
Why 92% of schools faced cyber incidents this year

By Amit Kothari January 3, 2025

The numbers are hard to ignore. According to the K-12 Security Information Exchange, 82% of K-12 organizations experienced a cyber incident in the 2023-2024 school year. Ransomware attacks specifically increased 92% compared to the previous year.

This isn’t a problem happening somewhere else. Rockwood School District - right here in the St. Louis area - was hit by criminal ransomware. Francis Howell went remote for two days after a malware incident. These aren’t theoretical risks.

Why schools are targets

Schools make attractive targets for a few reasons, and none of them have to do with schools being careless.

First, schools hold valuable data. Student records, family financial information, Social Security numbers, health records. All of it is worth money on the dark web, and much of it belongs to minors, who rarely check their credit for years.

Second, schools tend to have smaller IT teams than similarly-sized businesses. The typical ISSL school runs technology with 1-3 people. That’s not a lot of capacity to stay ahead of sophisticated attackers.

Third, schools are public-facing. Websites, parent portals, email systems - there are lots of entry points. And attackers know schools can’t just shut down and go dark when there’s a problem.

What’s actually happening

Most attacks start with phishing. Someone clicks a link they shouldn’t have. It’s not because they’re stupid - modern phishing attacks are sophisticated enough to fool experienced professionals.

From there, attackers establish persistence in the network. They might sit quietly for weeks, mapping systems and escalating privileges. By the time you notice something’s wrong, they’ve already got access to everything.

Then comes the demand. By the time you see it, your data is usually already encrypted: pay us for the key. Increasingly there is a second threat on top of that: pay us or we’ll publish the student records we copied out before we encrypted anything. The average ransom demand in education is over half a million dollars. Many schools pay because the alternative - losing years of records or having student data exposed - seems worse.

What you can actually do

Here’s where I probably diverge from some cybersecurity consultants. I’m not going to tell you to implement a 47-point security framework. You don’t have the staff for that, and frankly, it’s not the right approach for most schools.

Instead, focus on the basics that actually matter:

Train your people. Most breaches start with human error. Regular phishing simulations and security awareness training reduce that risk significantly. Not hour-long compliance videos - short, practical guidance that people will actually remember.

Enable MFA everywhere. Multi-factor authentication stops the majority of credential-based attacks. It’s annoying, yes. It’s also the single most effective security measure most schools can implement. Start with email, remote access and every administrative account, and where you have a choice, prefer app-based or hardware-key methods over SMS codes, which attackers can intercept or talk a carrier into redirecting.

Know your backup status. When ransomware hits, your recovery options depend entirely on your backups, and attackers know it: deleting or encrypting backups is usually one of the first things they do once they have admin access. Are they current? Is at least one copy offline or immutable, somewhere a compromised admin account can’t reach? Have you actually restored from them, and do you know how long a full restore takes?

Have an incident response plan. Not a binder that sits on a shelf, but a real plan that people know. Who makes decisions? Who communicates with parents? Who talks to insurance? Figure this out before you need it.
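The backup questions above are answerable with a script rather than a feeling. The following is an added example, not code from the article or from any school’s toolchain: a small POSIX shell restore test that checks a tar backup is recent, extracts it into scratch space, and compares every restored file against a SHA-256 manifest written at backup time. The sample “student information system” export, the 60-minute freshness window and the paths are constructed for the demonstration; it assumes GNU/BSD `tar`, `find -mmin` and `sha256sum`.

```shell
#!/bin/sh
# Backup restore test: constructed example, not from the original article.
# Assumes tar, find (with -mmin) and sha256sum are available.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample data standing in for a student information system export.
# In real use the manifest is written by the backup job, next to the archive.
make_sample_backup() {
  src="$WORK/src"
  mkdir -p "$src/sis"
  printf 'id,name,grade\n1001,Example Student,7\n' > "$src/sis/students.csv"
  printf 'id,balance\n1001,0.00\n' > "$src/sis/fees.csv"
  # Record a checksum of every file at backup time; the restore test compares against it.
  (cd "$src" && find . -type f | sort | xargs sha256sum > "$WORK/manifest.sha256")
  (cd "$src" && tar -cf "$WORK/backup.tar" .)
  echo "$WORK/backup.tar"
}

# verify_backup <archive> <manifest> <max_age_minutes>
# Returns 0 only if the archive is recent, extracts cleanly, and every restored
# file matches its recorded checksum. Prints the reason on failure.
verify_backup() {
  archive=$1; manifest=$2; max_age=$3
  # 1. Freshness: a backup job that silently stopped last term is not a backup.
  if [ -z "$(find "$archive" -mmin "-$max_age" 2>/dev/null)" ]; then
    echo "FAIL: $archive is older than $max_age minutes (or missing)"
    return 1
  fi
  # 2. Restore into scratch space, never over the live system.
  restore=$(mktemp -d "$WORK/restore.XXXXXX")
  if ! tar -xf "$archive" -C "$restore" 2>/dev/null; then
    echo "FAIL: $archive does not extract (truncated or corrupt)"
    return 1
  fi
  # 3. Integrity: every file in the manifest must exist and match its checksum.
  if ! (cd "$restore" && sha256sum -c "$manifest" >/dev/null 2>&1); then
    echo "FAIL: restored files do not match manifest"
    return 1
  fi
  echo "OK: $archive restored and verified against $(wc -l < "$manifest") files"
  return 0
}

# Self-test on the constructed sample (remove when pointing this at real backups).
ARCHIVE=$(make_sample_backup)
verify_backup "$ARCHIVE" "$WORK/manifest.sha256" 60
```

Run it from cron against the real archive and manifest with a window slightly longer than the backup interval, and alert on a non-zero exit. The point of the exercise is the failure path: a truncated archive or a file that no longer matches its checksum fails the test today, not on the morning after the ransomware note arrives.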

The insurance question

Cyber insurance is getting harder to get and more expensive to keep. Underwriters are asking detailed questions about your security posture. Do you have MFA? What’s your patching cadence? Have you done penetration testing?

If you can’t answer these questions, you might find coverage difficult to obtain - or discover your existing policy has exclusions that matter.

In conversations we’ve had with school business officers, this is increasingly a concern. Insurance isn’t optional anymore, and insurers aren’t accepting “we’re a small school” as an answer.

The hard truth

No amount of preparation guarantees you won’t be breached. Sophisticated attackers with enough motivation will eventually find a way in. The goal isn’t perfection - it’s making yourself a harder target than the school down the road, and being prepared to respond when something happens.

That might sound cynical. I think of it as realistic.

If you’re an IT director at a St. Louis private school and this keeps you up at night, you’re not paranoid. You’re paying attention.