In today’s digital landscape, school districts face unprecedented cybersecurity challenges. Cyberattacks, often launched with minimal warning, exploit vulnerabilities in outdated systems and underfunded infrastructures. For schools, the stakes are high: Sensitive student data, staff records and operational continuity all hang in the balance.
This article builds on a presentation delivered at the New Jersey School Boards Association’s Workshop 2024, offering a detailed roadmap for improving school security. By examining real-world case studies, lessons learned and actionable strategies, we aim to equip educational institutions with the tools needed to safeguard their digital and physical environments.
Background
As a point of reference, the Robbinsville Board of Education in Mercer County was fortunate to have four board members with infrastructure technology backgrounds, who formed an ad hoc Technology Committee to ask probing questions, support initiatives and set policies. After four years of improvements, the ad hoc Technology Committee was disbanded and rolled into the Business Committee.
After a few years of advancements, our school district experienced a cyber incident in November 2023. It affected some systems but did not cause any liable damages or result in access to personally identifiable information, such as payroll and the student information system. We had secured our most important data before the attack, and the incident prompted us to harden even more systems and close additional vulnerabilities.
The Current Landscape of School Cybersecurity
Schools, like many organizations, are attractive targets for cybercriminals. Hackers exploit common vulnerabilities, including weak passwords, outdated hardware (i.e. no longer receiving patches and software upgrades), and insufficiently segmented networks. For our high-performing K–12 district serving 3,100 students, these risks materialized into a full-scale attack.
The district inherited outdated systems, including multiple email servers (i.e. three different emails per person), decades-old hardware and inadequate network segmentation. These structural deficiencies provided attackers with easy entry points. The consequences were significant, underscoring that even seemingly small vulnerabilities can lead to catastrophic outcomes.
A Case Study in Cyber Vulnerability
The district’s cyberattack unfolded in three distinct phases: pre-attack, attack progression and recovery.
- Pre-Attack Indicators: The attack began with subtle warnings: email password reset notifications followed by internet outages. These disruptions hinted at unauthorized activity within the system. Unfortunately, these system notifications were noticed too late, since attacks typically occur very early in the morning when people are sleeping.
- Attack Progression: Attackers exploited multiple vulnerabilities, including a flaw in a clock system and the use of outdated passwords. They installed IP scanners weeks before the event to map the network and identify weak points. The exploitable issue had been known to a multi-billion-dollar IT vendor for months, with no patch or update released to fix it; this is known as a zero-day attack.
- Response and Recovery: Once the attack was detected, the district disconnected affected systems. Insurance companies and third-party contractors were engaged, but delays in secondary insurance response hampered progress. Critical systems were eventually restored, but not without significant financial and operational losses.
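The pre-attack indicator described above, password reset notifications arriving while nobody is watching, can be checked automatically. The following is an added example, not the district's own tooling: it flags bursts of password resets during unattended hours, and the log format, quiet hours, window and threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, event type, account); not real district logs.
SAMPLE_LOG = """\
2024-03-04T14:12:09 password_reset jdoe
2024-03-05T02:41:10 password_reset asmith
2024-03-05T02:43:55 password_reset bjones
2024-03-05T02:47:31 password_reset payroll-svc
2024-03-05T09:05:00 password_reset cwhite
"""

QUIET_START, QUIET_END = 0, 5     # assumed unattended hours: 00:00 to 04:59 local time
WINDOW = timedelta(minutes=30)    # assumed burst window
THRESHOLD = 3                     # assumed: distinct accounts reset inside one window

def parse(log_text):
    """Yield (timestamp, event, account) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue              # skip malformed lines instead of failing
        ts, event, account = parts
        yield datetime.fromisoformat(ts), event, account

def off_hours_reset_bursts(log_text):
    """Return (window start, sorted accounts) for each quiet-hour reset burst."""
    resets = sorted((ts, acct) for ts, ev, acct in parse(log_text)
                    if ev == "password_reset" and QUIET_START <= ts.hour < QUIET_END)
    alerts, i = [], 0
    while i < len(resets):
        start, j, accounts = resets[i][0], i, set()
        while j < len(resets) and resets[j][0] - start <= WINDOW:
            accounts.add(resets[j][1])
            j += 1
        if len(accounts) >= THRESHOLD:
            alerts.append((start, sorted(accounts)))
            i = j                 # continue after the burst already reported
        else:
            i += 1
    return alerts

if __name__ == "__main__":
    for start, accounts in off_hours_reset_bursts(SAMPLE_LOG):
        print(f"ALERT {start.isoformat()}: resets for {', '.join(accounts)}")
```

An alert like this is only useful if it pages someone or feeds a monitored service at the hour it fires.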
This case study highlights the importance of rapid response, robust insurance and proactive investments in security infrastructure. Our insurance broker was instrumental in pushing for a fast response, including legal representation.
Key Lessons Learned
- Every District Is at Risk: Small or large, all districts are potential targets. Smaller districts are particularly vulnerable due to limited IT staff, systems in place and budget resources. Even with a massive influx of budgetary resources, rolling out multiple complex and integrated systems takes time to coordinate. Deliberate planning and continuous upgrades are essential.
- Rapid Response Is Key: Districts must maintain vendor contracts with preapproved emergency response capabilities. Delayed actions can exacerbate damage and recovery costs.
- Infrastructure Matters: Outdated systems were a significant liability in this case. Investing in modern hardware and software is no longer optional; it is a necessity.
Building a Resilient Cybersecurity Framework
To mitigate future risks, districts must focus on several core areas:
- Upgrading Core Infrastructure
  - Modernization of Systems: Replace outdated servers, email systems and active directories with scalable, cloud-based solutions. For example, migrating student information systems and payroll systems to online platforms can enhance security and operational efficiency. Cloud-based systems cost more, but the liability transfer, system uptime, and not having to purchase or maintain your own on-site servers make the investment worthwhile. In addition, cloud-based systems allow staff to access systems from home, without the archaic and incredibly vulnerable virtual private network methodology of the past.
  - Segmentation and Fault Tolerance: Implement network segmentation to isolate critical systems. Use fault-tolerant networks and dual-factor authentication to secure sensitive data and operations. As an example, create multiple WiFi networks:
    - Production: staff and students for day-to-day business: 95% of your usage.
    - Internet of Things devices, such as your building management systems, elevators, clocks, etc. (these tend to be the worst in cybersecurity).
    - Guest network: ensure you have a “splash” page with liability disclosure for using your network.
  - Example Investments:
    - New servers: $4,000+ each.
      - Take into consideration that electricity runs around $300 to $1,000 per year; adding maintenance and depreciation may push you toward a cloud-based product.
    - Wireless access points: $1,000 each.
    - Uninterruptible power supplies: $15,000+ for lithium-ion models.
    - Computers: $800 to $1,000 each.
      - We purchase “pocket PCs” for $179 each to replace teacher computers from a decade ago. The pocket PCs are far superior and perform well for 95% of our teachers’ needs.
    - Touchscreen presentation devices: $2,500 to $4,500 each.
      - An alternative for those who do not use the touch feature is a 75” TV with a pocket PC mounted on the back and a wireless keyboard and mouse. Total cost is less than $1,000, and they perform well.
  - Case in point: When analyzing your district’s infrastructure, create an equipment list of the entire network with dates installed, models, make, etc. Software programs can scan your entire infrastructure and provide this information. Of great importance is when equipment reaches end of life and end of support. A wireless access point may have a five-year life cycle, but its end of support (i.e. software upgrades) could be eight years. Unlike building systems that can go past their life expectancy and still work, when IT equipment is past its last software upgrade and end of support, you are incredibly vulnerable to a cyberattack. In our school district, almost all of our 300 wireless access points were end of support within months of conducting the analysis, and it cost around $250,000 to purchase and install new ones. Such costs need to be incorporated into budgeting, just as buildings and grounds are in the long-range facilities plan. The examples above, however, show how you can control expenses.
- Enhancing Cybersecurity Protocols
  - Managed detection and response: Deploy managed detection and response and endpoint detection and response systems to monitor and neutralize threats. At approximately $18 per device annually, these solutions provide cost-effective, high-impact protection, even while you are asleep. Such a system would have prevented our cyber incident while costing less than the $50,000 insurance deductible per incident.
  - Email and password security: Launch districtwide TechAlert systems for incident reporting and implement robust email filtering protocols. Encourage staff to adopt strong passwords and mandate two-factor authentication on all systems.
  - Case in point: At our district, we created a unique email for all staff to communicate an immediate cyber issue, as opposed to a work order. When a teacher or administrator receives a spoofing or spear-phishing email, the email is forwarded to TechAlert. Any of the IT technicians takes action by reviewing the emails and, if warranted, deleting all such emails, blocking the sender and, more importantly, disabling forwarding to others.
- Optimizing Incident Response Plans
  - Incident response standard operating procedures: Develop SOPs for handling cyber incidents. Include clear roles and responsibilities for IT staff, administrators and third-party vendors.
  - Legal and insurance coordination: Understand legal requirements, such as GDPR’s 72-hour notification rule, and ensure insurance coverage is comprehensive. Proactively address potential gaps in policies to avoid costly delays during crises. Most importantly, the verbiage in district communications to the staff and public must be exact. If you are not aware of a cyber intrusion with data theft, but publicly announce you were hacked, then the district’s liability may become of great concern. Contact legal counsel for appropriate messaging.
- Investing in Technology Lifecycles and Budgeting
  - Lifecycle management: Align technology replacements with end-of-service schedules. Treat these updates as part of the district’s long-range facilities plan.
  - Budgeting for cybersecurity: Allocate funds for key initiatives, including:
    - AI-driven security cameras with weapon detection. If too costly, there are options to pay by the camera and contract for key exterior cameras, such as main entrances and parking lots.
    - Cloud-based storage for redundancy.
    - Encrypted communication systems.
  - Cost Examples:
    - AI camera systems: $600 per camera annually.
    - Technology wiring infrastructure: ~$1,000 per drop.
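The equipment list and lifecycle management items above both come down to tracking end-of-support dates and budgeting against them. The following is an added example, not the district's own software, that turns such an inventory into a list of unsupported and soon-to-expire assets with replacement cost per budget year; the CSV layout, asset names, model names and dates are constructed, with unit costs taken from the figures above.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed inventory; asset names, models and dates are illustrative placeholders.
INVENTORY_CSV = """\
asset,type,model,installed,end_of_life,end_of_support,replace_cost
ap-hs-101,access_point,EXAMPLE-AP-1,2016-08-01,2021-08-01,2024-08-01,1000
ap-ms-014,access_point,EXAMPLE-AP-1,2016-08-01,2021-08-01,2024-08-01,1000
srv-files,server,EXAMPLE-SRV-A,2014-06-15,2019-06-15,2022-06-15,4000
ups-mdf,ups,EXAMPLE-UPS-L,2023-01-10,2033-01-10,2035-01-10,15000
pc-rm-212,computer,EXAMPLE-PC-9,2019-01-15,2024-01-15,2025-01-15,179
"""

def lifecycle_report(csv_text, today, horizon_days=365):
    """Classify assets by end-of-support date and total replacement cost per year.

    Assets already past end of support are budgeted in the current year;
    assets expiring within the horizon are budgeted in the year support ends.
    """
    unsupported, expiring = [], []
    budget = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        eos = date.fromisoformat(row["end_of_support"])
        days_left = (eos - today).days
        if days_left < 0:
            unsupported.append(row["asset"])      # no more patches: replace now
            budget[today.year] += int(row["replace_cost"])
        elif days_left <= horizon_days:
            expiring.append(row["asset"])         # plan before support ends
            budget[eos.year] += int(row["replace_cost"])
    return {"unsupported": unsupported, "expiring": expiring, "budget": dict(budget)}

if __name__ == "__main__":
    report = lifecycle_report(INVENTORY_CSV, today=date(2024, 3, 1))
    print("Past end of support:", report["unsupported"])
    print("Expiring within a year:", report["expiring"])
    for year, cost in sorted(report["budget"].items()):
        print(f"Budget {year}: ${cost:,}")
```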
Best practices for school cybersecurity:
- Password and Network Security: Secure critical accounts with strong, frequently updated passwords. Limit VPN access to devices with two-factor authentication and static IPs. Geofence your district and disable all international access. When administrators are travelling, lift the restriction to match their itinerary and allow access from that location only. As a strong security measure, allow access outside of the school district for key systems, i.e. payroll, from the specific IP or media access control address. From our experiences, technology contractors are the worst offenders since they like to VPN into your system for remote work and leave back doors open. In the age of remote work, such practices reduced expenses, but these costs are too great to continue.
- Physical and Virtual Backups: Implement off-site backups and cloud solutions for critical systems, ensuring redundancy and rapid recovery in the event of an attack.
- Incident Reporting and Prevention: Encourage transparency and responsiveness through tools like TechAlert. For example, the district saved $50,000 in fraudulent payments by implementing vendor verification processes. Verify all address changes of companies by calling their publicly posted phone number or the one on record, and require any bank account changes for personnel to be done in person.
- Security Awareness Training: Educate staff on common phishing tactics, password management and the importance of cybersecurity hygiene.
- Core Infrastructure Investments: Focus on scalable, future-proof technologies such as EDR/MDR systems, high-capacity fiber-optic networks, and secure access solutions. In addition, third-party data security and privacy is a must.
- Backup Generator for the Main Distribution Facility: Losing power causes issues for IT systems and takes many hours to reset. Backup batteries are expensive and increase maintenance. Best practice is generator backup power, with battery backup designed for less than an hour. If your school already has a backup generator, check to see if it has capacity to add the main distribution facility, which can be done at a tenth of the cost by connecting another circuit panel.
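The geofencing practice in the first item above (block international access, lift it only for an approved itinerary, and pin payroll to a specific address) can be expressed as a small policy check over sign-in events. This is an added example, not the district's configuration: the user names, travel record and events are constructed, and the IP ranges are documentation placeholders.

```python
from datetime import date
from ipaddress import ip_address, ip_network

HOME_COUNTRY = "US"
DISTRICT_NET = ip_network("198.51.100.0/24")       # placeholder district address range
PAYROLL_ALLOWED = {ip_address("203.0.113.25")}     # placeholder approved off-site IP
# Approved travel: user -> (country, first day, last day), taken from the itinerary.
TRAVEL = {"principal1": ("FR", date(2024, 4, 1), date(2024, 4, 8))}

# Constructed sign-in events: (day, user, country, source IP, system).
EVENTS = [
    (date(2024, 4, 3), "teacher7",   "US", "192.0.2.10",   "email"),
    (date(2024, 4, 3), "principal1", "FR", "192.0.2.77",   "email"),
    (date(2024, 4, 9), "principal1", "FR", "192.0.2.77",   "email"),
    (date(2024, 4, 3), "clerk2",     "US", "192.0.2.44",   "payroll"),
    (date(2024, 4, 3), "clerk2",     "US", "203.0.113.25", "payroll"),
    (date(2024, 4, 3), "vendor9",    "DE", "192.0.2.200",  "vpn"),
]

def decide(day, user, country, src, system):
    """Return (allowed, reason) for one sign-in under the policy above."""
    ip = ip_address(src)
    if country != HOME_COUNTRY:
        trip = TRAVEL.get(user)
        # The exception applies only to the itinerary's country and date range.
        if not (trip and trip[0] == country and trip[1] <= day <= trip[2]):
            return False, "foreign sign-in without matching itinerary"
    if system == "payroll" and ip not in DISTRICT_NET and ip not in PAYROLL_ALLOWED:
        return False, "payroll from unapproved address"
    return True, "ok"

def denied(events):
    """Return (user, system, reason) for every event the policy rejects."""
    out = []
    for event in events:
        allowed, reason = decide(*event)
        if not allowed:
            out.append((event[1], event[4], reason))
    return out

if __name__ == "__main__":
    for user, system, reason in denied(EVENTS):
        print(f"DENY {user} -> {system}: {reason}")
```

The travel exception expires on its own once the itinerary's end date passes, so nobody has to remember to re-enable the block.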
Cybersecurity and Physical Security Integration
Cybersecurity efforts must complement physical security measures, such as:
- RFID and Bluetooth-enabled door swipe systems that lock/disable during lockdowns.
- Encrypted digital radios for emergency communication.
- IP-based emergency notification systems tied to digital clocks.
Investments in these areas not only enhance safety but also qualify for state contributions under bond referendums, since they are replacing existing building systems.
Lessons for the Future
The evolving nature of cyber threats demands a proactive, adaptive approach to school security. By addressing vulnerabilities, investing in robust infrastructure and fostering a culture of cybersecurity awareness, districts can create safer environments for students and staff alike.
As school boards consider their next steps, the mantra should be clear: cybersecurity is not a luxury but an essential utility, as vital as electricity or water.
Schools occupy a distinct position in the cybersecurity landscape, where their mission to educate intersects with their responsibility to protect. The lessons shared here, drawn from challenges and successes, offer a blueprint for navigating this complex terrain.
We were fortunate to have an ad hoc Technology Committee to support the budget requests with the entire board, along with our former superintendent, Brian Betze, who understands that IT has become a utility and requires constant investment and redesign. Our current superintendent, Patrick Pizzo, a former school business administrator, continues to put a focus on cybersecurity, bolstering the safety of our district.
Having an IT director and school business administrator in constant communication about IT infrastructure and properly budgeting for future needs is of incredible value.
For school leaders, the message is simple: invest in cybersecurity today to protect your most vital assets: the education and safety of your students.
John Legere has almost three decades of experience in the IT sector and currently serves as the IT Director for the Robbinsville Board of Education, Mercer County. He supports commercial companies and nonprofits with IT and coaches high school football.
Nick Mackres has a decade of experience as a school business administrator, currently working for the Robbinsville Board of Education, Mercer County. He has experience in startups, private equity, construction, commercial real estate, inventions/patents and almost 30 years of military service.