Shielding Our Schools: A Step-by-Step Guide to Improving Cyber Security in K-12 Education
Security solutions in educational institutions are more important now than ever.
Prevalence and Nature of Cyber Attacks: Schools are “Target-Rich and Cyber Poor”
Did you know that there were more than 7.6 million malware attacks on kindergarten-12th grade classroom devices in the last 30 days? Education is the most affected industry when it comes to cyberattacks, with the next most affected industry being retail and consumer goods. They have experienced approximately 900,000 malware attacks in the same period. According to the Cybersecurity & Infrastructure Security Agency (CISA), schools and districts across the nation are considered “target-rich, cyber poor” due to the lack of protection and the wealth of information they store. This includes personal details about students, families, teachers, and support staff.
K-12 schools have increasingly become targets for cyberattacks, including ransomware, phishing, denial-of-service (DDoS), and video conferencing disruptions. These attacks can cause significant interruptions in educational activities, result in the loss of sensitive data, and incur substantial financial costs to mitigate the damage. The rise in cyber threats, particularly ransomware, is driven by the digital expansion in schools, the adoption of cloud-based systems, and the reliance on technology for both in-person and remote learning. The complexity and frequency of these attacks underscore the urgent need for robust cybersecurity measures in the education sector.
Consequences of Cybersecurity Breaches
The impact of cyber attacks on schools is far-reaching. Beyond the immediate disruption to educational services, these incidents can compromise the personal information of students and staff, potentially leading to identity theft and financial fraud. High-profile cases, such as the ransomware attack on the Los Angeles Unified School District, underscore the severe consequences of cybersecurity breaches, where sensitive data was exposed publicly, intensifying the pressure on affected institutions.
Current Measures and Recommendations for Security Solutions
Efforts to bolster cybersecurity in K-12 schools have been substantial but remain inconsistent across districts. The Cybersecurity and Infrastructure Security Agency (CISA) and other bodies emphasize the importance of investing in effective cybersecurity measures. They recommend that districts prioritize the most impactful security investments to develop a long-term cybersecurity plan. Despite challenges such as limited budgets, resources, and technical expertise, schools can take immediate steps to improve their cybersecurity posture. Implementing these key recommendations from CISA can help schools better protect their sensitive data, systems, and networks from cyber threats:
- Implement Multi-Factor Authentication (MFA):
Multi-factor authentication (MFA) enhances security by requiring users to provide multiple forms of identification before accessing systems or data. This aids in significantly reducing the risk of unauthorized access to sensitive information like student records, financial data, and administrative systems. Educating staff, students, and parents about the importance and effective use of MFA is essential. The National Institute of Standards and Technology (NIST) recommends changing passwords once per year unless there is an immediate threat. Frequent password changes can lead to minor, predictable alterations, making accounts more vulnerable. Annual password changes encourage the creation of entirely new passwords, improving security. - Mitigate Known Exploited Vulnerabilities:
Regularly update and patch software, operating systems, and network devices to address known vulnerabilities. Conducting vulnerability assessments and penetration testing to identify weaknesses in the school’s IT infrastructure will minimize the risk of exploitation by malicious actors. - Implement and Test Backups on Your Security Systems:
Regularly backing up critical data, including student records, financial information, and administrative documents, will ensure continuity of operations in the event of a cyber incident. Store backups securely and offline to prevent them from being compromised in the event of a ransomware attack or other cyber threats, and test backup systems and procedures regularly to verify data integrity and the ability to restore systems and services effectively in case of a cyber emergency. - Regularly Exercise an Incident Response Plan:
Develop a comprehensive incident response plan that outlines roles, responsibilities, and procedures for responding to cybersecurity incidents such as data breaches, malware infections, and phishing attacks. Conduct tabletop exercises and simulations to test the effectiveness of the incident response plan. Ensure that staff members are prepared to respond quickly and efficiently in the event of a cyber incident. Regularly reviewing and updating the incident response plan based on lessons learned from exercises and real-world incidents will improve the school’s cyber resilience. - Implement a Strong Security Training Program:
Ensuring that teachers, support staff, and students/parents have a general knowledge of cybersecurity is vital. Provide cybersecurity awareness training to staff, students, and parents about threats like phishing, social engineering, and malware. Emphasize good cyber hygiene, such as strong passwords, avoiding suspicious links, and promptly reporting security incidents. Offer specialized training for IT staff and administrators to ensure they can implement and maintain effective cybersecurity measures.
Free resources and training to help teachers, support staff, students, and parents protect themselves and the school or district can be found here:
The National Cybersecurity Alliance
The National Initiative for Cybersecurity Careers and Studies
Common Sense Education
My Cyber Hygiene
Using Artificial Intelligence (AI)
With the growing use of public generative AI applications like ChatGPT, Bard, and Claude, schools and districts must understand the difference between public and private AI. The International Association of Privacy Professionals (IAPP) warns that information entered into public generative AI applications becomes public, risking the exposure of sensitive data. Conversely, using private AI applications allows schools to control data more effectively. When using private AI, schools must implement IT best practices, including encrypting data, securing it with multi-factor authentication, and adding protections such as auditing and tracking to safeguard students’, parents’, and teachers’ information.
Leveraging State and Federal Resources to Improve Cybersecurity Posture
K-12 schools can improve their cybersecurity by using state and federal resources like guidance documents, training programs, and cybersecurity frameworks. Staying updated on regulations, guidelines, and best practices from state education departments, federal agencies like CISA, and industry organizations is crucial. Collaborating with other schools, districts, and educational organizations fosters a community-driven approach to cybersecurity resilience.
Schools should also utilize cybersecurity grants and funding from state and federal governments, as well as private organizations, to support their cybersecurity efforts. Here are some grant opportunities:
- State and Local Cybersecurity Grant Program (SLCGP): Administered by DHS, this program funds state and local governments to enhance cybersecurity, which K-12 schools can access through local government partnerships.
- CISA Grants: CISA offers various grants for cybersecurity initiatives, including those for education.
- Department of Education Grants: The U.S. Department of Education provides grants for technology and infrastructure improvements, including cybersecurity.
- State-specific Grants: Many states offer their own cybersecurity grants for schools. Schools should check with their state departments of education or other relevant agencies.
By exploring these opportunities, K-12 schools can secure funding to enhance their cybersecurity.
Moving Forward
To address cybersecurity, K-12 schools must educate and raise awareness among students, teachers, staff, parents, and administrators. Providing cybersecurity training, emphasizing good cyber hygiene, and encouraging prompt incident reporting fosters transparency and accountability. Building a strong cybersecurity culture requires commitment and involvement from everyone, promoting shared responsibility for data protection. Integrating cybersecurity principles into the curriculum empowers students to navigate the digital world safely. As cyber threats evolve, schools must continuously update practices to ensure safety and privacy.