K-12 Cybersecurity Advisory

You answer for the safety of every student's data. You shouldn't have to be a security expert to protect it.

TRAG is an independent advisory group for school districts. We help you see your real risk, fix what matters first, and keep a seasoned advisor on call — without the cost of a full-time security chief.

27 yrsCISO-level experience
Vendor-neutralNo products to sell
K-12 onlyBuilt for districts
The reality in K-12

This is happening to districts like yours — right now.

Cyberattacks on schools are no longer rare events that happen to "big districts." They have become a normal operating condition — and K-12 absorbs the highest recovery costs of any sector. The numbers below are recent and independently reported.

1+ a day

On average, U.S. K-12 schools experience more than one publicly reported cyber incident every school day — and researchers estimate the true number is many times higher. The U.S. Department of Education puts districts at roughly five incidents a week.

CISA · K12 SIX · U.S. Department of Education
1 in 2 U.S. school districts experienced a cybersecurity incident in 2025 — up from about 1 in 3 the year before. Clever, Cybersecure 2026
82% of K-12 organizations were hit by a cyber incident across an 18-month study of 5,000+ schools. CIS MS-ISAC, 2025
$2.28M average cost for a district to recover from a ransomware attack — the highest of any industry. Sophos, State of Ransomware in Education 2025
32% of districts were breached through a third-party vendor in 2025 — up from just 4% two years earlier. Clever, Cybersecure 2026
Case in point — the largest breach of children's data in U.S. history

One stolen password exposed roughly 62 million students and 9.5 million teachers.

In December 2024, an attacker used a single compromised credential to reach the student-information system that thousands of districts rely on. Names, birth dates, addresses, Social Security numbers and medical information — for current and former students and staff — were stolen and held for ransom. Most of the affected districts had done nothing wrong: the exposure came through a trusted vendor. Months after the company paid, individual districts were still being extorted over the same data.

The lesson for superintendents: your risk isn't only your own network. It's every vendor you've handed student data to — and almost no district reviews that exposure on its own.

Sources: U.S. court filings; PowerSchool disclosures; reporting by K-12 Dive, TechCrunch & Security.org, 2025.

And barely a year later — it happened again

Then Canvas: 8,800+ institutions, hundreds of millions of records.

In May 2026, attackers hit Instructure — maker of Canvas, the learning platform used across K-12 and higher ed. Student names, email addresses, ID numbers, and private student–teacher messages were exposed. The extortion group claimed roughly 275 million records taken from 8,809 institutions across 50 countries — among the largest education breaches ever recorded. As with PowerSchool, the way in wasn't a school's network: the attackers manipulated the vendor's own support channel. And Canvas messages often hold exactly what students share in confidence — medical notes, accommodations, counseling.

Put the two together: the system that holds your student records and the platform that runs your classrooms — the two biggest names in education software — both breached through the vendor, within eighteen months. If your district uses either, your data was in scope, and there was nothing your own IT team could have done to stop it.

Sources: Instructure disclosures; BleepingComputer; Trend Micro; reporting, May 2026.

The bind you're in

You're expected to secure a district with the staff and budget of a school — not a bank.

Your board and your parents want one answer: are we safe? But the people you'd ask are stretched thin.

Most districts run on a one- or two-person technology team with no dedicated security specialist. Vendors multiply every year. A full-time CISO costs north of $200,000 — if you can even find one willing to come to a district. So the hard security questions quietly wait, until an incident forces them.

You don't need to become a cybersecurity expert, and you don't need to hire one full-time. You need a trusted advisor who already does this for a living — and who answers to you, not to a product line.

What we do

Advisory, not another vendor.

TRAG is an advisory group. We don't sell software, hardware, or managed services — we give you the senior judgment to decide what's worth your budget and attention. Four ways districts work with us:

01 — Assess

Cybersecurity Risk Assessment

Know exactly where your district stands, measured against a recognized framework (NIST CSF, CIS) and translated into plain English. You get a board-ready picture of your real exposure — including the vendors holding your student data.

  • Maturity scored across every security domain
  • Prioritized findings, not a 200-page data dump
  • Written for a cabinet and board, not just IT
02 — Advise

Security Advisory Retainer

A seasoned security advisor on call. Not a product vendor, not a part-time staffer — an independent expert who knows your district and picks up when you need a decision made, a vendor vetted, or a steady hand on a bad day.

  • Ongoing guidance for you, your cabinet & board
  • Vendor & contract security review
  • Someone to call the moment something looks wrong
03 — Plan

Technical Remediation Roadmap

Our signature. A prioritized, phased plan that says exactly what to fix now, in 30 and 90 days, and across the year — each item sized to your budget and mapped to the risk it retires. The plan that turns a scary assessment into fundable action.

