K-12 Cybersecurity Advisory

You answer for the safety of every student's data. You shouldn't have to be a security expert to protect it.

TRAG is an independent advisory group for school districts. We help you see your real risk, fix what matters first, and keep a seasoned advisor on call — without the cost of a full-time security chief.

27 yrsCISO-level experience
Vendor-neutralNo products to sell
K-12 onlyBuilt for districts
The reality in K-12

This is happening to districts like yours — right now.

Cyberattacks on schools are no longer rare events that happen to "big districts." They have become a normal operating condition — and K-12 absorbs the highest recovery costs of any sector. The numbers below are recent and independently reported.

1+ a day

On average, U.S. K-12 schools experience more than one publicly reported cyber incident every school day — and researchers estimate the true number is many times higher. The U.S. Department of Education puts districts at roughly five incidents a week.

CISA · U.S. Department of Education
82% of K-12 schools experienced a cyber incident across an 18-month study of more than 5,000 schools. CIS MS-ISAC, 2025 K-12 Report
60% of school principals reported at least one cyber incident across the 2023–24 and 2024–25 school years. RAND, 2024 national survey
$7.46M average ransom paid by K-12 schools in 2024 — the highest of any sector, before recovery costs. Sophos, State of Ransomware 2024
45% of schools reported a compromised staff email account — phishing remains the leading way in. RAND, 2024 national survey
Case in point — the largest breach of children's data in U.S. history

One stolen password exposed roughly 62 million students and 9.5 million teachers.

In December 2024, an attacker used a single compromised credential to reach the student-information system that thousands of districts rely on. Names, birth dates, addresses, Social Security numbers and medical information — for current and former students and staff — were stolen and held for ransom. Most of the affected districts had done nothing wrong: the exposure came through a trusted vendor. Months after the company paid, individual districts were still being extorted over the same data.

The lesson for superintendents: your risk isn't only your own network. It's every vendor you've handed student data to — and almost no district reviews that exposure on its own.

Sources: U.S. court filings; PowerSchool disclosures; reporting by K-12 Dive, TechCrunch & Security.org, 2025.

And barely a year later — it happened again

Then Canvas: 8,800+ institutions, hundreds of millions of records.

In May 2026, attackers hit Instructure — maker of Canvas, the learning platform used across K-12 and higher ed. Student names, email addresses, ID numbers, and private student–teacher messages were exposed. The extortion group claimed roughly 275 million records taken from about 8,800 institutions worldwide — among the largest education breaches ever recorded, though Instructure has not confirmed those figures. As with PowerSchool, the way in wasn't a school's network: attackers exploited a flaw in the vendor's own platform. And Canvas messages often hold exactly what students share in confidence — medical notes, accommodations, counseling.

Put the two together: the system that holds your student records and the platform that runs your classrooms — the two biggest names in education software — both breached through the vendor, within eighteen months. If your district uses either, your data was in scope, and there was nothing your own IT team could have done to stop it.

Sources: Instructure disclosures; BleepingComputer; Bitdefender; reporting, May 2026.

The bind you're in

You're expected to secure a district with the staff and budget of a school — not a bank.

Your board and your parents want one answer: are we safe? But the people you'd ask are stretched thin.

Most districts run on a one- or two-person technology team with no dedicated security specialist. Vendors multiply every year. A full-time CISO costs north of $200,000 — if you can even find one willing to come to a district. So the hard security questions quietly wait, until an incident forces them.

You don't need to become a cybersecurity expert, and you don't need to hire one full-time. You need a trusted advisor who already does this for a living — and who answers to you, not to a product line.

What we do

Advisory, not another vendor.

TRAG is an advisory group. We don't sell software, hardware, or managed services — we give you the senior judgment to decide what's worth your budget and attention. Four ways districts work with us:

01 — Assess

Cybersecurity Risk Assessment

Know exactly where your district stands, measured against a recognized framework (NIST CSF, CIS) and translated into plain English. You get a board-ready picture of your real exposure — including the vendors holding your student data.

  • Maturity scored across every security domain
  • Prioritized findings, not a 200-page data dump
  • Written for a cabinet and board, not just IT
02 — Advise

Security Advisory Retainer

A seasoned security advisor on call. Not a product vendor, not a part-time staffer — an independent expert who knows your district and picks up when you need a decision made, a vendor vetted, or a steady hand on a bad day.

  • Ongoing guidance for you, your cabinet & board
  • Vendor & contract security review
  • Someone to call the moment something looks wrong
03 — Plan

Technical Remediation Roadmap

Our signature. A prioritized, phased plan that says exactly what to fix now, in 30 and 90 days, and across the year — each item sized to your budget and mapped to the risk it retires. The plan that turns a scary assessment into fundable action.

