1. How much is the district’s cybersecurity spending and what specifically are they paying for?
A: This school year, the district has spent $22 million on cybersecurity services, which is only $1 million more than the year before (2023-24) but $12 million more than two years ago. (2022-23), according to school district records provided to us via an open records request.
You’ll remember that 2023 “cybersecurity incident” that released student data — CCSD threw a lot of money at cybersecurity after that, so it doubled previous spending.
The largest item this year was $15 million to Chromis Technology “to provide [Fortinet] enterprise cybersecurity software and services.”
Another 11 companies got between $3,000 and $470,000 for various IT and security services.
There’s also 58 school district cybersecurity employees, making a combined $5.4 million, with an average pay of $93,000. The two directors make $142,000.
So, all in all, over $27 million spent on cybersecurity and other related IT services.
But it’s more than the budget for gifted and talented students (under $20 million in the next budget) more than the budget for repairs and maintenance for the entire district ($24.8M)
2. How common are cyber threats in schools across the country and what are schools doing to prevent it?
They are the number one target for ransomware hackers.
One reason for the increase in attacks is that hackers have realized school systems are vulnerable. They often have older computer systems, rely heavily on technology and, "they don't necessarily have cyber security experts on staff."
That’s not currently the case in CCSD – they have invested heavily in staff and software.
Also, schools are essential services, so superintendents are under a lot of pressure to resolve these issues quickly, and willing to pay a ransom to resolve it.
We don’t have great updated numbers but in 2022, cyberattacks cost schools and colleges an estimated $9.5 billion in downtime alone. That's according to a report by the research group Comparitech, which is also quoted by the GAO.
So, schools are doing what CCSD has done — bought cyber liability insurance or increased existing insurance, and are doing things like investing in updated software, and training staff not to fall for phishing emails and use secure passwords.
Unfortunately, we don’t have updated national figures to say whether a $12 million increase over 2 years like in CCSD, is average.