Brandon Gabel expected an ordinary day of remote work when he woke up at 5:45 on a January morning in 2024. By 8:30 a.m., he was racing to his office, simultaneously fielding calls from the FBI, Arizona homeland security and insurance providers. His school district had just become the latest casualty in a wave of cyberattacks sweeping across the nation.
“They were in our network for a few hours before I cut the VPN [virtual private network] and shut them out,” says Gabel, technology director for Agua Fria Union High School District in Arizona. Thanks to state-funded cybersecurity tools, including CrowdStrike, to handle endpoint protection and response (EDR), the attackers walked away empty-handed.
Gabel had created an incident response plan about five months earlier. When the attack happened, they put the plan into action. Still, the near-miss underscored a sobering reality: Schools are now battlefields in the digital war.
According to the nonprofit Center for Internet Security’s 2025 MS-ISAC K-12 Cybersecurity Report: Where Education Meets Community Resilience, 82 percent of reporting schools experienced cyber incidents between July 2023 and December 2024, with more than 9,300 confirmed incidents. What was once considered a corporate problem has become every district’s nightmare.
From Playground to Battleground
Not long ago, the worst digital headache for a school was a broken laptop or a sluggish Wi-Fi signal. Today, the stakes are existential. Districts hold sensitive data on thousands of children and families, including addresses, medical information, even financial records for meal payments. The stolen data can be used for identity theft, fraud or extortion. Children are particularly vulnerable since compromised identities may go undetected for years. In addition, a data breach can cause reputational and financial damage for the district. All of this makes districts lucrative targets.
It’s not the prince in Africa anymore. With AI, phishing emails look legitimate now.
“It’s not the prince in Africa anymore,” says Chantell Manahan, director of technology at MSD of Steuben County in Indiana. “With AI, phishing emails look legitimate now.”
Teachers now face the unnerving task of evaluating whether an email from their principal is genuine — or a cleverly disguised trap.
Doug Couture, director of technology at South Windsor Public Schools in Connecticut, puts it bluntly: “Generative AI has weaponized phishing. Even seasoned staff can’t always tell the difference.”
The Human Firewall
As threats evolve, districts are discovering that the first line of defense is not a piece of software; it’s people. Training teachers, administrators, staff and students to spot danger has become as critical as practicing fire drills or lockdown procedures.
Manahan remembers when one of her staffers nearly clicked a malicious link in what looked like a routine Amazon gift card offer. If a veteran tech employee could be tricked, she reasoned, everyone was at risk.
Since then, her district has reimagined training as a district-wide responsibility. “We’ve empowered every educator to be a digital guardian,” she says. Tech staff complete courses through Udemy; all employees have access to KnowBe4 courses and CyberNut training. Manahan hopes to offer CyberNut (a digital literacy and cybersecurity program that teaches students how to recognize online threats, protect their personal information and build safe technology habits) for high school students this school year, too.
Other districts have found that incentives matter. Couture’s team hands out Swedish Fish to staff who report suspicious emails. “The training shouldn’t feel punitive,” he says. “It should reward people for vigilance.”
These small gestures have ripple effects. Reporting suspicious emails becomes a point of pride, not a punishment. The act of defending the school network turns into a shared culture rather than an IT department’s thankless task.
Small Districts in the Crosshairs
Still, not all districts enter this fight with equal weapons. Wealthier or larger systems can afford larger tech teams and advanced defenses; smaller communities often cannot.
In Medway, Massachusetts, Richard Boucher oversees IT for both the schools and the town. “My network engineer and I spend more than half of each day on cyber defense,” says Boucher. Their layered defense system includes Sophos-managed endpoint protection and response, managed detection and response, network detection and response, AI-powered email filtering, continuous vendor monitoring and regular penetration tests. During one unannounced penetration test with third-party software — in which the IT department pretended to hack into its own system — Sophos called in just two minutes — proof that vigilance pays off.
But Boucher admits their system works because of careful prioritization and significant local investment. For many districts, such resources are out of reach. That’s where state partnerships make a difference.