  • Sequenced by risk and effort, not vendor hype
  • Costed so you can fund it in stages
  • Built to satisfy grants, auditors & insurers
04 — Prepare

Staff Training & Leadership Tabletop

People are the way in — phishing is the leading entry point for attacks on schools. We make your staff harder to fool and walk your leadership team through a realistic incident before a real one writes the headline.

  • Practical, role-appropriate awareness training
  • Phishing-resilience for staff who handle data
  • A tabletop exercise for the people who'd run the response
Why districts choose TRAG

Independent judgment, built for schools.

No products, no commissions

We don't resell tools or take vendor kickbacks. That means the recommendation you get is the one that's right for your district — not the one that pays us. The whole point of an advisor is advice you can trust.

K-12 is the whole focus

FERPA and student-data privacy, E-Rate realities, tiny IT teams, board politics, the academic calendar. We speak your context — this isn't enterprise consulting with the word "school" pasted on top.

Plain English, senior level

Twenty-seven years of CISO-level work, translated for superintendents and boards. You'll always know what to do next, what it protects, and what it costs — no jargon, no fear-selling.

There's money for this

Funding for school cybersecurity is expanding — and funders reward a clear plan.

From E-Rate and state programs to the FCC's new Schools & Libraries Cybersecurity Pilot, dollars are increasingly available to help districts defray the cost of protecting student data. What they consistently reward is exactly what TRAG builds: a documented, prioritized cybersecurity plan you can act on and report against.

We help you position your district to capture funding — and make sure the plan behind it would survive a grant reviewer, an auditor, or a cyber-insurance questionnaire.

$200M committed to school & library cybersecurity through the FCC's federal pilot program. FCC Schools & Libraries Cybersecurity Pilot, 2024–25
How it works

From first call to a plan you can fund.

No drawn-out sales process. A clear path from "are we safe?" to a prioritized answer.

STEP 01

Briefing

A free 30-minute conversation about your district, your concerns, and what's keeping you up at night.

STEP 02

Assessment

We measure your real risk against a recognized framework — including the vendors holding your data.

STEP 03

Roadmap

You get a prioritized, costed, plain-language plan: what to fix now, next, and over the year.

STEP 04

Ongoing advisory

We stay on call as your trusted advisor, so the plan keeps moving and you're never facing it alone.

See the actual work

Nothing here is a black box.

Before you ever sign anything, you can read exactly what a district receives — a worked assessment and a full sample report, start to finish.

The deliverable

Four reports, one assessment

Every engagement produces the same set: an Executive summary for the board, a Technical detail report for your team, a Compliance crosswalk for counsel, and a phased Remediation roadmap to execute. Real samples of all four are on the site — read them before you ever sign.

See the actual output

The Assessments page walks through how we score maturity and cover all 18 areas. The Reports page shows the full deliverable a district receives — start to finish.

The value

Advisory is a rounding error against the cost of one incident.

K-12 pays the highest ransoms of any sector — a mean of $7.46M in 2024 — before you count lost instructional days, legal exposure, and the trust you can't buy back. Getting ahead of it costs a small fraction of that.

Most districts start here Discovery Assessment
From $3,950

A complete read on your risk across every area, plus the prioritized, fundable plan to fix it.

  • All areas assessed, built from your team's answers
  • Prioritized findings register
  • Executive, Technical & Compliance reports
  • Phased remediation roadmap

Indicative pricing for planning purposes — every engagement is scoped to your district's size and needs. Final figures confirmed after the briefing.

Questions superintendents ask

Straight answers.

It's the opposite. Large districts often have their own security staff; small and mid-sized districts are the ones attackers count on being under-resourced — and they're the majority of victims. Our work is sized so a district without a security team can act on it.

Your IT team and MSP keep things running — that's a different job from independent security strategy, and most MSPs also sell the tools they recommend. An advisor gives you a vendor-neutral second opinion that answers to you, and frees your team to act on a clear plan instead of guessing at priorities.

No. We take no commissions and resell nothing. That independence is the point — our recommendations are based on what protects your students, not on what we'd profit from selling you.

Nothing. The first step is a free 30-minute briefing — a real conversation about your district, with no obligation and no automated sales follow-up. You'll leave with a clearer read on your risk whether or not we ever work together.

Don't let the next breach make the decision for you.

Start with a free briefing. Thirty minutes, no pressure — just a clear-eyed look at where your district stands and what to do first.