Top Cyber Risks for K-12 Schools in 2026
Cybersecurity is entering a new era—one defined by AI-driven attacks, quantum computing threats, and an ever-expanding digital attack surface. In 2026, adversaries are no longer just human; autonomous systems are probing networks, deepfake scams are eroding trust, and ransomware-as-a-service is democratizing cybercrime. Meanwhile, defenders are racing to deploy zero-trust architectures, quantum-ready encryption, and AI-powered threat detection to stay ahead.
Join leading cybersecurity experts from Blackbaud for an in-depth look at what’s new and what’s next. This session will explore:
• Emerging Threats: Social engineering, identity sprawl, supply chain vulnerabilities, and on-chain cybercrime.
• Game-Changing Technologies: Post-quantum cryptography, autonomous SOCs, and AI copilots for real-time defense.
• Practical Strategies: How schools can build resilience through compliance, continuous verification, and proactive risk management.
You’ll leave with actionable insights to safeguard your mission in a rapidly evolving threat landscape.
Transcript
So here we go.
Welcome everyone.
Today, we are going to be talking about the top cyber risk for K-12 schools in 2026.
This is a great and very timely update.
Very excited to have our special guest from Blackbaud coming, and we have a wonderful presenter today.
So Lee is a retired FBI special agent that's going to take us through some really cool things.
So Blackbaud, we really appreciate you guys sponsoring today's webinar and are excited to have you here.
Yeah.
Thanks, Ashley.
Just real quick to introduce Lee and myself.
So, I'm with Blackbaud.
I'm responsible for global cyber operations here at Blackbaud.
I've been here about four years.
Previously to that, I served as a senior vice president within cyber at SunTrust Truist.
So, been around a while.
Also involved in AI, with Furman University, sit on their advisory council there and sit on some technology companies advisory boards.
But also, Lee, want to give you a chance, you're the main focus here, give you a chance to tell folks about who you are.
Very good.
Thank you, Don, and thanks everyone for taking your time today.
My background is purely law enforcement.
I was a special agent with the FBI for approximately 21 years.
Fifteen of those years, I worked counterterrorism, national security.
My first office was Detroit, Michigan, and that really opened my eyes.
And what transitioned me into cyber was around 2010 with the rise of ISIS in Afghanistan, Iraq, Syria.
We saw a lot of the bad actors were using encrypted applications, and typical government, we were behind the times, so that was a real challenge.
So that steered me into the direction of cyber, and I then progressed in my cybersecurity interest, and I was able to go to the NSA as the LNO for approximately three years in Augusta, where they do a lot of cool stuff.
A lot of the work is directed at the same APT actors that we see on the private sector that may be targeting your businesses and your institutions.
I hold a degree from the University of Akron in law.
I attended law school while I was a police officer during the day.
And then, now I got this great opportunity to work with Blackbaud and their cybersecurity team.
And, hopefully you'll get some good information out of today.
And if you want to go to the next slide, I'll roll through the agenda.
We've already discussed who we are, and we're going to go into what's changed in the threat model in 2026.
We'll discuss the cyber risks that your institutions have and some practical guidance on an action plan.
And before we get too far into it, I just want to give our caveat that the views and opinions expressed today are those of our own.
This intelligence is from the picture we see it now, and it's not an accurate prediction of what may or may not transpire.
But, with a lot of reporting we're seeing, it's been confirmed by incidents that you see and hear in the media, unfortunately, every day.
Next slide.
Yeah, and- Go ahead, Don.
Yeah.
And Lee, just to add to that.
So we started, I think it was last year or the year before, producing an annual report similar to what you'll see some of the organizations provide, that talks about top threats that we believe the industry will see over the next year.
So we just published that, and this touches on some of those topics, but that paper's also available on our website, I believe.
We will also publish one later in the year that's specific to the nonprofit sector.
The one that we've got out now is education.
But we're trying to put those out at least once a year now because the threat landscape continues to change.
We continue to have to change what we do as you guys do as well.
So thanks.
Sorry about that.
That's all right.
Good reminder.
Okay.
As you can see here, what's different in 2026 is attackers are focusing on people, credentials, vendors, and trust.
With the use of AI, they've been able to increase the scale and realism of social engineering attacks.
And then everybody is now relying on cloud or a SaaS service, which just expands that identity attack surface.
We've seen a shift from malware to now we're having to protect networks, workflows, and identities.
