Optimizing Your K-12 Security Budget for Growing Threats

By Robert Allende on September 4, 2020

The evolving threat landscape.

The hard reality is that the IT and security world has been changing rapidly since February 2020. The COVID-19 pandemic has given rise to a host of technology issues: a dramatic increase in remote workforce support, increased email and phishing attacks, onboarding and remote user support issues, personnel outages due to pandemic-related issues, nation-state attacks on universities and bio labs working on COVID-19-related research, and a strong rise in ransomware and crypto locker related events – especially in K-12.


While the threat landscape and trajectory are starting to become clear, I am of the strong belief that we are at the edge of a security precipice. Given the current ability for K-12 to react, and the inclination for bad actors to hold K-12 hostage for $50 to 100K at a time, we are in dangerous territory until we get proactive with our security tactics and remediation techniques.


Where to place your security bets?

As student, administrative and cloud-based K-12 resources continue to shift and evolve, the K-12 security stance needs to keep pace. K-12 is being challenged with more demand, more state compliance requirements, level or shrinking security budgets and challenges with non-dedicated K-12 security personnel. While every K-12 district has unique requirements, in general we recommend directing the school’s security budget in the following areas to get the most effective use of each dollar:

  1. A comprehensive remote access solution (student cloud-app access, K-12 system access, IT admin access)
  2. 24x7 DNS security service
  3. Access management & monitoring security appliance or software
  4. Utilize email filtering & phishing protection security software
  5. Simple web-facing K-12 app security scan (looking for OWASP Top 10 security issues)
  6. A documented layout of your student PII & sensitive K-12 admin / business information
  7. Create a formal cyber incident response plan and test it annually
  8. Consider a managed security service to provide 24x7 monitoring of essential K-12 networks and service components

This suite of security services and controls is recommended as a first step of essential security services, specifically targeted at today’s evolving K-12 security threat landscape. The focus is on securing remote access, preventing known attacks in these areas, providing visibility when an attack happens, and having the ability to react to an incident sooner rather than later, preventing a small problem from turning into a much bigger problem.



What to do next.

If you do not have a running 3-year security plan, create one. If you do not know where to begin, look for a security expert who can help you. A security plan will help you identify critical issues and open items in need of remediation, outline the overall security risk for your K-12 district, and start a realistic budget.


But don’t just make a plan to make a plan – to ensure your valuable K-12 resources are focused and cost effective, be sure to clearly identify (by risk and impact) what to work on now, and what’s next in your security roadmap plan.


If you would like to discuss more or see how these recommendations can apply to your K-12 district, please contact security@redriver.com.