This week, Clever released its annual Cybersecure report, which found that in 2025, more than half (52%) of U.S. school districts experienced a cybersecurity incident—representing a 16-percentage-point increase year-over-year.
The report, co-authored by W/A’s own Evo Popoff and Daimen Sagastume, draws on a Q4 2025 survey from over 500 U.S. district technology and security leaders.
Key Findings
- The Identity Gap That Still Hasn’t Closed: Student identity protection remains the sector’s most conspicuous vulnerability. Student identity theft and associated long-term harm is now the #1 concern for more than half of district leaders, yet students remain the least-protected population in the system. While 93% of teachers and 97% of IT staff have adopted multi-factor authentication (MFA), student MFA coverage sits at just about 13% across all grade levels—a figure that has barely moved despite rapidly intensifying threats. Closing that gap, the report argues, requires solutions built for how students actually learn, not adult workflows retrofitted onto classrooms.
- Vendor Breaches and AI Risk Compound the Challenge: Third-party incidents are also accelerating, rising from 4% of reported breaches in 2023 to 32% in 2025, an almost eightfold increase that reflects how deeply districts now depend on a small number of shared platforms. The 2024 PowerSchool breach illustrates this challenge, with a single compromise exposing sensitive data across hundreds of districts at once. At the same time, 4 in 5 school districts believe AI is increasing their cybersecurity risk, yet only 11% have formal processes to vet AI use in edtech tools.
- Capacity, Not Awareness, Is the Core Constraint: Perhaps the most important throughline in this year’s report: the problem isn’t that district leaders don’t understand the risks. 66% of respondents reported that leadership support is among the least challenging aspects of their cybersecurity work. The binding constraint is capacity: staffing shortages, budget limitations, and tool complexity make it difficult to translate awareness into sustained action. Cyber insurance mandates are nudging districts toward stronger controls, but 58% of districts that adopted new technology to meet those requirements aren’t sure whether it meaningfully improved their security posture.
This article is sourced from Whiteboard Notes, our weekly newsletter of the latest education policy and industry news read by thousands of education leaders, investors, grantmakers, and entrepreneurs. Subscribe here.