Education environments are especially exposed due to the heavy reliance on distributed users, seasonal workflows, and high-trust communications.
Those high-trust communications are what the bad actors exploit in their phishing.
And we don't see phishing going away anytime soon.
If anything more, it's just becoming more realistic, more layered, and it poses a challenge.
Like we said, the use of AIs, they're able to create campaigns that use that institution's language.
They are aware of the workflows.
They know who to target by doing their research.
And we're also seeing a multi-stage, multi-platform approach. Victims may get an email, which is followed up by a text message, and some actors are even as bold as giving voice calls.
And I read this week of actors actually showing up at law firms, posing as IT workers for their particular vendor and getting access that way.
So we're seeing more and more aggressive approach in the social engineering aspect, and it's something to be aware of.
Mentioned cloud and SaaS reliance.
They're heavy on the supply chain.
As you're probably well aware, those trusted platforms now we have to look at more skeptically.
Is the code that you're getting or the software provider that you're using, is that someone that is doing their due diligence, going through the checks to make sure it's trusted? And with that, we have shadow IT.
Many institutions don't have a full inventory of what all services and products they're using, and inconsistent access controls often leads to successful compromises.
Next slide.
Yeah.
Go ahead, Don.
Yeah.
And just to add to that-- Sorry, Ashley.
If we can go back real quick, just to add to that.
It used to be that we could rely on this hard external part of our network, right? We could focus on firewalls.
We could focus on these boundary points.
And that has slowly shifted to where now identity is our new boundary, right? Where we have to make sure that we've got the right controls in place to manage our identity, that we're doing it.
You also mentioned, Lee, the AI threat.
So we all know, we all have read the news recently where Mythos has come out, or there's a new model, Mythos, that's out that really continues to ensure that we're having to pivot from a defensive perspective at a much quicker pace than we ever had.
So it's important that not only we see that, but that we're leveraging AI where we can internally to combat that.
Because humans can't react at the same pace that AI is creating offensive capabilities.
So, I just wanted to emphasize that, Lee.
Yes.
Now that we've scared them half to death- ...
we'll continue on the nightmare scenario here.
But in actuality, the things on the horizon are the top threats that we're seeing.
So I think that we are at a turning point now where it's a maximum application of the technology by the bad actors.
But like I like to tell a lot of audiences, that's okay.
We know how to work a fax machine and write in cursive, so I think we're going to be okay.
So the big risk categories, no surprise here, is the AI-driven social engineering, the identity threats across SaaS, the student-driven cyber risk, which I'll elaborate on a little later, and also the cyber insurance pressure.
Cyber insurance providers are-- There's been a lot of payouts historically, and they've transitioned their model now to where they expect the customers to have some skin in the game.
So no longer can you just sign the check and forget about it.
They want to see robust things in place.
Multi-factor is mandatory now.
And in fact, if you don't have multi-factor on all accounts, your premium, I think, is nearly doubled.
They want to see an endpoint detection and response plan and documented instances where you've put those in place.
So premiums are tied now to a security maturity and controls and not necessarily a risk.
The assumption now is there's going to be a compromise, but how bad will it be? Have you taken the steps to mitigate that as much as possible? And with all that being said, ransomware is still a top disrupter.
It's especially the case in schools because you're dealing with a calendar.
If your system is compromised and encrypted days before the first day of school, the actors know that you're going to have to respond.
You're going to be in a very bad situation if you can't get back online.
Yeah.
And just to add to that, Lee, going back to the AI-driven social engineering component.
So I've managed the red team here at Blackbaud.
I've also managed the red team at multiple other organizations.
And I can tell you that the force multiplier of AI assisting with offensive capabilities is true.
My red team, they're able to come up with red team missions, tools, and so on and so forth in a much shorter time period than they were, say, two years ago.
So if we're using it from a red team perspective, and I'll call it a controlled environment.
Red teams aren't necessarily, quote, "controlled," but we know that the malicious actors are using it as well.
So the AI threat is real.
It's being used not only offensively, but we also-- We are also learning to use it from a defensive perspective, too, just to keep pace with what they're doing on the offensive side.
Back to you, Lee.
All right.
Thank you.
Shifting over to the student-focused, if you can just go to the next slide, the social engineering aspect.
Just an example of what this may look like in a school setting is you work in IT, you get that urgent email from a proposed teacher who says that they're locked out of their account, they're having problems with their MFA, and they're asking to reset credentials.
This tailored email is very convincing.
