If you think critical infrastructure, what springs to mind? Probably transportation, energy, or healthcare—systems that, when disrupted, can cripple our daily lives as well as the broader economy. We rightfully worry about this. We defend against cyberattacks such as ransomware shutting down hospitals, DDoS attacks disrupting financial institutions, data breaches compromising sensitive information, attacks disabling power grids, or hackers compromising air traffic control systems. But consider this: what happens when your kid’s school closes? Typically, the narrative after a cyberattack on a school centers on the sensitive student data that was compromised. But what about how it could compromise everyday life and their education?
Is It Time to Redefine the Education System as Critical Infrastructure?
Is it time to broaden our view of what is critical to our lives and economy? We recently covered several reports highlighting cybersecurity vulnerabilities within the educational system. Much attention has been paid to higher education, particularly threats from nation-state actors seeking proprietary research. However, K-12 schools may represent an even more concerning target, a soft underbelly in our critical infrastructure. Are the ramifications of a disruption far beyond our current appreciation?
2,500 Cyberattacks a Day: The Stark Reality for Schools
We previously reported on a KnowBe4 report that found educational institutions experience over 2,500 cyberattack attempts per day. Schools are particularly vulnerable due to outdated cybersecurity systems, limited training, and heavy reliance on third-party vendors. Ransomware and phishing attacks top the list of threats, with many schools forced to pay ransom to recover from a data breach.
A Lesson From the Pandemic: Disrupted Education Hurts Everyone
COVID-19 closures forced parents into the dual role of caregiver and teacher, resulting in significant learning gaps and family stress. Now, imagine a similar disruption triggered not by a virus but by a cyberattack. One that didn’t force parents to stay home as they were during the pandemic.
Imagine a Statewide School Shutdown Due to Cybercrime
Picture a future where California’s entire K-12 system is crippled by ransomware, a targeted attack on school management systems, or even a data breach from a software vendor.
This isn’t fanciful thinking. A few headlines.
- A cyberattack in Albuquerque forces schools to cancel classes.
- Cyberattack compromises and shuts down Highline Public Schools.
- Jefferson School District cancels classes following cyberattack.
Imagine an attack that lasts days or weeks, not motivated by the promise of ransom but something more sinister. Couple that with a DDoS attack that makes online or remote learning untenable.
The 2025 Center for Internet Safety/MS-ISAC report paints a pretty grim picture, one where 82% of K-12 organizations experienced cyber incidents totaling over 9,300 confirmed attacks. These cyberattacks can disrupt essential community services like education, but they can also impact meal programs, counseling, and childcare, highlighting how cybersecurity threats reach far beyond data breaches.
Underfunded and Understaffed: Schools Are Struggling
Yet despite this evident risk, K-12 cybersecurity remains dangerously underfunded. Teachers routinely dip into personal funds for basic supplies like crayons and paper, emblematic of chronic budget shortfalls. In a recent study, over 86% of schools cited inadequate funding as their most significant barrier to appropriate cybersecurity. Bake sales for cybersecurity seems a foolish path.
Digital Snow Days Are No Longer Just a Joke
The concept of a “digital snow day,” once a cute and amusing novelty, is now an actual threat. What about a digital snow week or month? We have plows to clear streets of real snow. Chains for the bus, so the wheels can “go ’round and ’round.” Digital resilience in education needs to adapt with the same goal in mind.
How long could working families manage without reliable schooling or childcare? Such disruptions ripple quickly across economic sectors, from productivity losses as parents scramble to broader social instability.
The Case for Cyber Insurance and Proactive Defense
Schools and the policymakers that determine their funding must urgently reassess cybersecurity postures and budgets. Beyond security, there is the need to prepare for the worst case, the failure of security. Enhancing cyber insurance coverage explicitly tailored to education systems is equally critical. PowerSchool’s Chief Legal Officer, Michael Bisignano, advises schools to proactively engage cyber insurance brokers following breaches. He also emphasizes the need for comprehensive coverage.
As we prioritize investments in infrastructure security, the education sector deserves greater attention. School security and cybersecurity are vital components of community stability and safety.
