Districts manage sensitive records, run on thin staffing, and rely heavily on email to coordinate teachers, substitutes, and families. Over the past few months, coverage has shown two realities at once. Federal support remains uncertain and some funds have tightened, so states are trying to build their own programs. Meanwhile, phishing continues to drive the bulk of day‑to‑day incidents.
The Core Problem: Identity and Email Weak Points
GovTech describes how states are filling the gap with grants, minimum standards, and shared services. Progress is uneven and districts with fewer resources feel it most. District Administration profiled two states that have already moved legislation to set baseline security requirements. EdTech’s mid‑year view from the field echoes the operational picture: leaders are trying to fund security while rolling out new classroom technology and handling a constant stream of onboarding and turnover.
Phishing keeps working because K‑12 identity is messy. Shared logins still exist in labs and temporary programs. Legacy mail protocols remain enabled long after modern authentication is in place. Hiring cycles create windows where spoofed HR messages and fake payroll changes land at the worst possible time. Decentralized purchasing adds dozens of different cloud tools, each with its own login method and data footprint, often without a central security review.
The fix starts with identity and email basics. DMARC at a “reject” policy blocks most spoofing of district domains. Phishing‑resistant MFA for staff and for parent portals that expose student information reduces the chance that a single phish becomes a data exposure. Turning off legacy IMAP and POP closes a back door many attackers still use. Conditional access rules that limit admin sign‑ins to trusted devices and expected geographies add another barrier without slowing teachers down.
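One way to check DMARC enforcement across a district's domains, as an added example that is not from the original article. The domain names and record strings are constructed sample data, and counting a domain as enforced only when `sp` and `pct` do not weaken `p=reject` is an assumption that goes slightly beyond the text.

```python
# Added example: classify DMARC enforcement per domain from TXT record text.
# The domains and records below are constructed sample data.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    pairs = []
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs.append((key.strip().lower(), value.strip()))
    # RFC 7489: the first tag must be v=DMARC1.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    return dict(pairs)

def enforcement_status(txt):
    """Classify a record as enforced, partial, monitor-only, or missing."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None or "p" not in tags:
        return "missing"
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    pct = tags.get("pct", "100")                 # pct defaults to 100
    if policy == "none":
        return "monitor-only"
    if policy == "reject" and sub_policy == "reject" and pct == "100":
        return "enforced"
    return "partial"  # quarantine, sampled reject, or weaker subdomain policy

SAMPLE_RECORDS = {  # constructed; None means no _dmarc TXT record was found
    "district.example": "v=DMARC1; p=reject; rua=mailto:dmarc@district.example",
    "students.district.example": "v=DMARC1; p=quarantine; pct=50",
    "athletics.district.example": "v=DMARC1; p=none",
    "alumni.district.example": "v=DMARC1; p=reject; sp=none",
    "boosters.district.example": None,
}

def audit(records):
    """Map each domain to its enforcement status."""
    return {domain: enforcement_status(txt) for domain, txt in records.items()}

def percent_enforced(records):
    """Whole-number percentage of domains at full enforcement."""
    statuses = audit(records).values()
    return 100 * sum(s == "enforced" for s in statuses) // len(statuses)

if __name__ == "__main__":
    for domain, status in audit(SAMPLE_RECORDS).items():
        print(f"{domain:32} {status}")
```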
Training works best when it is specific and short. A yearly, generic video blends into the background. Districts see better results with brief sessions on the scams they actually face—vendor banking changes, payroll direct‑deposit requests, gift card scams—and by measuring reporting behavior rather than only click rates. Users who report quickly help the response team shorten investigations, even if they clicked.
Detection and response need attention as well. A few alerts catch most account‑takeover behavior: new auto‑forward rules, mailbox rules that hide replies, OAuth grants to unfamiliar apps, and bursts of failed logins. Finance teams benefit from a simple, pre‑approved playbook for business email compromise. It should specify how payment change requests are verified, who approves them, and what language is used with vendors when something seems off. Clear steps reduce friction and prevent hasty replies that attackers exploit.
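The four alerts named above, sketched as detection logic over a constructed event stream. This is an added example, not code from the original article; the event fields, action names, app names, allowlists, and the threshold of five failures in ten minutes are all hypothetical and would need mapping to a real mail platform's audit log.

```python
# Added example: flag the four account-takeover signals in a generic audit feed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

DISTRICT_DOMAINS = {"district.example"}              # assumption: district-owned domains
APPROVED_APPS = {"sis-gradebook", "lms-classroom"}   # assumption: reviewed OAuth apps
HIDING_ACTIONS = {"delete", "mark_read", "move_to_rss"}  # hypothetical action names
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)   # assumed tuning values

def detect(events):
    """Return (user, alert) tuples in time order."""
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of recent failed logins
    for ev in sorted(events, key=lambda e: e["time"]):
        user, kind = ev["user"], ev["type"]
        if kind == "inbox_rule":
            target = ev.get("forward_to")
            if target and target.rsplit("@", 1)[-1].lower() not in DISTRICT_DOMAINS:
                alerts.append((user, "external auto-forward"))
            if ev.get("action") in HIDING_ACTIONS:
                alerts.append((user, "rule hides replies"))
        elif kind == "oauth_grant" and ev["app"] not in APPROVED_APPS:
            alerts.append((user, "unfamiliar OAuth app"))
        elif kind == "login_failed":
            window = failures[user]
            window.append(ev["time"])
            while window[0] < ev["time"] - FAIL_WINDOW:
                window.popleft()       # drop failures older than the window
            if len(window) >= FAIL_THRESHOLD:
                alerts.append((user, "failed-login burst"))
                window.clear()         # one alert per burst

    return alerts

T0 = datetime(2025, 9, 2, 7, 0)
def at(minutes):
    return T0 + timedelta(minutes=minutes)

# Constructed sample events: one compromised account plus benign activity.
SAMPLE_EVENTS = [{"time": at(m), "user": "payroll.clerk", "type": "login_failed"}
                 for m in range(5)] + [
    {"time": at(6), "user": "payroll.clerk", "type": "inbox_rule",
     "forward_to": "collector@mail.example"},
    {"time": at(7), "user": "payroll.clerk", "type": "inbox_rule", "action": "delete"},
    {"time": at(8), "user": "teacher.a", "type": "oauth_grant", "app": "quiz-helper"},
    {"time": at(9), "user": "teacher.b", "type": "oauth_grant", "app": "lms-classroom"},
    {"time": at(20), "user": "teacher.b", "type": "inbox_rule",
     "forward_to": "teacher.b@district.example"},
] + [{"time": at(m), "user": "teacher.c", "type": "login_failed"} for m in (0, 30, 60)]

if __name__ == "__main__":
    for user, alert in detect(SAMPLE_EVENTS):
        print(f"{user}: {alert}")
```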
Vendors are part of the security posture. A short register that lists which apps access student data, whether they support SSO and MFA, and who owns each contract gives IT and curriculum leaders a shared view. When a tool cannot support basic controls, record the exception and a date to revisit it. Over time, that list drives better purchasing decisions and speeds up incident response when a vendor is involved.
A focused plan for the next 90 days
- Enforce DMARC p=reject, DKIM, and SPF across all domains; disable legacy IMAP/POP.
- Roll out phishing‑resistant MFA for staff and parent portals that handle student data.
- Add conditional access for admin roles and restrict sign‑ins from unmanaged devices.
- Configure alerts for auto‑forward rules, suspicious OAuth grants, and sign‑in anomalies.
- Publish a one‑page BEC runbook for finance and require verification of payment changes.
Boards and superintendents need clear signals that progress is real. Track the percentage of staff on phishing‑resistant MFA, DMARC enforcement status for every domain, time to revoke compromised accounts and restore mailboxes, and the number of vendor payment fraud attempts detected and stopped. These are simple to communicate and tie directly to operational risk.
Districts do not need a perfect program to reduce exposure. A consistent set of identity and email controls, paired with realistic response steps and smarter purchasing, shrinks the target quickly. The technology already exists; the challenge is focus and follow‑through.
References:
- GovTech, “States Struggle to Fill K‑12 Cybersecurity Gaps Left by Federal Cuts”: https://www.govtech.com/education/k-12/states-struggle-to-fill-k-12-cybersecurity-gaps-left-by-federal-cuts
- District Administration, “These 2 States Are Spearheading K‑12 Cybersecurity Legislation”: https://districtadministration.com/article/these-2-states-are-spearheading-k12-cybersecurity-legislation/
- GovTech, “Phishing Remains Persistent Threat in K‑12 Cybersecurity”: https://www.govtech.com/security/phishing-remains-persistent-threat-in-k-12-cybersecurity
- EdTech Magazine, “K‑12 Leaders Evaluate Funding and Cybersecurity Challenges” (June 2025): https://edtechmagazine.com/k12/article/2025/06/k-12-leaders-evaluate-funding-and-cybersecurity-challenges