It falls in line with the terminology that a school would use, and it adds that layer of time constraint and the pressure, sense of urgency.
And we're seeing a lot of IT departments fall for this.
In my time as an FBI agent and as a supervisor, I interviewed hundreds of witnesses, and they were convinced that the email they received did in fact come from someone in their organization.
They said that the wording and the name, title, everything looked to be legitimate.
So it is very challenging to detect these, and the bad actors know that.
Another scenario we're seeing, the payroll sync issue.
Let's say it's the end of the month, payroll processing is underway.
The IT help desk receives a message through Microsoft Teams from someone appearing as a district IT systems administrator.
"Hey, quick heads-up.
We're seeing sync issues between HR and payroll systems.
A few staff accounts aren't updating correctly." And it's signed a teacher's name.
And then the actors are following up with a subsequent text message saying, "This is the district office.
We're seeing that." So the actors know that if you hear the same message from two or sometimes three different sources, it's more convincing.
And that's how they're leveraging AI to scale those social engineering phishing techniques.
And, so that attack vector will then get those OAuth authentications.
They no longer need your password, they just need those token sessions to be able to compromise the network even further.
The goal is credential theft here.
Not always malware delivery, but if they can get into the workflow, get to the keys to the kingdom.
Don, do you have anything to add on that? Yeah.
One of the things we talked about in the session at Atlas this year was how easy it is to take a voice and basically create-- If I can get a little bit of someone's voice, say, off a voicemail, I can then create and leverage that voice in a conversation to help phish, right? So the days of that being difficult are gone.
And the days of even doing that from a video perspective, if there's a significant amount of video, we're getting to a point where the processing power needed to quickly do this is freely available or available at an inexpensive.
So the days of you being able to quickly tell that "Well, that's not really my CFO's voice" are really kind of gone, right? And I know we had this conversation at Atlas about do your executives use their own voice on their voicemails, right? Because that gives the malicious actor, for instance, if you're a CFO, that gives them something to train a voice on, right? So just be careful about that.
And in some situations, you may just want, for instance, their voicemail to use the default voice on voicemail.
Simple things like that.
For sure.
Actually, next slide.
Yeah.
So I think this is probably my slide.
So, what can we do? So number one, and I'm sure many of you have MFA in place, I would encourage you, though, to make sure that you're reviewing how deeply that's used or how widely that's used across your organization, right? So for instance, you may have initially deployed it to only IT staff.
Make sure that those resources that potentially are, I'll call them big phish, make sure that they're using MFA.
So if they have access to critical data or they have wide access, make sure that they're using MFA if you can.
And typically, that's going to include your staff, your admin type of accounts.
Also, another thing, and we talked about this, Lee, during the session when we were at Atlas, was out-of-band verification.
So we've seen this.
We've heard some pretty bad horror stories.
I've seen it at other organizations where you have a request come in to make a payment, and it sounds like it's coming from someone within the organization. And again, it's someone's voice who's been duplicated, right? So for transactions that may seem that are high risk or out of the norm, make sure you have that second way of verification, that out-of-band verification.
So, if the request comes in via email, don't just email back and say, "Are you sure you want me to transfer $10,000 to this new account that's been set up?" Make sure that you've got verification.
So if it's your CFO making the request, make sure that you're validating that with the CEO or another high-ranking person, just to prevent exactly that.
Another item here, short, regular staff awareness reminders.
So many of us, me included, it takes several times for me to hear something before it really sinks in.
So if you can get a few minutes, five, 10, 15 minutes at staff meetings, whenever you do in-service hours or whenever you have in-service meetings.
If you can get time on the agenda, take that time to remind staff and key folks about the key things to keep your network and your environment safe, right? So it could be reminding them that, hey, if it doesn't feel right, question it.
We're okay with you questioning what doesn't feel right.
And look for A, B, and C.
But make sure that you're having those conversations so that they understand this isn't just something that happens to other people on the news.
I can tell you that our intel team picks this stuff happening to a number of schools on a regular basis.
So make sure you're having those conversations.
Make sure people realize the risk is real and that they're educated about potentially what can happen.
And- Go ahead, Lee.
I'm sorry.
I was just going to, before I forget the out-of-band verification, take that one step further in having a good contact list.
Because- Yeah ...
in the instance of, let's say, a ransomware where everything is encrypted, how are you going to get in touch with that CFO, that CISO? Normally, you would use your work email, but that's not an option.
