Opinion: Context Matters in Designing Cybersecurity Tools for K-12

Just this past year, K-12 districts achieved a dubious new milestone: They surpassed hospitals, government offices and other public-sector targets to become the most frequent victims of cyber attacks, according to a January 2024 report from the antivirus software company Emsisoft. This shift, coupled with the accelerating adoption of ed-tech tools, presents unprecedented cybersecurity challenges for schools.

From our day-to-day interactions with district superintendents (and for one of us, from former experience as one), we know they feel a growing sense of anxiety and responsibility when it comes to ensuring the security of their technology systems. And with good reason: K-12 school systems, with their wide range of end users, including students as young as 4 or 5 years old, are particularly vulnerable to cyber attacks. Districts also make attractive targets for cyber criminals with millions — if not billions — of dollars and a wealth of personally identifiable information (PII) passing through their systems. This vulnerability, coupled with the valuable assets they possess, may also explain why school districts face increasing pressure from insurance companies to deploy top-notch practices that reduce their vulnerability to these attacks.

However, as former teachers, we know that adopting and following such practices can be particularly challenging for schools — precisely because they are schools. While modern classrooms, like our companies, have become increasingly dependent on technology, the similarities end there. Classrooms, with one teacher responsible for engaging multiple young learners simultaneously, present unique challenges when it comes to cybersecurity. This is why, as school districts adapt to an increasingly digital-first world, they will need to implement K-12-specific cybersecurity strategies that consider first and foremost the need for seamless learning experiences in the classroom. In developing and deploying these strategies, district leaders should consider the following factors:

• Tailor strategies to the unique needs of K-12 environments. If you do online banking, you are likely familiar with multifactor authentication (MFA). It’s a cybersecurity measure that requires a user logging into an account to verify their identity by providing a code sent to their email or phone. MFA has proven to be one of the best strategies for protecting an organization’s technical infrastructure, but still only 60 percent of companies are utilizing an enterprise-level MFA solution given the challenges of implementation with employees. Now, imagine deploying an MFA solution in a K-12 classroom with teachers and students. It’s critical to consider how MFA will work for a second-grade student who may not have an email account that can be used for the verification email. To address this, school districts should seek out K-12-specific cybersecurity tools with their end users — teachers and students — in mind. 

• Ensure security tools can integrate and interoperate with classroom tools. Cybersecurity in K-12 schools starts in the classroom — a dynamic, sometimes chaotic, environment where effective teaching and learning rely on seamless experiences with technology. Teachers naturally gravitate towards the most effective tools, but if those tools are not properly integrated with district IT systems, they become risky access points for cyber threats. Interoperability is key to ensuring that new ed-tech tools can be easily implemented in the classroom. Effective cybersecurity tools balance security with user-friendliness, making it easy for students to engage with learning materials while providing teachers with meaningful insights and protecting data privacy. Ultimately, the layers of security a school system puts in place must not only integrate with classroom tools, but support the core mission of teaching and learning. By prioritizing interoperability, schools can create a robust defense against cyber threats that starts at the frontline: the classroom.

• Design cybersecurity systems with your teammates in mind. Cybersecurity is a team sport. But in K-12 education, it’s a team sport that you play with a diverse group of teammates. K-12 systems, on average, also use a lot of different ed-tech vendors — over 2,500 per district, with each individual student and teacher interacting with 42 different tools, on average, according to the ed-tech evaluation company LearnPlatform. Each of these end users and tech tools presents a potential point of vulnerability. And for many districts, particularly those in remote and rural communities, there may not be a local talent pool of IT professionals. To mitigate these risks, districts should consider distributing responsibility by providing training to all employees. District leaders would also do well to engage educators as they design cybersecurity strategies so every teammate can play by the rules that are established.

As technology advances, so, too, will efforts by hackers to compromise the security of all workplace systems, including those in K-12 school districts. It is imperative that developers acknowledge the unique context faced by K-12 school systems and that districts already leading the charge on cybersecurity continue to do this important work. Schools need cyber tools built just for them, to protect and maintain the data of students and employees alike in this exciting but ever-changing digital landscape.

Trish Sparks is CEO of the ed-tech software company Clever Inc. James Lane, Ed.D., is the former superintendent of public instruction at the Virginia Department of Education and current CEO of PDK International, a professional organization for educators.