K-12 schools are facing a crisis of cyberattacks threatening to compromise data and disrupt education. Unfortunately, with K12 schools in the U.S. underfunded by nearly $150 billion annually, many don’t adequately have the IT security budget to protect against these attacks.
School data may include the personal, academic, and financial details of students, families, and staff. The K-12 sector must establish strong cybersecurity measures to protect this data from malware threats like hacking, phishing, and DDoS attacks. Schools produce vast amounts of data daily, which makes managing it a huge task. It can be extra challenging when working with older hardware or a limited number of IT staff due to restrictions from a low IT security budget.
A school’s IT security budget is based on tax revenue estimates, with no slush fund ready to help them buy a new security system after an unanticipated attack. But it’s important that schools recognize these budget constraints can cost them more in the long run. Monetary losses from K-12 cyberattacks range from $50,000 to $1 million per incident, according to the U.S. Government Accountability Office.
While most school districts are making the most of their limited education IT budget, the need for better security solutions is clear. Without a substantial investment in cybersecurity, it’s impossible to establish effective programs to keep pace with the increased threat of cybercrime. In this blog post, we’ll look at the challenges K-12 schools face due to a limited IT security budget and how they can combat the challenges in their fight against cybercrime.
Understanding K-12 IT budget constraints
COSN’s 2023 State of EdTech Leadership report revealed that one thing, in particular, remains unchanged in the K-12 sector: leaders have severe school IT budget constraints that make it difficult to keep pace with technology.
The report outlines the results of a survey of more than 1,200 school administrators. It shows that while districts are overhauling their digital ecosystems, the speed of emerging new technologies and increased cybersecurity threats are significant concerns.
Then there’s the 2023 CIS MS-ISAC K-12 Cybersecurity Report, which provides insights into the current mindset regarding cybersecurity in the K-12 sector. Perhaps unsurprisingly, the biggest concern voiced was insufficient K12 IT funding, with 81% of those surveyed expressing displeasure with school budget challenges.
Additionally, 59% said they were concerned about the evolution of technology involved in the threats, and 58% expressed concern over a lack of written-up cybersecurity processes.
Only one in three IT leaders believe their resources are sufficient to combat cybersecurity issues. And 12% of districts don’t have an IT security budget at all.
Impact on cybersecurity
Some K-12 schools may believe their low cybersecurity costs are healthy for their bottom line, and direct losses from some attacks appear to be minimal on the surface. However, many hidden costs come with cyberattacks.
For example, when a ransomware attack hit the Las Cruces Public Schools in New Mexico, the entire district’s network was out of operation for weeks. Recovery took months, with district IT staff working thousands of additional hours and the district spending tens of thousands of dollars of their education IT budget on new computers.
Ransomware attacks, in particular, have significantly affected K-12 schools. Ransomware is rising, with 80% of schools attacked in 2023, compared to just 56% in the previous year. These attacks, which keep the target's system hostage, can disrupt day-to-day operations, such as communicating online and accessing various resources.
Ransomware attacks can also result in reputational damage, which leads to a loss of credibility on top of financial losses. Such attacks highlight the need for an increased IT budget to combat security issues. Data breaches that compromise student data create an impression that schools don’t take data protection as seriously as they should.
Addressing budget constraints for IT security in K-12 schools
With a limited IT security budget to protect their IT infrastructures from cybersecurity threats, most K-12 schools are ill-prepared for the risks they face. Fortunately, there are IT security measures they can take to maximize the resources they have at their disposal.
Cost-effective security strategies
Here are three strategies schools with a restrictive IT security budget can implement to improve their cyber defense.
1. High-impact security measures
Endpoint protection has long been a sound security practice. As the network perimeter now includes home networks, it’s become even more important.
To address this while on a tight IT security budget, schools could prioritize high-risk assessor systems, such as servers or data stores, and implement advanced endpoint detection to notify them of potential threats.
K-12 schools can also make better use of the technology already at their disposal, such as the security features in Chromebooks, Windows, and cloud-based software. This enhances the protection of lower-risk assets.
2. Efficient cyber hygiene practices
K-12 institutions must build a culture of security to help students, IT teams, and other staff become more cyber aware. Choosing strong passwords, not sharing them, and knowing how to spot and report phishing emails can significantly improve cyber hygiene within an institution. These basic measures don’t require much—if any—IT security budget, just a few hours of training and security awareness lessons.
3. Segmented users on the school’s network
Networking segmentation can help reduce the risk of bad actors breaching faculty or student mobile devices and accessing sensitive data by laterally moving across school networks.
Software-defined networking (SDN) technology simplifies this process. SDN also offers an easier way to collect network data to detect traffic anomalies that could highlight malicious activity.
IT security budget allocations in K-12 schools
According to a report from the Multi-State Information Sharing and Analysis Center, the typical school only spends around 8% of its IT security budget. The report was released in November 2022 after the Cybersecurity and Infrastructure Security Agency announced its plan to improve basic cybersecurity practices in local communities, focusing on local utilities, hospitals, and schools.
K-12 schools already have to deal with an array of academic and social issues on extremely tight budgets. So when it comes to adding to their cybersecurity budget, things like Multifactor Authentication (MFA) and Single Sign-On must be weighed against other investments that fuel the need for educators and students.
