Q&A: How district leaders can improve cybersecurity

Q&A with Nir Kshetri, Professor of Management at Bryan School of Business and Economics, University of North Carolina-Greensboro


Last summer, the White House announced initiatives to enhance K-12 cybersecurity, including increased federal support, resources, training and partnerships to strengthen school system resilience against cyber threats. Now more than ever, cybersecurity in K-12 education has become a priority for administrators, given the digitization of learning environments and the rising prevalence of cyber threats.

Nir Kshetri is Professor of Management at Bryan School of Business and Economics, University of North Carolina-Greensboro.Nir Kshetri is Professor of Management at Bryan School of Business and Economics, University of North Carolina-Greensboro.To gain more insight into current cyber challenges and possible solutions, DATIA K12 interviewed Nir Kshetri, Professor at Bryan School of Business and Economics, University of North Carolina-Greensboro. 

What prevents schools from utilizing federal cybersecurity resources, such as the Cybersecurity and Infrastructure Security Agency (CISA)?

A significant barrier for schools in utilizing federal cybersecurity resources like those from CISA is the lack of dedicated cybersecurity personnel. K-12 schools often perform poorly in cybersecurity due to staffing issues, with about two-thirds of school districts missing a full-time cybersecurity position. Even where cybersecurity staff are employed, budget constraints frequently prevent the hiring of a chief information security officer, resulting in IT directors assuming the role while managing broader IT operations.

What is the first step in improving school cybersecurity?

Evaluating and assessing any vulnerabilities that may affect a school district is the first step to ensuring cybersecurity. CISA has created a tool that assists districts when they need to “identify what security measures and supports are currently in place at their schools.” An initial assessment provides the district with a baseline, which will help to target and address any specific vulnerabilities that may have been otherwise overlooked. To Professor Kshetri’s point, it’s very important that there is enough room in the school budget for cybersecurity staff or a security officer.

How should district leaders approach the most common cyber threats?

1. Establish clear guidelines. The most common and serious threats are ransomware attacks, where cybercriminals have targeted public schools throughout the United States. School leaders should establish clear cybersecurity guidelines and policies, providing regular updates on phishing and other threats, along with strategies to mitigate them. Additionally, schools should consider purchasing cyber insurance to protect against ransomware and other threats.

The Department of Education and its Office of Educational Technology (OET) has issued several documents that can assist in providing a good foundation of guidelines and strategies, including a brief on digital infrastructure, which provides a good start for schools who haven’t updated their systems recently.

2. Implement an Identity and Access Management (IAM) system. According to Juniper Research, “IAM components can be classified into four major categories: authentication, authorization, user management, and central user repository.” An IAM system will assist in not only verifying the identity of the individual requesting access to a system, but also the authorization and management of the data accessed by that individual. This safeguards student devices and allows administrators to secure those devices remotely.

3. Provide training and professional development on cyber protocols. The Cybersecurity and Infrastructure Security Agency (CISA) is playing a key role in providing cybersecurity training for school staff. In 2023, the agency announced a plan to provide cybersecurity training to an additional 300 K-12 schools, school districts, and other organizations involved in K-12 education.

In 2022, Los Angeles Unified fell victim to a ransomware attack that disrupted multiple systems throughout the district. Their updated cyber safety policies afterwards now include these Quick Tips:

  • Set strong passwords, change them regularly, and don’t share them with anyone.
  • Keep your operating system, browser, and other critical software up to date by installing updates.
  • Maintain an open dialogue with your friends, family, colleagues and community about internet safety.
  • Use privacy settings and limit the amount of personal information you post online.
  • Be cautious about offers online – if it sounds too good to be true, it probably is.
  • Find out more about the types of messages that should trigger red flags for you.

What are some sources of government funding for school cybersecurity measures?

The FCC has announced a three-year, $200 million pilot program to enhance cyber defense measures in K-12 schools. Priority will likely be given to schools with evident requirements for cybersecurity funding, coupled with transparent and actionable proposals detailing how they intend to allocate the funds. Priority allocation of funds is likely to be given to low-income schools, especially those situated in rural regions. Through the FCC pilot program, K-12 schools and libraries will receive enhanced cybersecurity and advanced firewall services, which are vital for protecting their broadband networks and data.

Multiple companies such as Amazon, Google, Cloudflare, PowerSchool, and D2L have joined the federal initiative. Amazon Web Services has allocated $20 million to support a cyber grant program aimed at assisting school districts and state departments of education. In addition, the FBI and the National Guard Bureau are providing updated resource guides to ensure that state government and education officials know how to report cybersecurity. The U.S. Department of Education has established a council to bolster cybersecurity measures in K-12 schools.

For more information see the K-12 Digital Infrastructure Brief: Defensible & Resilient