Necessary Learning: Cybersecurity Risk in Education

Cybercrime’s climb to prominence as an industry includes the specific targeting of, and successful attacks on, the education sector.

Recently, The Cybersecurity & Infrastructure Security Administration (CISA) published a report detailing five years of research and analysis of cybercrime’s impact on K-12 organizations as a requirement of the K–12 Cybersecurity Act of 2021.

The Findings

There’s a great need for resources and there lacked a singular, simple checklist focused on reducing and mitigating cybersecurity risk.

The top cyber concerns school districts should focus on tackling include:

• Multi-factor authentication (MFA)
• Mitigating known exploited vulnerabilities
• Backup systems
• Incident response plan formation and updating

Leadership, both school administrators and lawmakers, must make cybersecurity risk management a top priority. Budget constraints, as with any public need, remain a barrier. Creative approaches and partnerships will be needed to secure the necessary resources to address the growing threat against our school districts nationwide.

Obtaining the tools to combat the present problem will require working with technology providers to offer low-cost services and solutions, designed by default, to be secure. Pushing sensitive information and private data to cloud-based environments where trusted management can oversee and protect encrypted inputs is critical to the overall security posture of the nation’s education system.

Shared knowledge is a key and integral piece of the puzzle. No district is alone in the fight against cybercrime and no one should act as an island. Collaboration with other districts, local and abroad, will yield peer-reviewed best-practices. Outlets for this include the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the K12 Security Information eXchange (K12 SIX). By additionally establishing a direct relationship with CISA and the FBI, our nation’s districts will create safe, secure systems designed to protect staff, students, and suppliers alike.

The Recommendation

CISA will assist K-12 leaders in building, operating, and maintaining a manageable program by designing a checklist rooted in three key points:

1. Investment should be made to develop and deliver the most secure system possible.
2. The strain on resources must be recognized and reconciled.
3. A “best-practices” mentality connecting technology leaders with districts must be implemented.

By combining insight and intelligence from policymakers, business and industry leaders, and stakeholders within the K-12 landscape, administrators will have a detailed playbook to attack cybercrime.

First, to address the need for investing in the most secure systems possible, CISA recommends utilizing its Cross-Sector Cybersecurity Performance Goals (CPGs) to resolve short-term security concerns and leverage the NIST Cybersecurity Framework (CSF) for long-term implementation.

Second, resolving the resource constraint issue starts with working within a given state’s planning committee to tap into the State and Local Cybersecurity Grant Program (SLCGP). Short-term improvements can be made by partnering with local technology providers to access low-cost services enabled with default cybersecurity controls. Converting to cloud-based software and storage methods will lift the burden on localized IT staff and allow for easy migration of data and information to one monitorable, secure location.

Third, administrative and IT staff need to join shared-practices groups like MS-ISAC and K12 SIX. By partnering with other organizations (think-tanks, state legislative boards, local and regional agencies and associations), a refined approach will be forged. CISA and the FBI field offices provide access to cybersecurity personnel professionals to bolster and review formed plans.

The Solution Toolkit

With the guidance outlined above, CISA also published a toolkit of resources to help achieve the recommended actions and offers free cybersecurity training for the K-12 community.

You can access the Digital Toolkit page to view all resources and print the Toolkit as well.

Additional cybersecurity training and awareness tools may be considered to help staff and students learn to identify cybercrime types like phishing, smishing, and social engineering via real-world simulations. These tools can be used within the classroom as an effective means of learning to create an enhanced human firewall for both the present and the future. Phishing training and phishing simulations can improve overall security posture and reduce the risk of human error, thus mitigating the risk phishing and similar cyberthreat tactics present.