Despite the challenges of a limited IT security budget, district technology leaders are taking further measures to improve cybersecurity. The Federal Communications Commission (FCC) has proposed a program that would see $200 million allocated for cybersecurity in schools. Unfortunately, this doesn’t quite cut it, as estimates show it would take $5 billion to adequately secure all K-12 schools in the country.
IT security spending includes software and hardware procurement, testing, consulting, and hiring data protection experts. As technology becomes more sophisticated, cybercriminals will employ new methods to exploit vulnerabilities in IT systems, and teachers will need to be ready.
Strategies for budget allocation
How much of their IT budget should schools allocate to cybersecurity? And which method should they use to get their figure?
If we look to other sectors for inspiration, schools could divide the funding by the number of employees. As there are more than four million teachers in the U.S., if they were to allocate the lower end of that number that covers each full-time employee in the financial industry ($1,300), that would result in the $5 billion mentioned above.
Another way of looking at it would be to think, “What percentage of the IT budget should be spent on security?” In other words, an IT security budget percentage would be determined as a portion of the overall IT budget.
For example, in 2019, the U.S. government allocated 0.3% of its budget to cybersecurity. If schools followed that example, it would result in $2.4 billion being added to all schools’ combined IT security budget, almost cutting the $5 billion in half. Not quite there, but headed in the right direction.
Monetizing and funding IT security in schools
Education leaders who recognize the effects of their IT security budget restraints are looking for help. Fortunately, there are federal grants available for school security equipment and technology. Based on region, and at the time of writing, the following states have school security grants available:
- Alabama
- Arkansas
- Colorado
- Connecticut
- Delaware
- Florida
- Georgia
- Idaho
- Indiana
- Iowa
- Kansas
- Kentucky
- Maryland
- Michigan
- Missouri
- New Hampshire
- New Jersey school security grants
- New York school security grants
- North Carolina school security grants
- Ohio school security grants
- Oklahoma school security grants
- Pennsylvania school security grants
- Rhode Island school security grants
- South Carolina school security grants
- Tennessee school security grants
- Texas school security grants
- Utah school security grants
- Virginia school security grants
In August 2023, the government rolled out plans to inject millions of funding dollars into K-12 schools. The act is part of a larger effort to defend against increased malicious cyber threats facing the sector. The plans include the $200 million pilot program mentioned earlier in this post.
Other grants and federal funding for K-12 cybersecurity
The K-12 community has been pressing for increased federal funding, with schools needing help to deal with a wave of cybersecurity attacks. The government’s E-rate program could provide a treasure chest of school IT budget funding that these schools could access to defend themselves against increasingly savvy cybercriminals.
While the program’s spending limit currently stands at roughly $4.5 billion, it’s been distributing far less than that in real terms. It only shelled out $2.1 billion in 2021 and $2.5 billion in 2022.
Funds for Learning surveyed schools and libraries in the U.S. for its 2023 E-rate Trends report, which also includes publicly available data on E-rate funding requests. The U.S. Federal Communications Commission created the program, which is considering making the fund eligible for more advanced firewalls—something many schools surveyed said they would like to implement.
Business partnerships to increase school IT infrastructure
In June, IBM announced its global Request for Proposal (RFP) to help K-12 schools fight cyberattacks and increase their students’ and faculty’s cybersecurity and AI skills. The initiative will provide $5 million, which has already helped over 350,000 students worldwide.
Fundraising and community support
There are creative fundraising ideas schools can tap into to increase their IT security budget. Getting parents involved only makes sense when the data that so fiercely needs to be protected—including that of the parents.
Here are a few ways to build IT school budget figures that can include the help of parents, teachers, and local businesses.
- Silent auctions
- Walkathon, 5ks, or bicycle events
- Tournaments: charity paintball, card games, etc.
- Canoe battleships: for the more adventurous schools
At some point, schools will need a more advanced k12 cybersecurity strategy. But for now, getting creative can reap rewards for those schools with a limited IT security budget.
Reaching out to school alums who have enjoyed success since their days in K-12 education may also work. Schools shouldn’t forget crowdfunding, which can be a highly effective way of raising money.
Conclusion
Cybersecurity is critical to K-12 education to ensure that daily operations continue without disruption and protect the data of students, staff, and parents. Unfortunately, IT security budget constraints remain a pressing concern for schools.
The good news is that practical solutions are available to schools on a budget that can significantly improve their cybersecurity infrastructure and resources. Enter Prey Project.
Prey has years of expertise and a proven track record in aiding K12 schools to bolster their cyber defenses, even when constrained by tight IT security budgets. Besides offering a free 14-day trial with no obligations, Prey also extends various forms of assistance to ensure schools can access robust security solutions. This includes special discounts and customized offers tailored to meet the unique financial constraints and needs of educational institutions. These measures reaffirm Prey's commitment to making high-quality cyber security accessible to all schools, regardless of their budgetary limitations.
By working with renowned experts like Prey, K-12 schools can maximize even a limited IT security budget, creating a safer digital environment that builds trust from students, staff, and the wider K-12 community.
Juan is Prey's Content Specialist. He researches interesting and relevant information related to cybersecurity, and explains it in a way that everyone can understand it and make use of it.