K-12 Cybersecurity Insider | 2/9/2026 edition

Written By Doug Levin

A biweekly newsletter providing curated cybersecurity news to the K-12 community, as a public service of K12 SIX. Sign up for the K12 SIX mailing list to have future editions delivered to your inbox.

Mark Your Calendar

2026 National K-12 Cybersecurity Leadership Conference

Hosted by the K12 Security Information eXchange (K12 SIX), the 2026 National K-12 Cybersecurity Leadership Conference is a unique event designed for all K-12 cybersecurity practitioners to identify and share solutions and best practices to better defend school communities from emerging cybersecurity threats, such as ransomware and data breaches. The fourth annual conference will be held February 24-26 in Albuquerque, New Mexico. Advance registration required.

  • Preliminary agenda, updated 2/4.

  • Featuring: Workshops, Tabletop exercise, Birds of a Feather networking, Peer-led educational sessions, Capture the Flag contest, Exhibit hall

  • Learn from experts at the Cybersecurity & Infrastructure Security Agency (CISA/DHS) and U.S. Department of Education/Privacy Technical Assistance Center (PTAC)

  • And much more

On the Soapbox

Lies, Damned Lies, and K-12 Cybersecurity Statistics

While it may defy belief by those not as close to the work, no one has comprehensive, reliable data on cybersecurity incidents at scale, including about those that impact U.S. K-12 organizations. There are several reasons for this:

  • First, let us acknowledge that 1/ incident victims have every incentive to not voluntarily disclose anything and 2/ existing public reporting requirements are variable and quite weak. Absent a national, uniform public reporting requirement for cyber incidents,** no one has a comprehensive dataset upon which to base conclusions. What few reporting requirements exist vary across states by organization type, incident type, and incident severity. Plus, none of the existing requirements include much, if anything, on the subject of public disclosure. Even when invoking freedom of information requests, investigative reporters have been stymied in obtaining incident reports from state entities that are repositories for such data. Others with select insights—such as cybersecurity insurance providers—treat their knowledge as proprietary and a trade secret.

  • Second, many cybersecurity incidents do not fit into neat definitions—and organizations routinely apply definitions in different ways. Case in point: a threat actor sends a phishing email to steal credentials from a K-12 administrator that are then used to exfiltrate sensitive data about the school system from the school system’s vendor. The threat actor then extorts the school system, attempting to intimidate the district to pay a ransom demand or risk the abuse of the stolen data. How would one categorize the incident? As social engineering? Yes, but not that alone. As ransomware? A ransom is being sought but no malware was deployed, and access to IT systems remains uninterrupted. Is this even an incident that one would associate with the school system or would the vendor be blamed? Unclear. The categories of incidents used in common parlance simply do not hold up to even cursory scrutiny. Every organization making statistical claims about K-12 cybersecurity applies their own methodology to source and categorize incidents, including—in some cases—by counting claims of cyber criminals as gospel fact.

  • Third, cybersecurity industry reports on the ‘education sector’ take a laughably large number and type of organizations and treat them as if they are the same: universities, community colleges and trade schools, school districts (large and small), elite private schools, religious schools, and charter schools; public and private; across states, in the U.S., and abroad. What lessons could U.S. K-12 IT practitioners (or policymakers) take from a recent attack on an Italian university? They operate under different governance and legal regimes, are resourced differently, use different vendors, and serve a different population. There is precious little actionable for the K-12 practitioner here.

Spurious K-12 cybersecurity claims lead under-resourced school systems to purchase solutions mismatched to their needs and spend precious time defending against imaginary threats. They also lead policymakers to the wrong solutions, resulting in waste, fraud, and abuse of government investments. Yet, so long as news stories get clicks and cybersecurity vendors move product, here we’ll remain.

As a reader, hold those making claims to a higher standard and ask them to show their work. Look for information about what types of organizations are included and over what time frame. Look for details about how incidents are sourced, defined, and classified. If a survey was conducted, demand information about the sample and generalizability. Call BS on conference presenters repeating myths about K-12 cybersecurity trends and data—and on reporters who repeat it uncritically and without context.

** While CIRCIA is an important step forward—and K12 SIX is on record supporting the regulation’s application to the K-12 sector—it is neither designed nor intended to address the issue of research and reporting in the public domain.

Members Get More

The K12 Security Information eXchange (K12 SIX) operates as the independent, non-profit information sharing and analysis center (ISAC) exclusively for the K-12 education sector. Founded in 2020, organizations eligible for membership include school districts, charter schools and charter management organizations, private/independent schools, regional education agencies, and state education agencies. K12 SIX members get more.

Doug Levin
Next

K-12 Cybersecurity Insider | 1/26/2026 edition