Important points:
- In the face of increasing cybersecurity attacks and threats, Congress has asked CISA to report on the risks and create a guide for K-12 educational institutions.
- Stakeholders expressed concern about the lack of resources and guidance to mitigate cybersecurity risks.
- CISA encourages K-12 organizations to take small, impactful steps to build cybersecurity, plan with budget constraints in mind, take advantage of partnerships, and collaborate with others.
- CISA has provided a variety of resources and tools to the K-12 community to support their efforts to strengthen cybersecurity.
Background
The adoption of new technologies, such as the rapid and unexpected shift to virtual learning due to the COVID-19 pandemic, exposes K-12 institutions to cyberattacks and threats. An increasing number of cyberattacks are not only jeopardizing student and family identities and school data, but also disrupting education.
In 2021, Congress passed the K-12 Cybersecurity Act. Under the Act, the Cybersecurity and Infrastructure Security Agency (CISA) must report on cybersecurity risks to elementary and middle schools and provide recommendations, including cybersecurity guidelines, to help schools develop policies and procedures to mitigate those risks. CISA published its final report (“Protecting Our Future: Partnering to Protect K-12 Organizations from Cybersecurity Threats”) in January 2023, along with an online toolkit.
Hearing from stakeholders
In assessing security risks and making recommendations, CISA engaged a number of stakeholders to gather insights into cybersecurity issues and possible solutions. The agency spoke with school administrators, superintendents, and other educational leaders. These stakeholders expressed various concerns and communicated the need for:
- Increased cybersecurity budgeting and support. Cybersecurity resource allocations will always compete with employment needs and other priorities, so cybersecurity funding should be allocated as such.
- Clear, actionable guidance and cybersecurity planning.
- Centralized governance in planning and advising on how to allocate cybersecurity resources.
- More effective oversight and accountability.
In light of this feedback, after analyzing different types of cybersecurity threats and attacks conducted against educational institutions, CISA’s final report outlines key findings and accompanying recommendations.
Key Findings and Recommendations
In its report, CISA issued three key findings along with their respective recommendations:
Key Finding 1. With limited resources, K-12 institutions can take several steps to significantly reduce cybersecurity risks.
- Recommendation: Invest in the most effective security measures and build towards a mature cybersecurity plan. CISA recommends the following course of action:
- Implement high priority security controls:
  - Utilize multi-factor authentication (MFA).
  - Fix known security flaws by keeping your systems patched.
  - Perform and test backups.
  - Minimize your exposure to common attacks.
  - Create and execute a cyber incident response plan.
- Prioritize short-term investments.
- Develop your own cybersecurity plan.
Key Finding 2. Many school districts suffer from a shortage of IT resources and cybersecurity capabilities.
- Recommendation: Recognize and proactively address resource constraints. CISA recommends the following course of action:
- Work with state planning commissions to take advantage of the State and Local Cybersecurity Grant Program (SLCGP).
  - The program will provide a total of $1 billion in grants to U.S. state, local, territorial and tribal governments over the next four years.
  - To participate, each state, territory, or district must establish a cybersecurity planning committee to coordinate, develop, and approve cybersecurity plans.
- Make short-term improvements to resource-constrained environments with free or low-cost services.
- Expect and encourage technology providers to enable strong security controls by default at no additional charge.
  - K-12 organizations should expect technologies used for key educational functions (learning management, student management systems, etc.) to have strong security controls enabled by default.
- Minimize your security burden by migrating your IT services to a more secure cloud version.
  - Most small organizations move away from on-premises systems because they cannot sustain the security and time commitments of running on-premises services.
Key Finding 3. K-12 entities cannot independently identify and prioritize emerging threats, vulnerabilities, and risks.
- Recommendation: Focus on collaboration and information sharing. CISA recommends the following course of action:
- Join relevant collaboration groups such as MS-ISAC and K12 SIX. Members receive critical alerts on current threats, risks, and vulnerabilities, as well as 24/7 access to free cyber tools, resources, services, and assistance, including threat incident analysis.
- Collaborate with other information-sharing organizations such as the Center for Integration, the State School Safety Center, other state and local agencies, and associations.
- Build strong and lasting relationships with CISA and FBI regional cybersecurity personnel.
CISA made clear that its engagement with the K-12 cybersecurity community extends beyond the publication of this report. The agency is committed to working with technology providers to encourage the provision of free or low-cost security tools and products that are secure by default and designed for K-12 educational institutions. This report is just the first step in building school communities that are increasingly resilient in the face of cybersecurity threats and cyberattacks.
We understand the challenges private schools face in this complex and competitive market and work closely with administrators and key stakeholders to respond to legislative or regulatory changes and prevent cyber breaches. We help manage complex and sensitive issues such as prevention and response strategies.