread across a dark navy-to-black gradient background

    OpenAI Introduces 'Operator' AI for Performing Web Tasks

    OpenAI has announced "Operator," an AI agent designed to perform web-based tasks autonomously using its own browser. Currently available as a research preview for Pro users in the United States, the tool aims to automate everyday activities such as filling out forms, ordering groceries, and even creating memes.

  • horizontal stack of U.S. dollar bills breaking in half

    ED Abruptly Cancels ESSER Funding Extensions

    The Department of Education has moved to close the door on COVID relief funding for schools, declaring that "extending deadlines for COVID-related grants, which are in fact taxpayer funds, years after the COVID pandemic ended is not consistent with the Department’s priorities and thus not a worthwhile exercise of its discretion."