
What to know about the newest cyberattack strategy putting K-12 schools at risk
A managed third-party security operations center can provide threat detection, incident response, and ongoing security monitoring for K-12 districts
By Ven Auvaa, ArmorPoint
May 21st, 2025
Key points:
- Data breaches can cripple entire school districts’ digital infrastructure
A staggering 82 percent of K-12 schools experienced a cyber incident between July of 2023 and December 2024, according to a recent report by the Center for Internet Security. The threat to schools continues to grow as attempts to breach their networks become more frequent and sophisticated, while education budgets and resources to bolster cybersecurity dwindle.
One of these emerging and sophisticated strategies by cyber criminals puts K-12 at even more risk–the use of legitimate file hosting services, such as Google Drive and Microsoft OneDrive, to launch cyberattacks. According to Microsoft, this method of launching a cyberattack grew by 18 percent in 2024. It’s a uniquely significant threat to K-12 schools, where students and teachers rely heavily on file-hosting services to complete, submit, and share work and information.
At the same time that cyberattackers are developing more tools, discovering more weaknesses, and increasingly targeting K-12 institutions, federal funding cuts have added a layer of complexity and risk. Cybersecurity is likely to continue falling down the list of priorities for schools, which puts the data and sensitive information of students, teachers, administrators, parents, and potentially entire districts at risk. While resources may be limited, there are strategies educators and administrators can use to push back on cybercrime and this emerging strategy.
Understanding and addressing the unique threat of cyberattacks through file hosting services
In cybersecurity, the bad guys are always trying to stay a step ahead of technological innovation, security measures, and the best efforts of those whose job it is to thwart attacks. The rules are always changing, which means cybersecurity training and awareness is not just important–it’s an ongoing process.
This is especially pertinent to the threat posed by cyber criminals using file hosting services to target K-12 institutions, because it’s a strategy designed to outsmart standard cybersecurity awareness best practices. A standard security awareness training recommendation to prevent successful phishing scams has been to pay close attention to the source email and double-check that any hyperlink came from a trusted source. However, by using a legitimate file-sharing service, the source emails or hyperlinks in a malicious phishing campaign are from Google Drive, OneDrive, SharePoint, or another source that students, teachers, and administrators trust and use every day. The initial link may even take them to a Google Drive file with bad links, Trojans, or other forms of malware.
Although school-age children can be more tech-savvy than their teachers or caregivers, they often haven’t had enough life experience to recognize or understand the consequences of a cyber threat. This makes them a uniquely susceptible target for bad actors. It’s a policy issue that makes for a tough sell at a time when schools are strapped, facing more cuts, and often have a laundry list of higher priorities, but incorporating cybersecurity awareness and training into curriculum–as part of computer lab, for instance–should be considered in much the same way that schools prioritize disaster and lockdown training.
In addition to awareness training, administrators need to ensure the same hosting services are being used across classrooms, grades, and schools in their district and monitor activity under one umbrella. This makes it easier for IT teams–and even teachers and students–to recognize patterns of suspicious behavior across their network and address it accordingly.
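As an added example (not from the article or from ArmorPoint), the Python below triages file-share notification events once a district has standardized on one hosting service. Because the notification itself comes from a trusted service, the check looks at who shared the file and how widely. The event fields, domain names, and thresholds are all hypothetical, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DISTRICT_DOMAIN = "district.example"   # assumption: the district's own account domain
SANCTIONED_SERVICE = "google_drive"    # assumption: the one service the district uses
FANOUT_LIMIT = 3                       # assumption: distinct recipients per window
WINDOW = timedelta(minutes=10)         # assumption: look-back window for fan-out

# Constructed share-notification events; field names are hypothetical.
EVENTS = [
    {"id": "e1", "time": "2025-05-01T08:00:00", "service": "google_drive",
     "sharer": "teacher1@district.example", "recipient": "student1@district.example"},
    {"id": "e2", "time": "2025-05-01T08:01:00", "service": "google_drive",
     "sharer": "grades-update@outside.example", "recipient": "student1@district.example"},
    {"id": "e3", "time": "2025-05-01T08:02:00", "service": "google_drive",
     "sharer": "grades-update@outside.example", "recipient": "student2@district.example"},
    {"id": "e4", "time": "2025-05-01T08:03:00", "service": "google_drive",
     "sharer": "grades-update@outside.example", "recipient": "teacher2@district.example"},
    {"id": "e5", "time": "2025-05-01T09:00:00", "service": "onedrive",
     "sharer": "teacher2@district.example", "recipient": "student3@district.example"},
]

def triage(events):
    """Return {event id: [reasons]} for shares an analyst should review."""
    findings = defaultdict(list)
    history = defaultdict(list)  # external sharer -> [(timestamp, recipient)]
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        sharer = ev["sharer"].lower()
        # A share from a service the district does not use stands out on its own.
        if ev["service"] != SANCTIONED_SERVICE:
            findings[ev["id"]].append("unsanctioned_service")
        # The notification is from a trusted service either way, so judge the sharer.
        if not sharer.endswith("@" + DISTRICT_DOMAIN):
            findings[ev["id"]].append("external_sharer")
            # Keep only this sharer's activity inside the window, then add this event.
            history[sharer] = [(t, r) for t, r in history[sharer] if ts - t <= WINDOW]
            history[sharer].append((ts, ev["recipient"].lower()))
            # One outside account reaching many district users quickly is a pattern.
            if len({r for _, r in history[sharer]}) >= FANOUT_LIMIT:
                findings[ev["id"]].append("fan_out")
    return dict(findings)

if __name__ == "__main__":
    for event_id, reasons in triage(EVENTS).items():
        print(event_id, ", ".join(reasons))
```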
Cybersecurity monitoring and rapid response
Most education institutions and systems are already scrimping to provide basic student materials and keep up with textbook updates. Crack IT teams and in-house cybersecurity infrastructure are rarely part of the program. But even many private companies–some with far greater financial resources–are woefully underprepared for cyberattacks; the security burden shouldn’t fall solely to districts, individual schools or the students themselves, even if it frequently does.
A viable option in education settings is a managed SOC, a third-party security operations center that can provide threat detection, incident response and ongoing security monitoring–and even cybersecurity awareness training. Public education institutions at the K-12 level are unlikely to ever have the resources to maintain 24/7 vigilance against cyberthreats, but a SOC offers the option of tapping into that service and expertise–and many work within budget constraints.
Data breaches can cost students, parents, and teachers thousands of dollars (or more), cripple entire school districts’ digital infrastructure, and, in the case of a politically motivated attacker, even target public officials.
Rather than leave cybersecurity to chance or risk outdated prevention models, regular awareness training and a dedicated monitoring and rapid-response team, whether in-house or outsourced, give K-12 systems the security and peace-of-mind needed to navigate today’s cybersecurity challenges and focus on education.
About the Author: Ven Auvaa is the Director of Information Security at ArmorPoint, where he was one of the team’s first security analysts before building and leading a team as Cyber Incident Response Manager. With a Master’s degree in Cybersecurity and IT Management and nearly a decade of experience in the field, he’s a seasoned expert in security operations, incident response and user security awareness.