Cyberattacks are now a daily threat to K-12 schools, but new guidance from the Federal Cybersecurity and Infrastructure Security Agency offers “simple, prioritized actions” schools can take to protect against these threats.

Recommendations include investing in “impactful security measures,” building a “mature cybersecurity plan,” leveraging different grant programs that reduce the cost of cybersecurity efforts, and collaborating to share information. .

The report comes more than a year after the K-12 Cybersecurity Act of 2021 was enacted. It established a K-12 cybersecurity initiative and asked CISA to release a report on risks facing K-12 schools, along with recommendations and resources. to help schools reduce risk and maintain resilient cybersecurity programs.

It also comes as cyberattacks on schools have increased in recent years, with schools’ use of technology increasing as cybercriminals become more sophisticated. More recently, the Des Moines paudience sschool districtthe largest in Iowa, was the victim of a cyberattack on January 9, which resulted in the shutdown of the district’s servers and the cancellation of classes for two days.

Keith Krueger, CEO of the nonprofit Consortium for School Networking, praised the report and its recommendations, calling it “a big step forward.” Krueger said he particularly liked the report’s suggestion to take advantage of available subsidy programs, such as the Federal Communications Commission’s E-Rate program..

CISA, through listening sessions with K-12 leaders, found that there was a shortage of cybersecurity professionals in K-12 institutions; there is a need for clear and easily adoptable guidelines; there is a need for centralized governance to help with resource allocation; and there needs to be more effective oversight and accountability.

To address these challenges, CISA recommended these key steps:

  • Implement effective security measures: This includes using multi-factor authentication, patching known security vulnerabilities, developing an incident response plan, and implementing a training and awareness campaign. It also means using CISA’s Cybersecurity Performance Goals and the National Institute of Standards and Technology’s Cybersecurity Framework.
  • Respond to resource constraints: States and districts can do this by taking advantage of the State and Local Cybersecurity Grant Program, which requires states or districts to create a cybersecurity planning committee to develop a cybersecurity plan. The report also suggests using the FCC’s E-rate program, which subsidizes telecommunications and broadband services for schools.
  • Prioritize collaboration: K-12 districts should join information-sharing forums, such as the Multistate Information Sharing and Analysis Center and the K-12 Security Information Exchange. Districts should also establish a relationship with their regional CISA advisor and the local FBI office.

Tony Dotts, the network systems administrator for Community High School District 99 in Illinois, said the recommendations seemed achievable.

The steps to secure K-12 district networks are “not always necessarily technical in nature,” Dotts said. “Things like the implementation [multi-factor authentication], while they have a technical side, a lot of that comes down to getting buy-in from your admin, superintendent, and others. Implementing the change is probably the most complicated piece than the technical aspects. »

For example, if a district already uses Google as their email system, they can easily implement multi-factor authentication because it’s already something Google offers, Dotts said. “A lot of it is just getting buy-in for procedural changes,” he added.

Doug Levin, national director of the K12 Security Information Exchange, a nonprofit that helps schools prevent cyberattacks, said he’s heard similar challenges from other technology leaders in the district.

“We repeatedly hear of school district IT leaders who try to do the right thing for their school communities and implement some of these protections, but then get blocked by their leadership who has other priorities. . [and] may not be willing to let anyone be inconvenienced, even though that inconvenience could be the difference between a ransomware incident or not,” Levin said.

The CISA report will hopefully help other K-12 district leaders, as well as policy makers, understand “the risks and risk mitigations that school districts really can and should.” put in place,” he added.

Although this is a landmark report, experts say there is still a long way to go to help the K-12 community.

Levin said he would have liked to see a “stronger call for additional resources” and funding, as well as a “call for a stronger role for the U.S. Department of Education,” which is supposed to play a role. to help keep school systems safe from cybersecurity threats, according to the Government Accountability Office.

Source link

Leave A Reply