Attacks are happening at an escalating rate, according to CISA, with cyber incidents involving schools’ systems taking place across most states since 2018. In 2018, 400 incidents were reported, compared to 1,300 by 2021. The introduction of more technology in recent years due to the pandemic has brought heightened risks and consequences that can include monetary losses and learning disruption.
Under the K–12 Cybersecurity Act of 2021, CISA was directed to study cybersecurity risks for K-12 schools, create recommendations including cybersecurity guidelines, and examine the challenges schools face in securing information systems, among other tasks such as gathering stakeholder input on related matters. The agency consulted with teachers, principals, superintendents, school administrators and various federal and non-federal entities with experience in education.
Four primary points of concern emerged through the engagement efforts, including “significant resource and staffing challenges” associated with hiring cybersecurity professionals in the K-12 sector.
The majority of districts do not have a full-time cybersecurity staff member, and smaller local educational agencies (LEAs) do not always have even full-time information technology (IT) staff.
“Participants further noted that many cybersecurity staff who are currently employed by schools do not have up-to-date training or experience, in part due to limited resources for professional development. If a school is fortunate enough to have a security expert on staff, this individual may not get leadership support to implement critical controls such as multifactor authentication,” according to the report. “Participants further observed that many districts experience extreme disparity in talent availability and funding, with a clear divide between larger and smaller districts.”
Other findings include a desire for clear and actionable guidance, sample cybersecurity plans for adoption, prioritization of a centralized governance role in planning and advising on resource allocation, and more effective oversight and accountability.
The report provides recommendations for LEAs but notes that “change must come from the top down. Leaders must establish and reinforce a cybersecure culture. Information technology and cybersecurity personnel cannot bear the burden alone.”
Recommended first steps include the use of multifactor authentication, patch management, creating and testing backups, and creating training and awareness campaigns for users.
LEAs can recognize and address limits on their IT and cybersecurity capacity by working with their state planning committee to utilize the State and Local Cybersecurity Grant Program, using free or inexpensive services to make improvements, expecting and calling on technology providers to provide strong security controls by default at no cost, and minimizing “the burden of security by migrating IT services to more secure cloud versions.”
To address threats, vulnerabilities and risks, CISA advises LEAs to focus on collaboration and information sharing by joining collaborative groups like the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the K12 Security Information Exchange (K12 SIX); working with information-sharing organizations like state school safety centers or state or regional agencies and associations; and building a relationship with regional cybersecurity personnel from CISA and the Federal Bureau of Investigation. California is part of CISA’s Region 9.
“Going forward, CISA will continue to partner with the K-12 education community, and work with technology providers to encourage provision of free or low-cost security tools and products that are secure by default and design,” the report states. “Cybersecurity is a continuously evolving challenge. This report is only a first step toward an environment in which our nation’s schools are secure and resilient against cyber threats.”