GCC Blog

K-12 Cybersecurity Q&A: Safeguarding Smaller State and Local Entities

April 8th, 2025 by Guest Communications

Written by: Amy Rock – April 7, 2025

Data security is the second highest risk facing K-12 schools and colleges and universities, according to two recent reports from United Educators (UE). This includes data breaches, phishing, accidental disclosure of personal data, ransomware, and hacking.

Earlier this year, PowerSchool, a cloud-based software solutions provider best known for its Student Information System (SIS) that helps schools track the data of K-12 students, announced it suffered a cyberattack after a threat actor used stolen credentials to access its customer support portal. The threat actor then used a customer support maintenance access tool to download student and teacher data from districts’ PowerSIS databases.

A subsequent audit by CrowdStrike determined the company, which stores information of over 62 million K-12 students and teachers across more than 18,000 customers, failed to take basic precautions to protect students’ data, leading to the largest breach of American children’s personal information to date.

As cybersecurity concerns continue to grow, educational campuses must shore up their defenses to protect data. In this Q&A, Doug Thompson, Chief Education Architect at Tanium, a cybersecurity and systems management company, shares ways K-12 schools can enhance their cybersecurity practices.

K-12 Cybersecurity Q&A

Campus Safety: What can you tell me about the rise in cybersecurity attacks targeting institutions, including smaller state and local entities? What cybersecurity strategies would you recommend these institutions adopt to protect themselves?

Doug Thompson: From July 2023 through December 2024, 82% of K-12 schools reported experiencing a cyber incident. The recent PowerSchool breach serves as an important reminder that education institutions, just like any business or organization, need to give careful attention to not only their own cybersecurity posture, but also that of the third parties they work with.

Smaller state and local entities, like educational institutions, are increasingly vulnerable to cyber threats due to outdated technology, limited cybersecurity expertise, and unpatched software. As threat actors grow more sophisticated and widespread, protecting their digital infrastructure has become even more challenging. For these institutions, adopting a whole-of-state approach to cybersecurity can strengthen security, improve risk mitigation, reduce costs, and optimize resources while ensuring equitable access to secure systems.

CS: What is a whole-of-state approach?

DT: A whole-of-state approach is a promising approach that centralizes resources, expertise, and strategies to enhance security across an organization. It is used primarily to address gaps in outdated, fragmented strategies. A whole-of-state approach relies on three key components: governance, implementation, and validation. By adopting this approach, educational institutions can transform their cybersecurity and improve the following:

  • Increased Coordination: Statewide collaboration streamlines IT risk management, reducing fragmentation and minimizing the risk of exposing sensitive data and critical services to threats.
  • Complete Visibility: Integrated and aligned tools enhance cybersecurity practices and close gaps that could allow threats to go undetected.
  • Consistent Governance: Unified leadership across all levels of government drives consistent integration of cybersecurity systems, improving threat detection and response.
  • Scalable Implementation: A statewide strategy delivers scalable and measurable results, which fragmented approaches and isolated solutions often fail to deliver.

With federal funding cuts across the education sector already under way, this type of combined, holistic approach provides a leaner, more cost-effective means of cyber defense.

CS: Why is a whole-of-state approach important for smaller entities like K-12 education?

DT: Cyberattacks often succeed against smaller entities, such as K-12 schools, due to limited staffing, tools, and expertise. A whole-of-state cybersecurity approach addresses this by centralizing resources and expertise. For K-12 education systems specifically, this approach connects schools with leaders at all levels of government, enabling them to collaborate by sharing resources, exchanging information, and utilizing federal and state funding to address cybersecurity challenges and present a united front against cyber threats.

Overall, this approach improves security, reduces costs, and ensures equal protection for all institutions. By adopting a whole-of-state model, states can implement a robust and resilient cybersecurity framework that safeguards all educational entities while supporting their mission to provide quality education and services.

CS: How does the whole-of-state approach improve security?

DT: The whole-of-state approach to cybersecurity enhances security by centralizing efforts, creating uniform defense mechanisms, and minimizing vulnerabilities across all entities. Since the approach implements consistent security protocols, even the smallest institutions benefit from state-of-the-art protection. This unified approach also leads to quicker and more coordinated incident response, as a dedicated state-level cybersecurity team can offer immediate support and guidance to smaller entities during breaches, reducing damage and recovery time. Furthermore, pooled resources allow states to negotiate better deals on cybersecurity tools and services, delivering cost savings – particularly for institutions with limited budgets.