The Indiana Department of Education provides free cyber assessments through local universities, complete with recommendations leaders can share with boards and parents. Arizona’s Department of Homeland Security’s Statewide Cyber Readiness Program supplies CrowdStrike licenses, advanced endpoint protection, anti-phishing/security awareness training and more.
“Without that program, we never would have had the protection we do,” says Gabel. “We couldn’t afford it.”
Cyber Safety as Culture
Technology alone cannot win this fight. The districts making the most progress are reframing cybersecurity as a cultural issue, not a technology checklist.
Amy McLaughlin, who leads cybersecurity projects for the Consortium for School Networking or CoSN, prefers the term “cyber safety.” The language matters, she argues, because it makes everyone — not just IT staff — responsible. “We all know the protocols for locking school doors. This is the electronic version,” she says.
That cultural framing opens the door to creative engagement. In Indiana, Manahan gives CyberNut socks and “phishing” pens to top reporters of suspicious emails. Her school board received Goldfish crackers labeled Don’t Get Phished during Cybersecurity Awareness Month.
William Stein, director of information systems at MSD of Mt. Vernon in Indiana, delivers cookies to staff who correctly identify fake phishing emails and runs “Two-Factor Tuesday” raffles for employees who enable multi-factor authentication (MFA) on personal accounts. Couture tries to make his messaging about cyber vigilance humorous, like the time he used the term “nefarious n’er-do-wells” in an email.
Storytelling is another powerful tool. Stein shares short narratives of real attacks on his Cyber Shorts website to make the abstract concrete. “People remember stories more than protocols,” he says.
The Cost of Complacency
For all the sophisticated new tools, experts agree that the fundamentals are often the weak link. Patching or updating outdated systems, fixing known software vulnerabilities, auditing accounts, enforcing strong passwords and mandating MFA stop a large share of attacks before they start.
Focus on the biggest risks. Up to 40 percent of breaches start with patching problems.
“Focus on the biggest risks,” says Stein. “Up to 40 percent of breaches start with patching problems.”
Gabel learned that lesson firsthand. “Former tech teams had left behind old service accounts I hadn’t audited. That’s where the attack hit. Audit, audit, audit.”
When an attack does succeed, recovery costs can vary dramatically. By keeping incident response in-house, Gabel’s district contained its recovery to less than $100,000. Many others have not been so fortunate, with ransomware payouts, school closures and system rebuilds stretching into millions. According to a 2025 report by IBM, the global average cost of a data breach is $4.4 million. At the same time, cyber budgets represent about 6.6 percent of the IT budget across all sectors — at the lower end of the recommended range of 5 percent to 10 percent, according to one 2024 study.
Human exhaustion is another cost. “I get unhappy customers when we run phishing simulations,” says Chris Bailey, technology director at Edmonds School District in Washington. “People say they can’t trust their emails anymore. But that’s exactly the point. You have to learn to not trust email.”
Establishing Resilience
Looking ahead, experts see the next stage of progress not in buying more tools but in building resilient systems and communities.
Districts are starting to move from reactive firefighting to proactive resilience planning. That means tabletop exercises — practice drills where leaders talk through how they’d respond to a cyberattack — along with statewide collaboration networks and formal pacts where neighboring districts promise to support one another during a crisis. Modeled after fire department and disaster relief systems, these agreements let schools share tech staff, loan backup resources or even assist with parent communications when one district is overwhelmed by an attack. The goal is to ensure that no school has to stand alone in its darkest moment.
CoSN’s McLaughlin encourages districts to share resources and lessons rather than operating in silos: “No one should be doing this alone,” she says.
The imbalance will always remain: Attackers need only one vulnerability; defenders must protect them all. But districts are proving that preparation, creativity and collaboration can shift the odds.
At Agua Fria, Gabel reflects on his incident with humility as well as pride: “We were lucky, but we were also ready. If we hadn’t invested in training, partnerships and fundamentals, the story would have ended differently.”