In an effort to help protect K-12 educational institutions from an increasing rate of cyberattacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a new report with recommendations and resource to help K-12 IT professionals address their plentiful security risks.
CISA’s new report, “Protecting Our Future: Partnering to Safeguard K–12 organizations from Cybersecurity Threats,” includes insight into the current K-12 threat landscape and offers simple steps school IT leaders can take to strengthen their cybersecurity efforts.
The report on K-12 cybersecurity comes as schools adopt more advanced networking technologies designed to facilitate learning and make schools more efficient and effective, but are also introducing new cybersecurity risks. This is leading to an increasing number of threat actors targeting K-12 institutions. The report comes after a year in which several high-profile ransomware attacks forced school districts to shut down while the attack was mitigated, such as the case of the Los Angeles Unified School District.
Data included in the report shows how cyberattacks against the K-12 education community are increasing, and reported incidents have increased from about 400 in 20187 to over 1,300 in 2021. The reason is simple: schools, school districts, educational technology vendors and other entities have a lot of sensitive data on students and school employees.
However, participants in CISA’s listening sessions on cybersecurity in K-12 institutions say that they lack the IT support, staff and resources to sufficiently protect their systems.
“Participants noted that most districts do not employ full-time cybersecurity personnel, and some smaller school districts may not even employ full-time IT staff,” the report says.
Further, those K-12 schools with cybersecurity experts on staff say they can’t afford to pay for additional training or professional development. This issue becomes even worse at smaller school districts with very limited budgets.
In addition to other issues schools say their existing IT personnel are already overburdened with keeping school IT systems operational and simply don’t have the time to build robust enterprise-grade cybersecurity programs.
CISA Director Jen Easterly says in a statement that ensuring the safety of K-12 schools means that they must be better prepared.
“As K-12 institutions employ technology to make education more accessible and effective, malicious cyber actors are hard at work trying to exploit vulnerabilities in these systems, threatening our nation’s ability to educate our children,” Easterly says. “Today’s report serves as an initial step towards a stronger and more secure cyber future for our nation’s schools, with a focus on simple, prioritized actions schools can take to measurably reduce cyber risk.”
The K-12 cybersecurity report includes a set of three key recommendations, including:
Invest in the most impactful security measures and build toward a mature cybersecurity plan by taking these three steps:
- Implement highest priority security controls.
- Prioritize further near-term investments in alignment with the full list of CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).
- Over the long-term, develop a unique cybersecurity plan that leverages the NIST Cybersecurity Framework (CSF).
Recognize and actively address resource constraints:
- Work with the state planning committee to leverage the State and Local Cybersecurity Grant Program (SLCGP).
- Utilize free or low-cost services to make near-term improvements in resource-constrained environments.
- Expect and call for technology providers to enable strong security controls by default for no additional charge.
- Minimize the burden of security by migrating IT services to more secure cloud versions.
Focus on collaboration and information sharing:
- Join relevant collaboration groups, such as MS-ISAC and K12 SIX.
- Work with other information-sharing organizations, such as fusion centers, state school safety centers, other state and regional agencies, and associations.
- Build a strong and enduring relationship with CISA and FBI regional cybersecurity personnel.
Read the report for more information.