CRACK IN THE CODE

Best practices for cybersecurity in K-12 education

Each week, the staff at Community High School District 99 receive a brief scenario-based form prompting them to think critically about how they would respond to various cyber and physical security situations. The initiative—which the Downers Grove, Illinois, district branded “What-If Wednesday”—encourages ongoing reflection and engagement with its security protocols.

Tony Dotts, District 99’s Information Security Manager, says that staff training plays a vital role in defending against cyber threats, as even the most advanced security tools cannot fully compensate for the human element. As schools rely more on digital platforms, safeguarding student and staff data continues to be a critical priority. Part of that safeguard means empowering staff with knowledge and awareness. 

“It’s important that staff not only understand what data we’re protecting, but also understand their role in maintaining its security,” says Dotts, CISSP, CvCISO, CETL, CCRE. “Our initial training effort was through simulated phishing campaigns. These exercises help staff identify the signs of phishing attempts and understand the correct procedures for reporting them.”

By clearly communicating the purpose of these simulations and offering immediate, constructive feedback—including targeted mini-trainings for those who fall for phishing attempts—the District 99 team fosters a culture of learning rather than punishment. “Over time, we’ve expanded our training approach to include a variety of methods to reach different learning styles and maintain ongoing engagement,” Dotts says.

Those approaches include professional development sessions, in which the full administrative team takes part in a four-hour tabletop cybersecurity exercise, simulating realistic scenarios and discussing appropriate responses. Another checkpoint is new staff onboarding, in which all new hires are required to complete a concise, 15-minute cyber safety training video to establish a baseline understanding from Day 1.

Other tools include visual reminders, namely cybersecurity posters and digital signage placed in high-traffic areas to provide ongoing, passive reinforcement of key safety messages, and periodic email reminders tied to relevant threats, such as seasonal scams or phishing trends observed in the wild.

“We face the same types of attacks as Fortune 500 companies but without a Fortune 500 budget,” Dotts says. “The most common threats are ransomware, phishing, and social engineering, which are often interconnected parts of the same attack. Our data—especially student Personally Identifiable Information (PII)—is valuable, and schools are particularly vulnerable because we’re seen as soft targets.”

Many school districts today lack the resources for dedicated cybersecurity staff and tools, giving attackers an advantage. Additionally, the complexity of school IT environments, spanning both on-premises systems and the cloud, further increases the attack surface.

At the ready…

William Brackett recalls an incident at another school district where a cyber attacker used credentials from a website breach to gain initial access to the district’s system. In the following months, a team of attackers was able to move laterally until they found administrative credentials. Once they had administrative access, they planned a ransomware attack.

On a weekend evening right before a district break, the attackers set out to launch their attack. Before doing so, they threatened to release PII data from the school district, which resulted in a ransom being paid. The IT team was alerted within 12 hours of the start of the attack. After third-party entities were brought in, the IT team successfully cleaned up the backups and rebuilt the network. By the time the students came back from break, the district was at 90% operational capacity.

While Oak Park Elementary District 97 has never had a major breach of its systems, Brackett, Director of IT Services for Oak Park, is a student of what has happened at other districts and how they handle breaches. “Cybersecurity attacks follow what some call the anatomy of an attack, which I refer to as a chain of attack. In these models, it starts with initial access. The chain follows a series of attacks laterally and vertically to find the useful or intended resources to exploit.”

Brackett says that for too long, security and data privacy have been secondary concerns or afterthoughts for many school districts. Efforts become bolt-on pieces that have inherent weaknesses. “We need to start working on designs and systems with security as part of the design. We also need to demand that our vendors’ offerings are secure by design as well.”

There are many different methods of training for today’s school administrators. One is to insert cybersecurity training into compliance training, which, while an easy way to get eyes on the content, is the least effective. Another is phishing testing paired with training, which gives data on the readiness of staff while providing feedback training for those who failed the test.

The most effective method is the one that takes the longest—teachable moments. “This takes the form of a one-on-one review of an incident,” Brackett says, like the one that hit Oak Park. “It requires using After Action Reviews (AAR) to build an environment of learning from actions. We also use group reports on known incidents and mass email attacks. I would explain the attack and how it was detected, praising staff members who identified the issues publicly.”

Oak Park’s IT team builds systems and trains staff on the processes, stressing that they will never get reprimanded for holding to the process. “The more sensitive the department, the stronger the processes and reinforcement,” Brackett says.

Building your cybersecurity plan

One of the most comprehensive cybersecurity plans for K–12 education begins with a foundational assessment, ideally based on the NIST Cybersecurity Framework. While the full framework can be overwhelming, there are free, K–12-specific assessment tools that help schools understand and apply its principles in a manageable way. These assessments are invaluable for identifying strengths, pinpointing areas for improvement, and outlining the steps needed to enhance cybersecurity posture.

Both Dotts and Brackett favor this approach. In addition, key components of a strong plan include an Incident Response Plan and a Business Continuity Plan—often referred to in educational settings as a Learning Continuity Plan. Both are essential for ensuring that teaching and learning can continue with minimal disruption during a cyber event.

Policy development is another critical area. In District 99, Dotts and his team partner with their Incident Response vendor to update and refine a range of cybersecurity policies—from Acceptable Use and Asset Management to Security Training, Vulnerability Management, and more. These are all consolidated in their public-facing Information Security & Data Privacy Governance Guide, which serves as a central resource for staff and stakeholders.

For schools with limited budgets, starting with a focused assessment and building out practical, scalable policies and response plans offers a strategic path forward. “It is a sad truth that funds for cybersecurity are a low priority,” Brackett says. “Board members and administration see ‘what if’ spending versus spending to address student achievement. When that formula is considered, student achievement will always win over cybersecurity spending.”

In today’s digital learning environments, safeguarding student data and school infrastructure requires more than just firewalls—it demands a culture of cybersecurity awareness and proactive planning. By implementing best practices and fostering collaboration across IT teams, educators, and administrators, K–12 schools can stay one step ahead of evolving threats.


SIDEBAR

Strengthening your cybersecurity strategy

A comprehensive cybersecurity strategy doesn’t require a massive budget—it requires a smart, balanced approach. Start with a foundational self-assessment using the NIST Cybersecurity Framework or CIS Critical Security Controls, which help identify current strengths and gaps. From there, build out key components:

  1. Incident Response & Learning Continuity Plans – Minimize disruption during a breach.
  2. Policy Development – Cover areas like Acceptable Use, Asset Management, Security Training, and more.
  3. Cybersecurity Culture – Train staff regularly, and set secure-by-default expectations within your tech team.
  4. Endpoint Protection – Use built-in tools to encrypt data, restrict admin access, and configure local firewalls.
  5. Network Monitoring – Set up logging and learn what “normal” traffic looks like to spot anomalies early.

Source: Tony Dotts, Information Security Manager, Community High School District 99; William Brackett, Director of IT Services, Oak Park Elementary District 97