Beyond improving security, the whole-of-state approach fosters equity and access, regardless of size or location, so all institutions receive the same level of protection. This is particularly critical for underserved and rural communities that might otherwise remain vulnerable. Smaller entities also benefit from shared expertise, gaining access to guidance, training, and support they may otherwise lack. With standardized training and consistent resources, staff at all levels are better equipped to manage cybersecurity threats, further strengthening the state’s overall security posture.

CS: What are potential downsides to consider before implementing this approach? How can these downsides be mitigated?

DT: Before diving into a whole-of-state approach, it’s crucial to first grasp the potential risks involved and explore strategies to minimize any downsides. Below are the key risks to consider and strategies for mitigating each one.

  • Loss of Local Control and Autonomy: Local entities may resist giving up control over cybersecurity, fearing a one-size-fits-all approach. Early engagement with stakeholders and offering customization options within the centralized system can address these concerns by accommodating specific requirements.
  • Implementation and Transition Challenges: Integrating systems into a centralized framework is complex, time-consuming, and costly. To mitigate this, implement a phased rollout starting with pilot programs to manage complexity and ensure thorough planning and testing before full-scale deployment. In terms of cost, institutions should pursue funding through federal grants, state programs, and public-private partnerships, highlighting long-term cost savings to justify the initial expenditure.
  • Data Privacy and Compliance: A whole-of-state approach must adhere to various legal and regulatory requirements. At the same time, local entities may have concerns about data sovereignty and control over their data. To address these concerns, it’s essential to create clear policies and agreements on data management and ownership. Establishing transparent data governance frameworks and involving local entities in the decision-making process ensures compliance and builds trust.
  • Sustainability and Continuous Improvement: Maintaining up-to-date cybersecurity systems is vital, but equally important is establishing clear success metrics and regularly assessing the return on investment (ROI) of the whole-of-state approach. To stay ahead of evolving threats, institutions should continuously invest in cybersecurity and create a dedicated team for ongoing monitoring and improvement.

CS: Can you provide an example of where this approach was successfully implemented?

DT: We’ve seen a few states turn to a whole-of-state approach, such as Arizona, which uses the strategy to protect the IT resources of smaller counties, cities, and districts. By doing so, they’re able to share information, techniques, and tools to enhance cybersecurity across the state.

Arizona’s initial goal was to create a consistent security baseline throughout the state and ensure that all state employees were trained in security awareness. To accomplish this, Arizona used funds from a U.S. Department of Homeland Security grant to build a collaborative defense network, allowing the state to share information, strategies, and tools like Tanium. During implementation, Arizona focused on addressing vulnerabilities, assessing endpoint inventory in Navajo County, and implementing endpoint security measures in school districts statewide. As a result, Arizona transformed its IT operations, meeting fiscal and cybersecurity requirements while safeguarding over 20,000 endpoints, including laptops, desktops, and mobile devices used by students, teachers, and staff.

CS: What are the long-term benefits of a whole-of-state cybersecurity approach?

DT: With a whole-of-state approach to cybersecurity, smaller state and local entities can help build a resilient framework against emerging cyber threats, reduce costs, and ultimately, give schools the opportunity to provide quality education. Below are some of the long-term benefits of implementing such a model.

  • Sustained Security Improvements: A whole-of-state approach ensures all entities benefit from the latest security technologies and best practices, strengthening defenses and reducing cyber risks over time.
  • Cost Savings and Efficiency: By leveraging economies of scale and shared resources, states can significantly reduce costs. These savings can then be reinvested in other critical areas, such as education and infrastructure.
  • Enhanced Educational Outcomes: Strengthened cybersecurity and IT infrastructure allow schools to focus on their core mission – delivering quality education. With fewer disruptions and better access to digital resources, students can achieve stronger educational outcomes.
  • Equitable Access to Technology: Centralized cybersecurity efforts help bridge the digital divide, ensuring that all students – regardless of their location or socioeconomic status – receive the same level of protection and access to digital resources.
  • Resilience and Adaptability: A whole-of-state approach creates a flexible, resilient cybersecurity framework that can adapt alongside evolving threats. Continuous improvement and regular updates ensure that the system remains effective in an ever-changing threat landscape.
