CIS Study Finds 82% of K-12 Organizations Experienced Cyber Threat Impacts in the Past 18 Months

• By Rhea Kelly
• 03/19/25

A new report from the Center for Internet Security highlights the increasing sophistication, frequency, and impact of cyber attacks against K-12 schools. The 18-month study collected data from more than 4,600 schools and districts, including responses to CIS's 2023 and 2024 Nationwide Cybersecurity Review, MS-ISAC member feedback, services data, direct reporting data from the CIS Security Operations Center, data from CIS Cyber Incident Response Team engagements, and threat data from the CIS Cyber Threat Intelligence Team.  

Eighty-two percent of reporting K-12 organizations said they had experienced cyber incidents in the past 18 months. Nearly 14,000 security events were observed, with 9,300 confirmed incidents. Notably, attacks surged during high-stakes periods like the beginning of the school year or exams — times when restoring services is most critical. "The timing of attacks may demonstrate increasing sophistication of cybercriminals and a move toward strategic targeting K-12 organizations during the academic calendar's pressure points," the report said.

Attacks targeting human behavior exceeded other techniques (such as exploiting technical vulnerabilities) by at least 45%. Malvertisement — using deceptive ads to lead users to malware or phishing scams — was the top malware infection vector, representing 63% of attack methods. "The trend toward attacks that target human vulnerabilities highlights the adaptability of threat actors, who are now exploiting the inherently supportive and trusting characteristics of educational settings," the report noted. "Teachers, administrators, and support staff, whose primary focus is helping students succeed, now find themselves on the front lines of cybersecurity defense."

The report's cybersecurity recommendations reflect the importance of the human element. In addition to implementing technical controls and frameworks, institutions must empower users, boost security awareness, and foster community resilience, the report emphasized.

"Our research shows that K-12 organizations can achieve significantly better security outcomes when they … foster an environment where every individual understands their vital role in protecting their school community," the report asserted. "While cybersecurity measures often focus on the technical aspects of securing the environment, integrating a human-first approach to security mirrors what K-12 organizations are already doing to address types of threats such as tornadoes or fires. K-12 organizations should develop environments where everyone who accesses the network — from administrators to substitute teachers — feels they are a crucial part of the security team."

The full report is openly available on the CIS site.