By Matt Dascoli, Contributing Writer
The onset of the coronavirus pandemic set off a revolution in the classroom as teachers and students traded in textbooks for laptops and chalkboards for Zoom dial-ins, transitioning to two-plus years of remote and hybrid learning for many students. While this increased use of technology transformed how teachers deliver instruction and students learn, it also significantly widened the cybersecurity threat landscape.
According to the K-12 Cyber Incident Map, in the 2020 school year alone, 408 reported cybersecurity incidents impacted 377 school districts across 40 states. This represents an 18% increase year-over-year and equates to a rate of more than two incidents per school day — and that’s just what was disclosed publicly. From ransomware to phishing attacks and student and staff data breaches, these attacks are not only becoming more commonplace, but also more sophisticated.
That’s why, on October 8, 2021, President Biden signed the K-12 Cybersecurity Act into law, establishing a timeline in which the Cybersecurity and Infrastructure Security Agency (CISA) would identify and address the cybersecurity issues K-12 school districts face.
If left unaddressed at the national, state and local level, attacks on educational institutions can result in the leak of personally identifiable information (PII) of students and teachers, and even the shutdown of school operations.
Combating cyberattacks requires not only that school districts increase their awareness and preparedness, but also that governments and businesses join forces to support districts with training, testing and tools that ensure rapid detection, appropriate response and minimal damage.
Data from Statista shows that more than 50% of ransomware attacks succeed due to poor user education and practices. Cybersecurity is a complex, multi-faceted issue that educators and students must be prepared to navigate effectively.
Security leaders need to develop clear, simple recommendations that demystify cybersecurity and make it easy to take actions that improve cybersecurity posture. It’s crucial that school security professionals increase basic understanding of the practical elements of cybersecurity via ongoing awareness training, testing and exercises to create a solid first line of defense at the user level. School districts should implement data governance, including data classification, retention and protection policies and procedures, to better secure students’ and teachers’ PII.
To help meet recommended standards and oversee cybersecurity efforts, districts should appropriately resource and prioritize appointing a cybersecurity professional. This senior professional should be someone with an understanding of cybersecurity and practical experience in the field. Districts should also ensure yearly professional development for this position.
Such changes will not be easy. School districts will need to improve their cybersecurity capabilities in phases, using a risk-based approach that accounts for the unique scenarios they may face and integrating security into the technology decisions being made. After prioritizing district-based leadership, schools should focus on three buckets:
By clearly defining how to prioritize potential cybersecurity threats, school districts can better digest and implement the recommendations within their new toolkit.
For many years, K-12 schools were not necessarily a prime target for cybercrime, but that rapidly changed with the onset of the pandemic. Teaching and learning have grown to rely on technology and data as essential components. Cyber events that prevent access to technology adversely affect the primary charge of a school. Furthermore, schools store an abundance of important personal and financial information and often have unsophisticated safety measures, making them an easy and increasingly popular target.
The passage of the K-12 Cybersecurity Act puts us squarely on the path toward securing the emerging flexible education environments. The public and private sectors must continue to work together to develop and implement national standards for cybersecurity awareness and response at the K-12 level, while continuously reassessing the evolving threat landscape to ensure districts have the resources to keep students and schools safe from cyberattacks.