School districts maintain sensitive data which makes them attractive targets for cyberattacks.  Although school districts maintain sensitive data, Kansas districts are not required to implement any specific IT controls. Many school districts have not implemented several basic It security controls: The majority of survey respondents (147 of 286 school districts - 51% resonse rate) indicated they lacked proper security awareness training and incident response plans, did not require secure confidential data transmission, and did not perform vulnerability scans at all or frequently enough. Districts reported that staffing issues and lack of knowledge about what IT security controls to implement were significant barriers to improving IT security.  Finally, districts reported spending an annual average of about $18 per student on IT security in recent years. In comparison, the average total expenditure per student is about $16,200.