Digital tools have become essential to teaching and learning, but they have also made schools prime targets for cyberattacks. Public schools are particularly vulnerable because they often operate with limited budgets, outdated technology, and small IT teams — conditions that make them easier for attackers to exploit.
The risks are not hypothetical. Research shows that around eight in ten schools have experienced at least one cyber incident over an 18‑month period. From ransomware to phishing scams, these disruptions can halt teaching and put sensitive student data at risk.
In a recent episode of the Harvard EdCast, Cybersecurity: The Greatest Threat Schools Aren’t Ready For, host Jill Anderson spoke with Lisa Plaggemier, Executive Director of the National Cybersecurity Alliance, about why schools remain so vulnerable and what educators can do to better protect students and staff.
Below, we have highlighted the key takeaways for schools — the most important insights from the conversation that can help leaders and teachers strengthen their approach to cybersecurity.
Key takeaways:
- Human Error Is Often the Weak Link: Most breaches do not require sophisticated hacking. They happen because of basic mistakes — such as clicking on a phishing email, reusing passwords, or failing to update software.
- Threats Are Evolving Quickly: Ransomware remains a common way schools are targeted. Newer threats such as AI-driven phishing and even deepfake voice scams are beginning to appear and may soon pose added challenges.
- Insurance Is No Silver Bullet: Cyber insurance is now harder to secure without meeting minimum security standards, meaning schools must take proactive steps before they can even qualify for coverage.
- Leaders and IT Teams Need to Talk: One of the biggest challenges is the communication gap between school leaders and IT staff. Plaggemier notes that translating technical risks into plain language is key to getting support for investment in cybersecurity.
- Students Need to Be Part of the Solution: Safe online habits start in the classroom. Teaching children not to share passwords and to spot suspicious links is as important as any firewall.
-
Four Simple but Effective Practices:
- Teach phishing awareness: including scams via phone and text.
- Stay on top of software updates: patching reduces easy entry points.
- Enable multi-factor authentication (MFA): across all school accounts.
- Use strong, unique passwords and reliable backups: keep backups separate from main systems to prevent ransomware from spreading.
Cybersecurity may not always be top of mind in education, but ignoring it comes at a steep cost. As Lisa Plaggemier stresses, it is not a matter of if a school will face an attack, but when. Strong recovery plans, awareness training, and the right technical safeguards are essential to building resilience. Small, deliberate changes — from staff training to MFA to stronger backups — can dramatically reduce risk.
For a deeper dive into this issue, you can listen to the full conversation here: Cybersecurity: The Greatest Threat Schools Aren’t Ready For.
