Public Sector Cybersecurity: Guarding SLED From Cyber Threats

To mitigate the potential impact of digital vulnerabilities, resilient public sector cybersecurity is critical in defending against various cyber threats. From ransomware attacks that encrypt entire networks to sophisticated phishing schemes that steal sensitive personal information, cybercriminals can disrupt critical infrastructure, halt essential services, and jeopardize citizens’ and students’ privacy. Strengthening cybersecurity in state and local government and public education (SLED) is fundamental to maintaining public trust and ensuring the seamless operation of essential services. SLED organizations must recognize and understand the threats, unique challenges, and potential solutions to be more proactive in guarding themselves from cyber attacks.

The Evolution of Cyber Threats for SLED

In the early days of automation, the public sector faced security threats such as viruses and unrefined hacking attempts to exploit weak network defenses. Alongside corresponding technological advancements, digital infrastructure has become more integral to the operations of SLED institutions, and cyber threats have become significantly more advanced.

Today’s SLED organizations face various threats, including ransomware attacks that hold critical data hostage through infiltration and encryption, phishing scams designed to deceive employees into disclosing sensitive information, and distributed denial-of-service (DDoS) attacks that flood websites with traffic to disrupt essential digital services.

In their journeys to improve cybersecurity measures through comprehensive or multi-layered frameworks, many SLED agencies face at least one of these four significant threats:

  • SLED organizations often operate with legacy IT systems and outdated infrastructure.
  • The public sector has increasingly become an appealing target for ransomware attacks.
  • Insiders with privileged access can inadvertently or intentionally compromise security.
  • Third-party vendors introduce supply chain risk as they have access to their public sector clients. If a vendor’s network is breached, their SLED clients will likely also be affected.

SLED and Private Sector Differences in Cybersecurity

According to Check Point Research, documented cyberattacks in the first quarter of 2024 increased by 28% over the last quarter of 2023. Government and public education led all sectors, combining for a global average of more than 4,000 weekly cyberattacks.

While cybersecurity is an urgent concern for both SLED and the private sector, the challenges they face differ across several areas:

Resource Availability and Investment: Typically, private companies can allocate significant funds towards cybersecurity based on risk assessments and potential return on investment (ROI). Larger corporations may have the resources to invest in innovative cybersecurity technologies and hire industry-leading security professionals. Public agencies often face stricter budget constraints and must justify expenditures within allocated government funding. They have limited investments available and cannot always procure the latest technology or attract the same talent level due to salary limitations.

Regulatory and Compliance Pressures: While some private sector industries face stringent regulations, such as HIPAA for protecting patients’ information or GDPR for European security and privacy compliance, they often have some flexibility to tailor these standards to align with their specific business needs, allowing them to implement highly customized cybersecurity solutions. In contrast, SLED must meet regulatory frameworks that have more rigid compliance standards, which are typically slower to change than those in the private sector. This lack of flexibility can delay the rapid adoption of innovative cybersecurity measures and technologies.

Nature of Data and Services: The private sector often focuses on protecting customer data and proprietary information, which is central to maintaining customer trust and competitive advantage. Meanwhile, governments must safeguard a broader scope of sensitive information, including citizens’ personal data, classified information, and critical infrastructure systems, which require varying levels of protection.

Threat Profile: The private sector faces diverse cyber threats, including attacks aiming for financial gain, intellectual property theft, and competitive disruption. Governments face the same threats from cybercriminals as well as attacks by nation-states, terrorist groups, or activists, making their threat posture uniquely challenging.

Within the public sector, state and local governments face unique and diverse challenges. What works for the state doesn’t always work for local governments. Understanding the differences is key to building cyber resiliency for each sector.

Unique Challenges in Protecting K-12 Systems

As schools increasingly integrate technology into their curricula and administrative functions, they become prime targets for cyber threats that could compromise student safety, privacy, and the continuity of educational services. According to the Cybersecurity and Infrastructure Security Agency (CISA), K-12 cyber incidents are so prevalent that, on average, there is more than one incident per school day.

There are a variety of unique issues that complicate protecting digital networks in schools. The challenges are significant, from budget constraints that limit the availability of necessary cybersecurity resources to varying levels of cybersecurity awareness among staff and students. The shift towards remote learning has introduced new risks as students access systems from less secure home networks. Finding solutions to these cybersecurity issues requires understanding the unique challenges that schools face:

Budget Constraints: Many K-12 institutions face significant financial limitations, often preventing them from allocating sufficient funds for comprehensive cybersecurity measures. These constraints make it difficult for schools to invest in advanced security software or hardware and sustain the ongoing costs of maintaining these systems. The challenge also extends to human resources, as schools frequently struggle to afford salaries competitive enough to attract and retain skilled cybersecurity professionals. Due to this gap in funding and resources, educational institutions often cannot afford even the most basic cybersecurity defenses, making them particularly vulnerable to cyberattacks.

