Cybersecurity experts told the Utah School Security Task Force that basic protections—multifactor authentication, endpoint detection and a zero-trust approach—would block many of the recent breaches of school-related systems and that the state should consider minimum standards for districts.
Kevin Lopez, a private-sector cybersecurity presenter, said multifactor authentication “does significantly increase security, and reducing risks, by up to 99%,” and recommended endpoint detection, role-based access, network segmentation and vendor contractual requirements tied to security standards such as NIST or SOC 2. Lopez described recent breaches involving third-party vendors, saying attackers took advantage of valid credentials and the absence of multifactor protections to access student and teacher records.
Spencer Jenkins of the Utah Education and Telehealth Network (UETN) described UETN’s role as a statewide network partner that connects schools; UETN sees network anomalies before some districts, provides coordination during incidents and is preparing a statewide security posture assessment for K–12 and higher education. Jenkins said UETN is evaluating managed services that would give districts and the state a shared view of threats and noted that deployment and resources vary widely by district.
Task force members cited recent compromises of Utah student records and warned that paying ransoms or trusting attackers to delete stolen data does not prevent re-use of that data. Representative Wilcox said roughly 170,000 student records were compromised in a recent incident he referenced; that figure was reported in the meeting transcript as his observation about ongoing compromises. Board member Joe Carey asked what is slowing wider adoption of multifactor authentication; presenters said both cost/licensing and user convenience are barriers.
The group learned that the state legislative auditor has commenced an audit of education cybersecurity. Task force members said that audit, together with UETN’s upcoming posture assessment, should inform any minimum standards recommended in the task force’s legislative work for the coming session.
No formal action was taken at the meeting on cybersecurity standards; task force members instructed staff to continue work, coordinate with the Department of Technology Services and consider proposals for baseline requirements for districts.