  • Sequenced by risk and effort, not vendor hype
  • Costed so you can fund it in stages
  • Built to satisfy grants, auditors & insurers
04 — Prepare

Staff Training & Leadership Tabletop

People are the way in — phishing is the leading entry point for attacks on schools. We make your staff harder to fool and walk your leadership team through a realistic incident before a real one writes the headline.

  • Practical, role-appropriate awareness training
  • Phishing-resilience for staff who handle data
  • A tabletop exercise for the people who'd run the response
Why districts choose TRAG

Independent judgment, built for schools.

No products, no commissions

We don't resell tools or take vendor kickbacks. That means the recommendation you get is the one that's right for your district — not the one that pays us. The whole point of an advisor is advice you can trust.

K-12 is the whole focus

FERPA and student-data privacy, E-Rate realities, tiny IT teams, board politics, the academic calendar. We speak your context — this isn't enterprise consulting with the word "school" pasted on top.

Plain English, senior level

Twenty-seven years of CISO-level work, translated for superintendents and boards. You'll always know what to do next, what it protects, and what it costs — no jargon, no fear-selling.

There's money for this

Funding for school cybersecurity is expanding — and funders reward a clear plan.

From E-Rate and state programs to the FCC's new Schools & Libraries Cybersecurity Pilot, dollars are increasingly available to help districts defray the cost of protecting student data. What they consistently reward is exactly what TRAG builds: a documented, prioritized cybersecurity plan you can act on and report against.

We help you position your district to capture funding — and make sure the plan behind it would survive a grant reviewer, an auditor, or a cyber-insurance questionnaire.

$200M committed to school & library cybersecurity through the FCC's federal pilot program. FCC Schools & Libraries Cybersecurity Pilot, 2024–25
How it works

From first call to a plan you can fund.

No drawn-out sales process. A clear path from "are we safe?" to a prioritized answer.

STEP 01

Briefing

A free 30-minute conversation about your district, your concerns, and what's keeping you up at night.

STEP 02

Assessment

We measure your real risk against a recognized framework — including the vendors holding your data.

STEP 03

Roadmap

You get a prioritized, costed, plain-language plan: what to fix now, next, and over the year.

STEP 04

Ongoing advisory

We stay on call as your trusted advisor, so the plan keeps moving and you're never facing it alone.

See the actual work

Nothing here is a black box.

Before you ever sign anything, you can read exactly what a district receives — a worked assessment and a full sample report, start to finish.

SAMPLE FINDING · F-014Critical

Backups reachable from the production network

If ransomware reaches the same network as your backups, you can lose both at once — turning a bad week into a closed school. We found this pattern in a recent assessment and sequenced it as a "fix now" item.

Risk retired
Ransomware / closure
Effort
Low–Medium
Roadmap phase
Now

Two ways to see our output

The sample assessment shows how we score maturity and prioritize findings. The sample report shows the full deliverable a district receives — executive summary, detailed findings, and the funded roadmap.

The value

Advisory is a rounding error against the cost of one incident.

The average district spends $2.28M recovering from a single ransomware attack — before counting lost instructional days, legal exposure, and the trust you can't buy back. Getting ahead of it costs a small fraction of that.

Most districts start here Risk Assessment + Roadmap
From $9,500

A complete read on your risk, plus the prioritized, fundable plan to fix it.

  • Framework-based maturity assessment
  • Prioritized findings & vendor-risk review
  • Phased, costed remediation roadmap
  • Board-ready executive summary

Indicative pricing for planning purposes — every engagement is scoped to your district's size and needs. Final figures confirmed after the briefing.

Questions superintendents ask

Straight answers.

It's the opposite. Large districts often have their own security staff; small and mid-sized districts are the ones attackers count on being under-resourced — and they're the majority of victims. Our work is sized so a district without a security team can act on it.

Your IT team and MSP keep things running — that's a different job from independent security strategy, and most MSPs also sell the tools they recommend. An advisor gives you a vendor-neutral second opinion that answers to you, and frees your team to act on a clear plan instead of guessing at priorities.

No. We take no commissions and resell nothing. That independence is the point — our recommendations are based on what protects your students, not on what we'd profit from selling you.

Nothing. The first step is a free 30-minute briefing — a real conversation about your district, with no obligation and no automated sales follow-up. You'll leave with a clearer read on your risk whether or not we ever work together.

Don't let the next breach make the decision for you.

Start with a free briefing. Thirty minutes, no pressure — just a clear-eyed look at where your district stands and what to do first.