So having the old-fashioned black book with telephone numbers is a good tool to have in those incidents.
Yeah.
In addition, the FBI, if they need to pass crucial information to you, they won't send it to the infected network, just in the event that someone is monitoring those communications.
So we would always ask for an out-of-band email, a Gmail account, something that we could send pertinent information to, especially during negotiations if you're engaged with the threat actor.
They were very big on being able to be active in those instances if that was something being requested.
Yeah.
And you may use Teams internally, but have those key people that need to be in communication, have that secondary method of communication, WhatsApp, Signal, or some other means for communication outside of your regular communication.
That's a great point, Lee.
Did you have anything else? No, sir.
Cool.
All right.
Believe this is me as well.
So SaaS and vendor identity exposure.
So this is something that's beginning to become a really big problem.
And you guys probably are familiar with the recent, I think it was 2025, the Salesforce event with SalesLoft.
The key is, I believe the key is, with this particular risk, is make sure you have a good inventory of stuff in general.
I'll say applications, but also your SaaS vendors, right? The connections that those SaaS vendors have, the identities that those different SaaS vendors may be using, right? Some common issues, OAuth consent abuse.
So, this really touches on the next slide, too, but make sure that when you're granting OAuth access, that you pay attention and that you teach folks to pay attention to what is this really granting, because many times the default will be overly permissive.
So you might want to push back and say, "Hey, vendor, do you really need this type of access? It seems pretty big." Right? So, I think awareness around what exactly you need, or what exactly that application needs to access this other component within your environment.
Because what can happen is they can leverage that interoperability and pivot within your network if vendor A has a compromise, right? So, token theft that bypasses MFA.
So, we've also seen an uptick in this, where tokens are stolen, they're leveraged for access.
If they're stolen and leveraged for access, that potentially bypasses MFA.
Make sure that, A, you don't have a token that's in place for two or three years.
If possible, make sure that you're rotating those tokens on a regular basis.
The last item here is shadow and unapproved apps. I kind of touched on that.
This is a problem, a problem for me, a problem for you, a problem for the industry, right? Where folks want to go out, I'll use ChatGPT as an example.
Maybe it's "not an approved app," but people use it.
Make sure you have a pretty good idea of what those shadow apps are, those "unapproved apps" are.
Because again, if there's a compromise of one of those shadow apps and if they've provided access to other components within your network, that potentially is a pivot point within your environment.
So again, not easy, I understand, but try to do the best you can to get a handle around the shadow apps, the unapproved apps within your organization, and keep an inventory of those, right? If you can, get in front of it and say, "Hey, I'm not here to say no.
I'm here to walk the path with you to make sure that when you're leveraging this app, that I help you understand what the risks associated with it are." So next slide, please.
So, I think I've touched on many of these.
Again, inventory.
I did a session two or three years ago at Atlas on know yourself and know your enemy, right? So know what your inventory looks like, know what your attack surface looks like, right? Because if you don't, you can't defend it.
So the first step is, and again, I realize that many of us are challenged because they don't want us to get in the way of progress.
They don't want us to get in the way of providing a service to the students, to our customer, right? But I encourage you to frame it in a way where you want to walk the path with them.
You want to be a good partner.
You want to make sure that you're working with them to make sure that we're keeping students safe.
Right? We talked a little bit on the SSO and MFA.
SSO, that just centralizes your account management, right? Again, it's very difficult when you're not using SSO, and you have all these different accounts that you've got to manage.
And so I encourage you, when possible, most of these apps today support single sign-on.
So if they do, make sure you're taking advantage of it.
And specifically, if they allow, make sure that you're turning on MFA to add that additional piece of validation for the user.
Review OAuth app consents regularly.
So again, this goes back to understanding, right? You have a SaaS solution or SaaS product internally.
It's been granted access to all these other applications.
Make sure you understand what that looks like and make sure you're reviewing your identities and what they have access to on a regular basis, and question anything that looks, A, overly permissive, or B, looks out of line, right? I can't tell you how many organizations I've talked to that never do this.
This is a key thing to making sure that you're removing access to things that no longer make sense, that connections with other applications that you no longer have.
That was a key piece of the- Hi.
Hold on one sec.
That was a key piece to the SalesLoft issue a year ago, was that many organizations, and that affected in the hundreds, right? Much of the access that had been granted previously had remained in place.
And so malicious actors were able to leverage that connectivity.
And then the last thing here, reduce unnecessary third-party access paths.
Again, if you no longer need it, make sure you're getting rid of it.
Make sure that you're reviewing the granted accesses on a regular basis.
I suggest at least annually, quarterly if you can.
Just again, good hygiene.
Make sure you're cleaning up after yourself from an application perspective.
Lee, anything to add to that? Yeah, just one quick war story.
Unfortunately, I saw was an instance where an employee had gotten married, changed her name, so they created a new email account for her, left the old one on the system.
Over that time, every account had MFA required except that one because it was pretty historic.
It was still connected to the network.
That's what the actors were able to use to get access.
I think this was a business email compromise, resulted in a few hundred thousand dollars in loss just because the workflows, it appeared to be someone legitimately coming from the finance department.
And a lot of companies, when someone leaves the company, they're really good about disconnecting that access.
But not a lot of companies think to do variations of the same employee's email.
So just something to think about.
Yep.
I think the next slide is to you, Lee.
All right, very good.
We're going to talk about those students.
A lot of them are high risk, not intentional.
A lot of it is non-malicious, but risky behavior that we see instances of. Don talked about that shadow IT.
This falls in line with the shadow apps.
A student may download an app from the App Store that's been placed on there by an actor that specifically targets AI study helper.
Okay? They download it to their personal computer, which is unmanaged by IT, totally in a blind spot, and then they start giving away permission access to read files in cloud storage, access to school accounts, integration with the LMS, and before they know it, they're in the school's network.
It's outside the school's visibility and controls, and it has access to institutional data and credentials.
This one app could then be propagated through the system and harvest OAuth tokens for that student's device, and then before you know it, it's become a path for the bad actor.
The access to shared documents gives visibility into classes and faculty communications, and then they just pivot from there and go up to get more and more access.
Having a good inventory of what AI tools is going to be a must going into the future.
Just some simple awareness training for students, and we've read that it doesn't have to be long, just a catchy phrase.
Think before you link.
That pause so that they're aware of the dangers that are out there.
Actors also will use students' accounts for phishing.
Something that's very appealing is summer employment.
Put that out in mass.
It appears to come from a student, so you have that familiarity with other students, and it works a lot of times.
I had the opportunity to meet with a SOC administrator for a university, and during COVID, they saw a lot of uptick in emails about COVID tests and infection cases.
Everybody was concerned, so that got a high click rate and they had to stop a lot of phishing incidents.
So, you have a captive audience.
You have ones that are both on the school's network and their own network, maybe downloading things that the IT department doesn't have access to.
And the impersonation and fake content, that's something that each school will have to monitor on their own.
Next slide.
Yeah.
Go ahead, Don.
Yeah, real quick.
Let me go back to the slide real quick.
I think that we understand and we believe that students-- Thank you.
That the majority of students aren't malicious by nature.
And I think the majority of you do this, and I just want to call it out.
Make sure that you do have a separate student network that's air-gapped or has the proper controls in place to separate what I've known for years as, quote, "an untrusted network with your trusted network." And your trusted network being your financial systems, your key things, your crown jewel, so to speak.
But allowing or creating that air-gapped student network could potentially save you one day if you don't have one.
But I believe, again, based on the conversations we had with folks during the discussion at Atlas, I believe that most folks have that student network, hopefully air-gapped in place.
Next slide, please.
Yes.
And Don, you stole some of my thunder here- ...
with what small teams can do.
Yeah.
Like Don mentioned, separate the student and staff with security controls.
Your students don't have to have the same access as you all know.
Especially strong authentication for your staff and administrators.
Have that extra layer of MFA, just to make it harder for those actors to get that additional access.
Clear guidance on AI and acceptance use.
You don't want to have a situation where a student is using AI and claims, "I was never told that I couldn't download all these apps and use it." So having that policy in place and awareness helps a lot.
Simple student messaging.
Just stop, verify before clicking can break the attack chain.
And in my role with the FBI, we saw companies fare much better when cybersecurity was something that was hammered home from the person at the front door that greets people, to the CEO.
If cybersecurity is just something the IT department is concerned with, or just the executives are concerned with, it's fighting an uphill battle.
You can't stop the flooding if you don't turn the water off.
So having that awareness from students, faculty, staff, that the threat is real and that they're part of it.
Those companies and institutions fared much better than those that didn't have that built into their culture.
Don, do you have anything to add on that piece? I don't. All right.
Is this you? Yes.
Yeah.
Cybersecurity, the insurance pressure, we've already discussed it.
MFA coverage is mandatory across staff and administrative accounts.
Even those accounts that may be holdovers from long ago, that inventory needs to be cleared either off the network or make sure they're secured.
Documented incident response plans.
It's good to have a plan, practice those plans, because in the case of an incident, one of your first calls will be to your insurance company provider, and they will come and see what's been done already.
And to have that set in motion, that muscle memory of, "Hey, we've done this before.
We're prepared." It goes a long way.
Tested backups and recovery readiness.
If you've been in the business, you know how important those backups are and the ability to get those backups when needed.
And, unfortunately, if these things aren't in place, insurance providers have denied claims if they found that account was compromised, didn't have MFA on it.
There have been instances of them denying responsibility or financial compensation.
So it's something that you need to do beforehand to make yourself as hard a target as possible.
All right.
So ransomware.
Old news, right? Old news, but still, frankly, pertinent to the conversation.
So, again, from an intel perspective, we have an intel team that scours the dark web.
We also have third-party service that does that on our behalf.
We look at third parties, vendors, we look at customers to see what type of attacks are affecting those folks, right? I can tell you that we continue to see ransomware as one of the top attacks and focused on education.
And why? Well, so I'm not telling you guys anything you don't know.
You're resource-constrained, right? You just don't have the resources to be able to do a lot of the things you'd like to be doing.
It's not because you don't necessarily know how or don't want to, but you don't have the resources.
So a malicious actor sees that as an opportunity.
The other piece is you got a huge attack surface, right? So that's why we talked earlier about if you can go in and get rid of those things.
I say things, identities, links to other applications, all the stuff that's no longer applicable or needed, that helps reduce some of your attack surface, right? And the attack surface that you're probably not paying attention to.
But that makes, again, education a juicy target.
High disruption, high leverage, right? So they're looking at educational institutions and nonprofits, to be honest.
They're looking at both because if, let's say, they're going to target you during some event, whether it's finals, exams, right before Christmas hol-- They're going to pick a time when it's very important to target you.
So just keep that in mind.
Organizations I've worked for, during holiday long weekends, we often staff up rather than staff down.
So, just keep that in mind.
Those are the times when you want to get away, when the kids are wrapping things up for the year, that's when you're a juicy target because people aren't paying attention as much as they can, so on and so forth.
So just keep that in mind.
How are they going to do it? The top method for attack today is probably phishing, and they're going to target the identity, right? And again, using AI, they've gotten very good at formulating very real-looking emails, voicemails, so on and so forth.
So it's no longer where it's easy to pick out.
You don't get an email with a ton of misspellings anymore.
You get an email that looks awfully real.
Many times, there's going to be a call to action, and you got to do it in a short timeframe, though, so that's one thing you can still look for.
They're looking for you to act quickly.
Next slide, please.
So what can you do? We've covered a ton, right? So what can you do? Well, and I tell my team this all the time on stuff, right? There's a lot to tackle.
For whatever the problem is that you've identified, there's a lot to tackle.
Start somewhere, right? Here, I'd suggest that you start with two high-risk workflows, right? Make sure that you understand them, that you understand the risks associated with those workflows, and continue on down the track, right? But start somewhere.
Start with a couple, start with five.
Whatever you can fit into the schedule, just start.
Confirm your MFA coverage, right? You probably have MFA deployed, but make sure that it's deployed to the right resources, right? That the coverage is wide enough, because sometimes we deploy stuff, we deploy it to what feels like the right audience to begin with, but we never go back, or we don't often enough go back and review to see if we need to expand that coverage.
What can I do intermediate term over the next month? Again, we talked a little bit about this, SaaS and OAuth Review, right? Make sure that the access that these apps are asking for and that you're granting or your customers or your internal folks are granting are appropriate, right? And if you don't feel like they are, push back, talk with the vendor, make sure that it truly is what they need.
And if it's not, ask them to change it.
The next one, incident tabletop.
So I highly encourage you to do this.
Organizations that I've worked for and led, we do multiple a year.
So this year we'll do more than 12.
Right? Now, those aren't necessarily enterprise-wide.
Sometimes they're very specific to certain types of attacks, certain types of compromise.
But to Lee's point, you want to make sure that it's automatic.
You're not necessarily trying to figure out what to do.
You've already seen this, been down a similar path, and you kind of know how to react, right? Over the next quarter, make sure you're doing a backup restore test, right? If you get hit, you want to make sure you have a good backup, you know how to restore it, and you can do it quickly.
Vendor access cleanup.
Talked about that earlier.
Make sure that sometime over the next few months that you go through, you look at those vendors, you make sure that the vendors that have access are still needed, and if not, remove their access, right? And then, if you don't have an incident response plan, you should have something, because that should include who are the people I'm going to call when something goes wrong? Update it to make sure you've got the right contacts in there.
And update it to make sure you have a base plan for software as a service attacks and social engineering attacks.
Next slide, please.
So with that, unless Lee, I don't know if you had anything to add to the last couple slides.
I know we've got five minutes left.
We'll open things up to questions.
We can address the questions on screen, or if folks have other questions, we can try and address those in the time we have left.
Yeah, Don, I'd love to hear from the group as well, just to see what they're seeing from their perspective.
A lot of our stuff is from reporting and prior experiences, and it's always good to get new, updated insights.
If anyone is open to sharing what you're seeing in your environments.
While we're waiting on you guys to put something in chat, if you have it, we can talk about these a little bit.
So, oh, Ashley, "How do we balance student flexibility with security without impacting a learning experience?" So that's a great question.
And I don't have a great answer.
Lee can weigh in.
But I think, number one, I think you have to be in the conversation early, right, so that you're proactive as opposed to reactive.
Because reactive, you're going back and trying to fix what's already been done, right? So I think if you're proactive and you're at the table when something is initially being deployed, and in the conversations to make sure that it's done in a secure way and that people understand the risks and either accept them or we mitigate them through some control.
But having that conversation, make sure people understand that security is important.
We're not here to block progress or to impede progress.
We're here to help and make sure that we're safeguarding students.
Lee, I don't know if you had anything to add to that.
Yeah.
Falls in line with what you were saying.
I think we have schools will need to provide some option for them.
If not, the students will go and get their own- Yeah ...
service.
So marketing the school-sponsored or authorized option would probably be the best, and listen to feedback.
If the option the school chooses isn't checking all the boxes, find ways to accommodate or make those adjustments.
Yeah.
AI is used by everyone, and the easier and the quicker a response that's received, the better.
So...
Yeah.
And if you're kind of setting things up so that you have parts of your network that the trust level varies.
So that also means that the willingness to accept risk varies, right? Because in an untrusted network, you're not going to have as many controls, but you're also not going to have as much risk available to that tenant.
So, I think having those different levels of, I'll call it availability, but making sure that you've got kind of your network broken out and you're protecting your crown jewels and that you're giving more freedom to the, for instance, the student network versus maybe your internal network, may be key.
Yeah.
So John, that's a great question.
So the Canvas infrastructure breach or Canvas infrastructure breach, it's tough because I know in Canvas' case, they-- The actor actually reached out to them early and said, "Hey, there's a problem," right? And as vendors, I think we're learning and have learned, some of us may be further along on that process, we've learned that we've got to react quickly when someone indicates that they've identified a problem, that we're reacting to that earlier, right? And that we're not just kind of putting it on the back burner.
So, for instance, many organizations I've worked with leverage companies like Bugcrowd, who works with independent, I'll call them hackers, to identify stuff like this.
And I think as an industry, we're getting better about when things are found like that, taking them seriously.
We typically want to do some level of validation.
But I think in general, we respond very quickly to that.
I'm not sure why Instructure kind of there was that delay between the initial quote compromise and then the follow-up, but certainly, I think as vendors, it's important for us to take those indicators when someone comes to us and says there's a problem, taking those seriously.
I'm not sure, John, if that answers your question.
So Lori, advice around BYOD.
So I don't know.
I feel like that's something you can't say no to, right? But I also believe that if you have to say yes, then you have to have what I just talked about.
You have to have that untrusted part of the network, whether it's probably a portion of your Wi-Fi that's set up, that's air-gapped, that provides a level of access, but you have strict controls in place that, and I'll again use the term air gap, but that creates this point of separation between your untrusted network and your trusted network.
So, there are very few holes poked between those two.
It's almost like they'd be able to get on the internet and, for instance, connect to something that they may be able to connect to at home, but they can't connect anything special while they're on that wireless network at school.
So I think it's one of those things, Lori, that we can't avoid, that we can't say no to, that we have to have a solution.
And I'd love to hear other folks' thoughts on that, too.
I feel like kids, that in today's world, people, kids, their parents want them to have a device with them at all times.
