Technologies in education are a double-edged sword. Technologies make schools more efficient while putting them at cybersecurity risk. See what CISA recommends on K-12 cybersecurity.
K–12 schools and school districts, like organizations in any other field, have been quickly adopting advanced technologies. In education, technologies facilitate learning and make schools more efficient while introducing heightened risks to cybersecurity. Given the enormous amount of data stored by K–12 schools, they have become frequent targets of malicious cyber actors. Any malicious attempt puts students, their families, teachers, and administrators at risk. Against this backdrop, debates on cybersecurity for K-12 schools have intensified.
To help schools cope with cybersecurity issues, Congress enacted the K–12 Cybersecurity Act of 2021. The Act requires the Cybersecurity and Infrastructure Security Agency (CISA) to report on risks facing K-12 schools. Furthermore, the Act obligates CISA to develop cybersecurity guidelines for schools.
CISA released such a report in January 2023, titled Protecting Our Future: Partnering to Safeguard K–12 Organizations from Cybersecurity Threats (the Report). The Report gives guidelines on addressing cybersecurity risks. It also provides insight into the current threat landscape specific to K-12.
The Report has three main findings:
Let’s learn about the K-12 cybersecurity risks and challenges and find out more about CISA recommendations regarding cybersecurity resilience.
Cybersecurity incidents disrupt schools’ ability to carry out their educational mission. CISA warns of rising data breaches, ransomware, DDoS, and other malicious activities targeting education. For instance, from 2018 to the present, reported data incidents affecting schools have risen from 400 to over 1,300, as the Report states. In fact, this number is much higher, as many incidents remain unreported.
The main risks and challenges to K-12 schools and school districts are the following:
Schools store a lot of sensitive information: grades, assessment scores, addresses, phone numbers, emails, financial and medical information, and Social Security Numbers (SSNs). This bulk of information is a desired target for criminals. In total, 29 percent of K–12 schools reported being victims of a data breach, according to the Report. Ransomware attacks, business email compromise (BEC) scams, and online class invasions are among the most frequently occurring attacks.
One of the most notable examples of a data breach at K-12 was the ransomware attack on the Los Angeles Unified School District (LAUSD), the second-largest public school system in the U.S. The incident occurred in early September 2022. Attackers, known as Vice Society, compromised 500 GB of sensitive data and demanded that LAUSD pay a ransom. When the LAUSD officials refused to pay, Vice Society published 500 GB of data on its dark web site.
COVID-19 learning protocols led to increased usage of distance learning apps by K-12 schools and school districts. Some of these apps grab personal information and track the online behavior of millions of students and teachers. Some apps also gain access to students’ digital contacts and cameras. Thus, using distance learning increased the attack surface and attracted more criminals.
One route to an organization’s data runs through its vendors. Criminals know that and often attack supply chain participants to get to their main target. A supply chain attack aims to access information held by multiple organizations (or a targeted one) by attacking less-secure elements in the supply chain. CISA experts say 55 percent of all data breaches at K–12 between 2016 and 2021 were carried out on schools’ vendors. In January 2022, for example, a ransomware attack on the software provider Finalsite took down the websites of 5,000 schools across the country.
Resource scarcity is a common problem in the K-12 environment when it comes to ensuring cybersecurity. Due to limited resources (finances, personnel, expertise), schools and school districts cannot afford to maintain sufficient professional staff to deal with cybersecurity threats. Those lucky enough to have such staff often need help keeping their training or skills up to date. As a result, the lack of cybersecurity personnel and/or professional training for them undermines schools’ ability to respond adequately to cybersecurity threats.
When you feel constant pressure to respond to cyber attacks, but your resources are limited, make sure you undertake the most impactful measures. CISA recommends starting with the security controls that have the highest priority, including MFA, patching, backups, etc. These measures help you align near-term investments with pressing goals and compliance regulations, thereby providing a minimum necessary level of cyber protection.
Examples of CISA-recommended security measures, which ring true for most organizations, are provided below:
Multi-factor authentication (MFA) is an authentication method that requires users to provide two or more verification factors to access a system or a resource. MFA is usually based on one of three types of additional information: knowledge (password or PIN), possession (e.g., hardware MFA tokens, smartphones), and inherence (fingerprints or voice recognition). Even if one factor (such as a user password) becomes compromised, unauthorized users must still bypass the second authentication requirement. In most cases, such multi-layered protection stops criminals from gaining access to the target accounts. Read more on MFA and other access controls in our blog article Reinforcing the Weakest Security Link with Access Controls.
If implementing MFA is challenging for you, start with implementing MFA on your highest-risk systems, such as student information systems and high-priority accounts.
Many attacks succeed because users run outdated software when a newer version is available. Thus, always prioritize patch management to keep your data and systems secure. Patch management is the process of deploying firmware, driver, operating system (OS), and application updates to your devices. Patch management fixes vulnerabilities that leave your software and applications susceptible to cyber-attacks. This means that when you’re regularly patching vulnerabilities, you’re helping to manage and reduce the risk that exists in your environment.
Patching is one of the most cost-effective practices your school can adopt to enhance its security posture.
Many threat actors find vulnerable targets by scanning the internet for exploitable services. K–12 entities should ensure that IT assets accessible via the internet do not expose frequently exploited services. Any exposed system must have strong compensating controls in place and be reviewed as part of the governance program.
Many K-12 schools and school districts that have fallen victim to cyberattacks, such as ransomware, had incomplete or damaged backups, or didn’t have them at all. Backup refers to copying physical or virtual files or databases to a secondary location for preservation in case of equipment failure or catastrophe. K–12 entities, like any other organization, should back up all key systems regularly. Regular testing of the partial and full restoration of data is also necessary.
Store your backups offline and disconnected from the network.
Every K-12 entity needs to clearly understand how to respond to cybersecurity incidents if they occur. Knowledge of incident recovery is also vital. Schools should establish and regularly exercise a written incident response plan. An incident response plan is a document outlining what an organization should do in the event of a data breach or other form of security incident.
A good incident response plan should:
Cybersecurity management always includes a people component. Humans often click on suspicious links, connect to unsecured networks, or use the same password across multiple accounts. This makes people the main target of malicious actors worldwide. K-12s should consider regular security awareness training because investment in training is just as important as investment in cybersecurity capabilities, tools, and solutions. While leadership, staff, and student time is limited, CISA recommends initiating positive change and driving cyber awareness where it is within reach. Don’t know how to carry out a successful security awareness program? Read our article Security Awareness Training. Important Things to Know.
In addition to the above CISA recommendations, we advise you to work with technology providers that offer security products and services. Under resource constraints, reducing the security burden by migrating to secure cloud environments would also be a good decision.
For these reasons, technology adoption in schools should be wise. The primary value of every educational institution is not only knowledge but also students and educators. Physical security alone is no longer sufficient for keeping them safe. School administrators should also pay proper attention to cybersecurity. Virtual learning, educational apps, and scattered digital information are the factors raising the potential attack surface on education. As a result, the necessary cybersecurity measures must be implemented.
If you still have questions regarding cybersecurity in K-12 schools and school districts, please contact our Planet 9 team, and we’ll be happy to assist!