TRAG is an independent advisory group for school districts. We help you see your real risk, fix what matters first, and keep a seasoned advisor on call — without the cost of a full-time security chief.
Cyberattacks on schools are no longer rare events that happen to "big districts." They have become a normal operating condition — and K-12 absorbs the highest recovery costs of any sector. The numbers below are recent and independently reported.
On average, U.S. K-12 schools experience more than one publicly reported cyber incident every school day — and researchers estimate the true number is many times higher. The U.S. Department of Education puts districts at roughly five incidents a week.
CISA · U.S. Department of EducationIn December 2024, an attacker used a single compromised credential to reach the student-information system that thousands of districts rely on. Names, birth dates, addresses, Social Security numbers and medical information — for current and former students and staff — were stolen and held for ransom. Most of the affected districts had done nothing wrong: the exposure came through a trusted vendor. Months after the company paid, individual districts were still being extorted over the same data.
The lesson for superintendents: your risk isn't only your own network. It's every vendor you've handed student data to — and almost no district reviews that exposure on its own.
Sources: U.S. court filings; PowerSchool disclosures; reporting by K-12 Dive, TechCrunch & Security.org, 2025.
In May 2026, attackers hit Instructure — maker of Canvas, the learning platform used across K-12 and higher ed. Student names, email addresses, ID numbers, and private student–teacher messages were exposed. The extortion group claimed roughly 275 million records taken from about 8,800 institutions worldwide — among the largest education breaches ever recorded, though Instructure has not confirmed those figures. As with PowerSchool, the way in wasn't a school's network: attackers exploited a flaw in the vendor's own platform. And Canvas messages often hold exactly what students share in confidence — medical notes, accommodations, counseling.
Put the two together: the system that holds your student records and the platform that runs your classrooms — the two biggest names in education software — both breached through the vendor, within eighteen months. If your district uses either, your data was in scope, and there was nothing your own IT team could have done to stop it.
Sources: Instructure disclosures; BleepingComputer; Bitdefender; reporting, May 2026.
Your board and your parents want one answer: are we safe? But the people you'd ask are stretched thin.
Most districts run on a one- or two-person technology team with no dedicated security specialist. Vendors multiply every year. A full-time CISO costs north of $200,000 — if you can even find one willing to come to a district. So the hard security questions quietly wait, until an incident forces them.
You don't need to become a cybersecurity expert, and you don't need to hire one full-time. You need a trusted advisor who already does this for a living — and who answers to you, not to a product line.
TRAG is an advisory group. We don't sell software, hardware, or managed services — we give you the senior judgment to decide what's worth your budget and attention. Four ways districts work with us:
Know exactly where your district stands, measured against a recognized framework (NIST CSF, CIS) and translated into plain English. You get a board-ready picture of your real exposure — including the vendors holding your student data.
A seasoned security advisor on call. Not a product vendor, not a part-time staffer — an independent expert who knows your district and picks up when you need a decision made, a vendor vetted, or a steady hand on a bad day.
Our signature. A prioritized, phased plan that says exactly what to fix now, in 30 and 90 days, and across the year — each item sized to your budget and mapped to the risk it retires. The plan that turns a scary assessment into fundable action.
People are the way in — phishing is the leading entry point for attacks on schools. We make your staff harder to fool and walk your leadership team through a realistic incident before a real one writes the headline.
We don't resell tools or take vendor kickbacks. That means the recommendation you get is the one that's right for your district — not the one that pays us. The whole point of an advisor is advice you can trust.
FERPA and student-data privacy, E-Rate realities, tiny IT teams, board politics, the academic calendar. We speak your context — this isn't enterprise consulting with the word "school" pasted on top.
Twenty-seven years of CISO-level work, translated for superintendents and boards. You'll always know what to do next, what it protects, and what it costs — no jargon, no fear-selling.
From E-Rate and state programs to the FCC's new Schools & Libraries Cybersecurity Pilot, dollars are increasingly available to help districts defray the cost of protecting student data. What they consistently reward is exactly what TRAG builds: a documented, prioritized cybersecurity plan you can act on and report against.
We help you position your district to capture funding — and make sure the plan behind it would survive a grant reviewer, an auditor, or a cyber-insurance questionnaire.
No drawn-out sales process. A clear path from "are we safe?" to a prioritized answer.
A free 30-minute conversation about your district, your concerns, and what's keeping you up at night.
We measure your real risk against a recognized framework — including the vendors holding your data.
You get a prioritized, costed, plain-language plan: what to fix now, next, and over the year.
We stay on call as your trusted advisor, so the plan keeps moving and you're never facing it alone.
Before you ever sign anything, you can read exactly what a district receives — a worked assessment and a full sample report, start to finish.
Every engagement produces the same set: an Executive summary for the board, a Technical detail report for your team, a Compliance crosswalk for counsel, and a phased Remediation roadmap to execute. Real samples of all four are on the site — read them before you ever sign.
The Assessments page walks through how we score maturity and cover all 18 areas. The Reports page shows the full deliverable a district receives — start to finish.
K-12 pays the highest ransoms of any sector — a mean of $7.46M in 2024 — before you count lost instructional days, legal exposure, and the trust you can't buy back. Getting ahead of it costs a small fraction of that.
A complete read on your risk across every area, plus the prioritized, fundable plan to fix it.
Indicative pricing for planning purposes — every engagement is scoped to your district's size and needs. Final figures confirmed after the briefing.
It's the opposite. Large districts often have their own security staff; small and mid-sized districts are the ones attackers count on being under-resourced — and they're the majority of victims. Our work is sized so a district without a security team can act on it.
Your IT team and MSP keep things running — that's a different job from independent security strategy, and most MSPs also sell the tools they recommend. An advisor gives you a vendor-neutral second opinion that answers to you, and frees your team to act on a clear plan instead of guessing at priorities.
No. We take no commissions and resell nothing. That independence is the point — our recommendations are based on what protects your students, not on what we'd profit from selling you.
Nothing. The first step is a free 30-minute briefing — a real conversation about your district, with no obligation and no automated sales follow-up. You'll leave with a clearer read on your risk whether or not we ever work together.
Start with a free briefing. Thirty minutes, no pressure — just a clear-eyed look at where your district stands and what to do first.