Lack of Cybersecurity Awareness: A fundamental obstacle in protecting K-12 institutions is the general lack of cybersecurity awareness among staff, students, and parents. Many users are not trained to identify suspicious emails or understand the risks of unsafe browsing habits. This knowledge gap creates ample opportunities for cybercriminals to exploit through phishing attacks, malware distribution, or social engineering schemes. With annual student turnover and a varying range of proficiency among staff, it is critical to provide constant, repetitive training to ensure all users understand and follow necessary cybersecurity principles.

Outdated Infrastructure: K-12 systems often operate with outdated technological infrastructure. Due to budgetary constraints, many schools continue to use older software and hardware that no longer receives regular patch updates or security support from manufacturers. These outdated systems are prone to failures and present known vulnerabilities easily exploitable by cyber attackers. The reliance on such technology not only increases the risk of cybersecurity incidents but also hinders the ability of institutions to implement newer, more secure technologies.

Remote Learning Vulnerabilities: The rapid shift to remote learning, accelerated by the COVID-19 pandemic, has significantly expanded the cybersecurity challenges for K-12 institutions. While students are back to regularly attending school in person, remote e-learning days are much more frequent than they were pre-pandemic. Students accessing school networks remotely often do so from home networks that lack the security measures typically found in school environments, such as enterprise-grade firewalls and secure Wi-Fi setups. Using potentially unsecured personal devices adds another layer of risk, as these devices could be compromised and used as a conduit to access school systems. This dynamic environment makes it challenging to enforce consistent security policies and monitor for potential threats during remote learning.

Regulatory Compliance: Compliance with regulatory requirements such as the Family Educational Rights and Privacy Act (FERPA) in the U.S. adds another layer of complexity to cybersecurity in K-12 education. These regulations mandate strict controls on student data collection, storage, access, and sharing. While these laws are necessary to protect students’ privacy, they require schools to implement specific, often complex, security measures. The necessity to comply with these regulations can divert already limited resources away from other cybersecurity efforts and complicate the adoption of new technologies that might streamline security but require extensive vetting to ensure compliance.

As schools face these challenges with budgetary and operational constraints, cybercriminals are increasing attacks on this sector. According to a report by anti-malware company Malwarebytes, ransomware attacks alone on K-12 schools increased 92% between 2022 and 2023, making it a significant and growing threat to primary and secondary education.

Higher Education Has Elevated Challenges

While cyberattacks on education are on the rise, comparing the circumstances of colleges and universities to those of K-12 education reveals differences that can make enforcement more complex in higher education environments.

Scale and Diversity of Users: Higher education institutions typically have a larger and more diverse population of users, including undergraduate and graduate students, faculty, visiting scholars, and administrative staff, each with varying levels of access to institutional resources. Managing the security for a wide range of users, who may be spread across multiple campuses or even globally, adds complexity to cybersecurity enforcement.

Variety of Networked Devices: Universities often support a wider variety of devices and operating systems than K-12 schools, as students and faculty utilize their own devices and connect to campus networks. This diversity increases the potential for an attack and makes it more challenging to enforce uniform security measures.

Decentralized IT Infrastructure: Higher education institutions commonly have decentralized IT infrastructures, where individual colleges, departments, or research groups manage their IT systems with varying degrees of autonomy. This decentralization can lead to inconsistent security practices and make it challenging to implement comprehensive cybersecurity policies across the institution.

Advanced Research and Intellectual Property: Universities are hubs for research that often involves sensitive or proprietary data, including intellectual property that could be valuable to cybercriminals. Protecting this data from breaches adds extra responsibility and complexity to cybersecurity efforts.

Expanded Regulatory Compliance: Higher education institutions are subject to a range of regulatory requirements that may not apply to K-12 settings, such as data protection laws related to human research subjects, students’ healthcare information, and financial data. Compliance with these regulations requires specialized security controls and constant vigilance.

Open Network Environment: Universities traditionally maintain an open network environment to foster academic freedom and collaboration. While beneficial for educational and research purposes, this openness can be exploited by attackers if not properly managed with effective security controls.

Economic and Targeted Threats: Higher education institutions are targets for more sophisticated cyber threats, often aimed at stealing research data. The economic implications of a breach in higher education can be substantial, significantly affecting financial resources and the institution’s reputation.

Summarizing SLED Cybersecurity Differences

While state and local governments and education all face challenges such as limited budgets and outdated technology, governments manage an array of critical services, including emergency response, water supply, and public transportation. The impact of a cyberattack can have broader societal consequences compared to educational institutions.

K-12 institutions face considerable cybersecurity challenges, such as protecting student data and maintaining secure learning environments, but the scope and scale of these challenges tend to be less complex than those in governments and higher education. K-12 schools generally have more controlled IT environments, don’t need protection for high-value intellectual property, and have fewer types of sensitive data to manage, making them less likely to be targets of state-sponsored attacks.

Enforcing cybersecurity in higher education is typically more challenging than in K-12 due to the scale, diversity, and complexity of the technology and organizational structures. Higher education’s open-access environment must balance academic freedom and accessibility with responsible and effective cybersecurity, adding another dimension to college and university cyber challenges.
