Library Header Image Library Header Image

Free Security Resources K-12 Districts Need Post-Canvas 


Posted on by Kacy Zurkus

While thousands of students across the country were in the midst of final exams, Instructure’s Canvas–the learning management system used in over 9,000 schools, colleges, and universities, went offline. The ransomware hacking group dubbed ShinyHunters declared it was behind the attack in which they accessed the data of approximately 275 million users. Chaos ensued and the impact was massive.

It is the largest such attack on the education sector, which is often referred to as “target rich, cyber poor.” According to BlackFog, a data privacy and ransomware prevention provider, “Today’s threat actors prioritize data exfiltration, extortion, and reputational damage, often targeting organizations that manage large volumes of sensitive personal information.” So, what are EdTech vendors and the education sector doing to prevent the next major breach?

This scenario highlights the primary cybersecurity challenge for K-12 IT administrators. These institutions did not fail in their responsibilities. They were victims at the mercy of third-party vendors whose products had vulnerabilities. The attack surface extends far beyond school infrastructure. Every edtech tool and third-party integration represents a potential entry point. Vendors whose products are sold to schools have price tiering where security features are more costly. Security practitioners call it the "security tax" model, where things like single sign-on, MFA enforcement, audit logging, and granular access controls get bundled into enterprise tiers that cash-strapped districts can't afford, leaving them with the less secure option.

The reality, though, is that most districts struggle with balancing their needs against their resources, said Randy Rose, Vice President, Security Operations & Intelligence at the Center for Internet Security. As this most recent breach demonstrated, every school who has implemented and is now dependent upon these tools is left at the mercy of vendors when these systems are exploited. 

What Districts Can Do About Vendor Risk

The nonprofit standards body for education technology, 1EdTech, is working to change this at the procurement level so that districts and universities have a shared vetting infrastructure for evaluating products. Before evaluating specific resources, districts should implement concrete steps to reduce exposure to vendor-side incidents.

In addition to maintaining a comprehensive inventory of all third-party platforms accessing student or staff data and tracking specific data access levels, it’s critical to review vendor contracts for breach notification timelines and data handling requirements. Ensure your communication plan functions independently of compromised platforms. 

Security on a Shoestring Budget

While vendor security is beyond an administrator's direct control, district preparedness is not. Administrators must improve disruption detection, family communication, and incident recovery protocols to avoid disruption. Additionally, proactive preparation mitigates the impact of inevitable third-party platform failures.

“We encourage all organizations to aim for full compliance with Implementation Group 1 of the CIS Controls,” Rose said. Compliance provides essential guardrails across a spectrum of controls and have proven effective at risk reduction from some of the most common cyberattacks, though these are not simple endeavors. 

“Like a great athlete or musician, you've got to get the essentials right before you can do the more complex tasks. And, in the end, it's often those essentials that keep you performing at your best,” Rose said. It’s important to recognize that it’s all too easy to start feeling overwhelmed, especially for K12 IT Directors, who are often a team of one. Rose said focusing on getting a little bit done every day can help. “Spend each dollar you have wisely, and look for low cost solutions, including where you can lean on partners at the state and local level and through groups like the MS-ISAC.” 

Establishing a robust security posture often requires additional budget allocations or personnel, but that’s rarely an option for the education sector. Still, success can come from identifying and leveraging available free resources.

The following free resources directly address these security gaps.

Free Resources for K-12 IT Administrators

1. CISA K-12 Cybersecurity Toolkit

This is the most comprehensive K-12 resource provided by the federal government. It offers prioritized recommendations, action guides, and no-cost training. The Protecting Our Future report translates complex threats into specific controls for districts lacking a dedicated CISO.

2.  K12 SIX Essentials Series (2026 Edition)

This series establishes baseline security standards and implementation guidance for under-resourced districts. The 2026 edition covers access management, device protection, secure backups, phishing prevention, incident response, and network segmentation. It serves as a rigorous self-assessment checklist.

3. CoSN NIST Cybersecurity Framework Alignment for K-12

This toolkit provides posters, presentations, and email templates for year-round use. Quarterly staff reminders are a zero-cost method to address human behavior, a primary attack vector. Awareness campaigns are vital because phishing and social engineering cause nearly half of all successful attacks.

4. Cybersecurity Education and Workforce Development

CYBER.ORG offers free professional development to help teachers integrate cyber awareness into their curriculum. A dedicated cybersecurity teacher is not required. This program assists educators in incorporating these concepts into existing coursework.

5. CyberPatriot National Youth Cyber Defense Program

CyberPatriot provides middle and high school students with hands-on cyber defense experience. The program provides all necessary materials, allowing non-experts to coach. Participation is free for public schools. This initiative builds a generation proficient in cyber hygiene to counter attacks targeting human behavior.

6. National Cybersecurity Alliance

National Cybersecurity Alliance provides a variety of educational resources including educational videos and industry reports to help mitigate human risk. They offer programming to inform users of all ages how to stay safe online.

7. Center for Internet Security (CIS)

While MS-ISAC membership is fee-based, CIS offers some limited content and services through a program we call "MS-ISAC Connect." This provides access to select webinars, cybersecurity advisories, and content in the CIS Portal. Furthermore, CIS Controls and Benchmarks are freely available and highly encouraged for all K-12 orgs to build the best possible security baseline.

The Need for Continued Advocacy

While these resources are valuable, they do not supplant for a fully funded and staffed IT security program. Advocacy for increased state and federal funding must continue. These tools allow districts to transition from total exposure to documented risk reduction.

Attackers target the weakest defenses. Implementing MFA and establishing an incident response plan require institutional intention rather than budget requests. Identifying available support is the first step in hardening district security. To learn more about security foundations, visit the RSAC Library.

Contributors
Kacy Zurkus

Director of Content, RSAC

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs