The Office of the Legislative Auditor General told the School Security Task Force on Oct. 15 that Utah K–12 school districts and some higher-education institutions have cybersecurity gaps that raise the risk of data breaches and service disruptions. "We assessed the cybersecurity at local education agencies and degree-granting institutions," audit manager Jesse Martinson told the task force, summarizing the audit's scope and three key findings.

The auditors said two Utah school districts were publicly reported as breached in the past year; one incident affected roughly 450,450 student records and 30,000 employee records and produced a $150,000 insurance payment and sizable recovery costs. "In public education, attackers successfully breached, two Utah school districts in the last year," audit supervisor Chris McClelland said during the presentation.

Nut graf: The auditors recommended the Legislature study possible minimum cybersecurity standards for local education agencies and that the Utah Board of Higher Education clarify policy and accountability across institutions. The office also advised adding cybersecurity testing to future audits to better measure implementation of proven controls.

The report used Cybersecurity and Infrastructure Security Agency (CISA) guidance and the Center for Internet Security (CIS) baselines as its benchmarks, focusing on six high-priority controls such as multifactor authentication (MFA), backups, incident response plans and staff training. "These cover things like multifactor authentication, backups, training, incident response plans," Martinson said, adding the audit team used CISA-recommended practices "because they are proven to reduce the risk of cyber attacks."

The auditors combined a statewide UETN survey of 41 school districts and 10 charter schools with technical testing in six school districts and one charter school carried out with the Division of Technology Services. Survey results and targeted testing both showed gaps: incident response plans and training were often missing or incomplete in K–12, while testing found weaknesses in MFA, patch management, incident response and training.

The audit noted higher-education institutions generally performed better on the six CISA practices but showed variation when tested against the broader CIS controls. "Not all institutions had required information security plans," the auditors wrote, and recommended the Utah Board of Higher Education clarify cybersecurity policy and accountability.

The auditors cited third-party incidents, including a widely reported vendor breach that affected multiple districts, but emphasized the audit focused on controls districts can directly implement, such as contractual protections and local configurations. The office asked the task force to consider legislative study of minimum standards and to accept cybersecurity testing in future audits.

Ending: The audit team concluded its presentation with a recommendation that the Legislature and state education governance bodies study minimum standards, remove barriers such as staffing and training limitations, and consider routine, technical cybersecurity testing as part of future audits.