
K-12 School Incident Response Plans Fall Short - Dark Reading

Dark Reading Archived Mar 17, 2026 ✓ Full text saved



Quick recovery relies on three security measures.

Arielle Waldman, Features Writer, Dark Reading
August 21, 2025

This year's back-to-school essentials aren't all about books and backpacks. Effective incident response (IR) planning is becoming a must-have for K-12 educational institutions in light of increasing attacks, especially ransomware.

The education sector is a popular target for attackers because K-12 schools often operate with outdated systems and hold highly sensitive student data. Attackers know that schools have limited IT resources and can't afford the downtime ransomware and other incidents can cause, increasing the likelihood that they would concede to attackers' demands and pay the ransom. Effective IR plans must address student and staff safety, data privacy risks, and ongoing communication with concerned parents.

Schools that recover more quickly than those that struggle typically implement three security measures: an established plan in case of an attack, an IR retainer, and comprehensive cybersecurity policies. Responding fast relies on doing homework and setting up the infrastructure to enable that, says Jeff Williams, CTO and founder of Contrast Security.

Concerning Ransomware Trends

Ransomware frequency increased against schools during the COVID-19 lockdowns, and the threats have continued in the years since, according to several reports.

Semperis' "2025 Ransomware Risk Report" found that 61% of IT and security professionals working in the education industry confirmed they were targeted by ransomware over the past 12 months. Forty-nine percent of the attacks succeeded, and 59% of respondents surveyed paid a ransom.
Another study, the "2025 CIS MS-ISAC K-12 Cybersecurity Report," found that 82% of K-12 organizations experienced cyber incidents.

The report detailed results of an 18-month-long study covering July 2023 through December 2024. However, it wasn't the number of attacks and confirmed incidents that CIS found concerning, but the "significant increase in threat actors' sophistication and timing."

Assume Your School Will Be Targeted

Reports on ransomware plaguing K-12 schools continue to emerge, but the biggest problem the sector faces may be naivete, warns Jeremy Deckert, vice president of sales at SentinelOne.

"The greatest risk to K-12 institutions is ignoring cybersecurity threats and assuming that schools are not targets for cybercriminals," he says. "This mindset can leave organizations exposed to attacks."

That mindset is commonplace among K-12 schools because limited funding often leads districts to adopt a "hope for the best" strategy, Deckert adds.

Martha Gamez-Smith, information security officer at Texas Computer Cooperative's Education Service Center, agrees about the widespread disconnect among superintendents and staffers who believe they're secure or don't know how secure their schools actually are.

The truth is, K-12 schools face a cornucopia of security challenges, from AI-powered threats that make social engineering attacks more convincing to persistent insider threats and third-party and supply chain risks. Schools rely on a growing number of EdTech and other vendors for student information systems and learning management platforms. Earlier this year, PowerSchool, a student information system, confirmed it decided to pay a ransom following an attack in December, in which the threat actor contacted "multiple school district customers" directly in an attempt to extort them using data stolen during the attack.

Direct Extortion Threats

Records theft and personal extortion demands are two of the biggest threats K-12 schools currently face, says Mike Hamilton, former CISO of Seattle and now field CISO of Lumifi Cyber. While an IR plan is important, preventative controls are imperative because attacks against schools are very likely to happen, he says, noting how profitable they are for adversaries.

In addition to ransomware, schools are contending with record disclosure risks, theft, business email compromise, application attacks, info stealer-based attacks, extortion through denial-of-service attacks, being used as a third party to attack others, and attackers forcing them offline just for the sake of it.

"You're not going to keep that out," Hamilton says. "You can still try and do everything it says, but they're still going to get you. They've gotten so good at what they do, and there's no way a school district is going to be able to fund, attract, and retain qualified practitioners."

This rings particularly true for small to midsize school districts, which comprise Gamez-Smith's client base. In those cases, the superintendent could also be a bus driver, custodian, or teacher. Because the staff is constantly busy, phishing attacks — which she says are the prominent threat against K-12 — are often successful. That could lead to attackers gaining access to banking information; public schools cannot afford to lose money when resources are already scarce.

"[Phishing is] not the most sophisticated, but it's persistent," Gamez-Smith says. "When someone is working under those conditions, they're more apt to click on a phishing email and don't realize that happened two weeks ago."

Poor password hygiene also contributes to attacks. Many teachers save passwords by default, combined with no two-factor authentication securing the perimeter.
Once attackers compromise the devices, they get credentials and use passwords, making it relatively easy to access applications.

"[Attackers will] sit for a while and see how [the schools] do business, and then elevate their trajectory into the application," Gamez-Smith says.

Monitor, Monitor, Monitor

To protect applications exploited by attackers, K-12 may need to take a different security approach. Security protocols must include IR, but monitoring is crucial to tackle the mountain of growing threats. Be prepared for things that are bound to go wrong, detect them quickly, and put them out, recommends Hamilton. Account compromises, network compromises, and credentials that have been shared elsewhere are all suspicious activities to watch for.

"Do tabletop exercises and ask all the hard questions, like, 'When that IT guy who knows everything is on vacation, what do you do?'" Hamilton says.

Attacks against schools often cause disruptions or, more alarmingly, school closures. And some can last for weeks at a time. Part of the IR plan should outline how to redirect students in those scenarios, but that is challenging.

"I haven't really heard of anyone doing that effectively," Hamilton says.

What More Can Be Done?

To offset schools' lack of resources — staff and budgets — effective IR plans can leverage free tools, community resources, and partnerships with local law enforcement, advises Deckert. Communication is also critical. The plan must encompass a way to provide timely updates to parents, while avoiding panic and protecting the ongoing investigation simultaneously, he adds. But that balance is tricky. Attack transparency remains a contentious issue despite the prevalence of ransomware and other threats.

Like Deckert, Gamez-Smith also believes communication plans are vital to an effective IR plan. If email is down, what is the contingency plan?
"Any district will tell you, the most important thing at the end of the day, because it's attached to money, is making sure you continue teaching the students and that they are present," she says. "Our software is not working, but we have to at least get back to teaching. That means having a contingency communication backup plan in place."

Additionally, ransomware often leads to data breaches, which puts a huge strain on the staff, students, and parents.

"Schools handle a vast amount of sensitive student data, which is protected by regulations like the Family Educational Rights and Privacy Act," Deckert says. "The IR plan must include clear steps for protecting this data and notifying affected individuals and authorities in the event of a breach."

On the other hand, IR plans can instill a false sense of security for school staff, Gamez-Smith says. No matter how well the IR plan was developed — it could include all the right tools and alerts — it won't work without practice.

"It's a hard sell to [have them] spend time doing an exercise around it," she says. "And knowledge in terms of what does that look [like], until it happens, it's hard to buy in."

About the Author

Arielle Waldman, Features Writer, Dark Reading

Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, hoping to provide context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going. She previously lived in Florida where she wrote for the Tampa Bay Times before returning to Boston where her cybersecurity career took off at SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and poetry collection.