In an effort to help protect K-12 educational institutions from an increasing rate of cyberattacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a new report with recommendations and resources to help K-12 IT professionals deal with their many security risks.
CISA’s new report, “Protecting Our Future: Partnering to Protect K-12 Organizations Against Cybersecurity Threats,” includes an overview of the current K-12 threat landscape and offers simple steps school IT managers can take to bolster their cybersecurity efforts.
The K-12 Cybersecurity Report comes as schools adopt more advanced networking technologies designed to facilitate learning and make schools more efficient and effective, but also introduce new cybersecurity risks. This leads to an increasing number of threat actors targeting K-12 establishments. The report comes after a year in which several high-profile ransomware attacks forced school districts to close while the attack was mitigated, such as in the case of the Los Angeles Unified School District.
Data included in the report shows how cyberattacks against the K-12 education community are increasing, and reported incidents have grown from around 400 in 20187 to over 1,300 in 2021. The reason is simple: Schools, school districts, educational technology vendors, and other entities have a lot of sensitive data about students and school employees.
However, participants in CISA listening sessions on cybersecurity in K-12 institutions say they lack the IT support, staff, and resources to sufficiently protect their systems.
“Participants noted that most districts do not employ full-time cybersecurity staff, and some smaller school districts may not even employ full-time IT staff,” the report said.
Additionally, K-12 schools staffed by cybersecurity experts say they can’t afford to pay for additional training or professional development. This problem becomes even worse in small school districts with very limited budgets.
In addition to other issues, schools say their existing IT staff are already overburdened with keeping school IT systems up and running and simply don’t have the time to build robust enterprise-grade cybersecurity programs.
CISA Director Jen Easterly said in a statement that keeping K-12 schools safe means they need to be better prepared.
“As K-12 institutions use technology to make education more accessible and effective, malicious cyber actors are working hard to try to exploit vulnerabilities in these systems, threatening our country’s ability to educate our children,” says Easterly. “Today’s report is a first step towards a stronger and safer cyber future for our nation’s schools, focusing on simple, high-priority actions schools can take to measurably reduce cyber risks.”
The K-12 Cyber Security Report includes a set of three key recommendations, including:
Invest in the most effective security measures and develop a mature cybersecurity plan by following these three steps:
- Implement the highest priority security controls.
- Prioritize other short-term investments in accordance with CISA’s comprehensive list of cross-industry Cybersecurity Performance Objectives (CPGs).
- Long-term, develop a single cybersecurity plan that leverages the NIST Cybersecurity Framework (CSF).
Recognize and actively address resource constraints:
- Work with the state planning committee to leverage the State and Local Cybersecurity Grant Program (SLCGP).
- Use free or low-cost services to provide short-term improvements in resource-limited settings.
- Expect technology vendors to enable strong security controls by default and at no additional cost.
- Minimize the security burden by migrating IT services to more secure cloud versions.
Emphasize collaboration and information sharing:
- Join relevant collaboration groups, such as MS-ISAC and K12 SIX.
- Work with other information-sharing organizations, such as fusion centers, public school safety centers, other national and regional agencies, and associations.
- Build a strong and lasting relationship with regional CISA and FBI cybersecurity personnel.
Read the report for more information.