Okay, so Gerald, great question.
Is there still a benefit to having cybersecurity insurance if claims increasingly are being declined? Also, are you able to link to that Blackbaud Cybersecurity Report? We will get you that.
I will get that link for you, Gerald, and we'll share that.
So we have found recently, and Lee, you can jump on here too, but we found recently that we went through a period with cyber insurance where they were denying coverage for everybody, right? Or it was to a point where they were not accepting a lot of risk.
I think we've gotten, and I talk about we, the public, we've gotten better about deployment of some of our controls.
We've seen evidence of cyber insurance companies.
And I was just at DSAC, it's a domestic security alliance between the FBI, DHS, and the private sector where we discuss this.
Where cyber insurance, we've kind of taken that turn where they're starting to get back in the game because their controls are better.
The payouts are they're better able to manage that financial risk.
There was a time where it was just out of control.
And let's be honest, for cyber insurance companies, it's all about making sure that they're able to maintain solvency and eventually make a profit, right? So if they can't do that, they're going to deny what they see as risky coverage.
So, I think that's starting to take a turn to where folks are seeing it a little easier to get cyber insurance.
Lee, I don't know if you had anything to add to that.
Yeah.
Two things.
I think the perception now from cyber insurance providers is it's pretty much a given there's going to be a breach.
So as the customer, we have to assume that at some point we're going to need that.
And while you're shopping for cyber insurance, ask what mitigating services they provide.
A lot of the cyber insurance companies are now partnering with threat detection companies that will come in and assess your security posture and make recommendations.
Bad news doesn't get better with time, so on the front end, they will tell you what you need to do to make yourself more secure because it helps you and them.
But I would ask about that.
There are several companies out there that will come in, assess your configurations, your policies, and if it's not where it needs to be, they'll tell you what steps you need to take to get there.
So-- Leverage those resources for sure.
And Lee, that's spot on, because a lot of times it's a minor tweak.
It may not even be spending a lot of extra money.
It's just making a minor tweak to what you're doing, right? So I think that's a great idea, because just generally, you can probably find someone to do that fairly inexpensively when you're comparing the potential for cyber loss.
For sure.
And I think we had one follow-up from Lori about the boarding school.
I think it's still going to have the challenge of parents are going to want to have that connectivity with their children.
So cell phones are pretty much everywhere.
But limiting their access, having almost a dirty Wi-Fi to where it's separated from any sensitive data would probably be your best bet.
Don, do you have any comments on that? I think that's spot on.
I wouldn't change my earlier response.
I'd say, make sure that they've got that untrusted network available in the dorms, but it's separated.
And then, maybe it's different access when they're in the classroom, and maybe you don't allow BYOD devices in the classroom.
I think those are options.
Again, that's going to probably be determined by the risk appetite for your individual school.
But it's a great question.
I don't know if we have other folks that have better advice on that.
But my advice would be, if you can, try and keep that traffic on a separate network.
I think that's spot on.
You all, just in case you missed it, we did share the link to that white paper in the chat, and it is a fantastic one.
We'll also include that in the archive, so if you want to click on that really quick before we wrap up, that's a great one.
Well, Don and Lee, thank you so much.
Blackbaud, we appreciate your support.
And thank you, guys.
Very informative, lots of fantastic information.
So thank you for being here with us today.
Absolutely.
Appreciate it, Ashley.
Yeah.
Thank you.
All right.
Bye everybody.
Have a great day.
Bye.
You too.
Takeaways
- AI-Enhanced Phishing: Attackers are using AI to create highly realistic, multi-stage social engineering campaigns that mimic institutional language and workflows, making traditional phishing much harder for staff to detect.
- Identity as the Boundary: As schools move to cloud and SaaS models, identity has replaced the traditional firewall as the primary security perimeter, requiring robust MFA and regular credential reviews.
- Cyber Insurance Stringency: Insurance providers now view breaches as inevitable and require schools to demonstrate "skin in the game" through mandatory MFA, documented response plans, and proven backup restoration capabilities.
- SaaS and Vendor Risks: Schools must maintain a strict inventory of SaaS providers and "shadow IT" apps, as overly permissive OAuth permissions and stolen tokens can provide attackers a pivot point into the network.
- Student Network Isolation: While students are rarely malicious, their use of unmanaged devices and AI study apps poses a high risk, necessitating air-gapped student networks to protect "crown jewel" financial and administrative data.