VIP Focus: Cybersecurity at K-12 Institutions: A Lesson Worth Learning

DashBoard, Dec. 9, 2015

Submitted by Judy Wright, Consulting Partner, Plante Moran

Cybercrime has touched organizations of every size and in every industry, and school districts are no exception. An attack on a district’s information technology system can compromise its ability to teach. If personally identifiable information is exposed, districts may be subject to penalties under the Family Educational Rights and Privacy Act, including loss of federal funding. Civil lawsuits may ensue. Districts may also find they aren’t covered for damages under their traditional business interruption insurance policies. One thing is clear: K-12 institutions need to have a strategy for minimizing the likelihood of a breach as well as a plan to deal with the fallout after one takes place.

What Makes School Districts so Vulnerable?

Schools tend to have more porous networks that can be accessed not only by teachers and staff, but students. School buildings are at times open to the public, allowing anyone to connect a device to the network, which makes the network incredibly difficult to secure.

Facing the Challenge: A Lesson Plan

A comprehensive cybersecurity plan needs to address not only risk minimization, but strategies for handling the fallout of a breach. Following are some important practices for getting K-12 cybersecurity up to speed.

Teach the Security Basics. Education is the first line of defense against a cyber-attack. School districts need ongoing initiatives targeted at staff, students and even parents that teach good security practices, from choosing and changing passwords to appropriate use of devices connected to the school’s network.

Classify Your Data. Not all data has the same level of sensitivity. Determine what data is sensitive and requires protection, then develop an appropriate access management plan.

Establish Strong BYOD Security Policies. Allowing students and staff to use their own computers and mobile devices to connect with a school’s network has become an increasingly common practice. Each device can introduce threats when connected to the network. Rather than allowing a free-for-all, develop a list of approved devices and a strategy for securing them.

Make Sure Your Technology Gets a Passing Grade. There are a host of basic security practices and applications that need to be in place and kept up-to-date in order to maintain a secure network, including perimeter security, wireless security, authentication, encryption, anti-virus software and patch management.

Hold Cyber Drills. Every school is familiar with the fire drill, designed to maintain safe and orderly conduct in the event of a fire. Today, schools need to be equally prepared for a digital inferno. IT administrators should put networks through their paces via penetration testing. For even more rigorous testing, consider working with an outside party to help identify potential network vulnerabilities.

Establish a Response Plan. Once a breach occurs, how the district handles the situation is critical. A comprehensive response plan should include detailed processes for containing and repairing the breach, a clear delineation of roles and areas of responsibility, a communications checklist, a set of triggers that can help determine when the institution might need to bring in outside help and guidelines for dealing with internal perpetrators.


As schools increasingly rely on the Internet, effective cybersecurity will become an essential component of a healthy infrastructure. Even with constrained budgets, there’s still much that school districts can do to detect and prevent cyber breaches and to contain them when they do occur. From ongoing education to developing sound policies, procedures and response plans, they can make significant headway in shoring up their networks and minimizing the impact of a cyber-attack.

This article is an excerpt from Avoiding a Data Breach: Cybersecurity at K-12 Institutions, available on the Plante Moran website.

Judy Wright is a partner and leader of Plante Moran’s education consulting practice. She can be reached at or 248.223.3304‚Äč.Plante Moran is one of the nation’s largest accounting, tax and consulting firms and offers comprehensive services to K-12 education clients. The K-12 team has worked with more than 200 school districts, ranging in size from 1,000 to over 100,000 students, and includes auditors, CPAs and consultants across multiple disciplines.

VIP Focus articles are company-sponsored advertisements and do not necessarily reflect the views or positions of MASB. It’s intended to provide Very Important Partners with a space to share information of value to you and your district.

Read More DashBoard Articles