Education has been dealt a difficult hand over the past several years. The mass shift to virtual schooling during the pandemic upended systems in so many ways, and it shone a light on the aging infrastructure and technical deficits so many school districts struggle with. Not only did children and teachers have to be more flexible and resilient than ever, but districts also have been hammered by ransomware and other cyberattacks.
At the same time, schools aren’t always getting the right guidance for dealing with the increased cybersecurity threats. A Government Accountability Office (GAO) report released late last year found that the U.S. Department of Education’s current plan for addressing K-12 school threats needed updating and was primarily focused on mitigating physical threats. And that plan was issued in 2010–in terms of cybersecurity, that might as well be eons ago.
So, what should education IT leaders be doing? And what should they be on the lookout for?
What we’ve seen and what we expect
The unfortunate reality is that the disruptions and increased cyber threat activity caused by the pandemic in 2020 and 2021 will persist in 2022. There were a record-setting 408 publicly disclosed cybersecurity incidents in 2020 in the K-12 sector, across 40 states, according to the State of K-12 Cybersecurity: 2020 Year in Review. Numbers for 2021 are still being finalized, but given what we’ve seen in terms of ransomware and cyber incidents overall, we expect them to be even higher.
We’re early into 2022, but we’re already seeing schools across the country revert back to virtual learning as a result of the omicron variant. Those types of shifts can too often open up potential opportunities for bad actors to strike; cybercriminals have that “kick ‘em while they’re down” mindset. And we’ll continue to see cyber actors evolve their methods as needed to bypass or fool current cybersecurity efforts and continue being successful.
All of this means that districts and schools will really need to focus on transitioning the short-term actions they initially took – both to facilitate virtual learning and combat cyber risk – into longer-term and more strategic cybersecurity approaches.
Examining the GAO’s findings
The GAO found that the Department of Education’s guidance to schools needs revision because cyber risk continues to evolve. The report noted that the Department is responsible for developing and maintaining a sector-specific plan to address cybersecurity risks at K-12 schools, and for determining the need for sector-specific guidance.
The GAO has recommended the education department meet with CISA to devise the go-forward plan. And in late December, Joe Biden signed into law the K-12 Cybersecurity Act, which directs the Cybersecurity and Infrastructure Security Agency (CISA) to conduct a comprehensive study of the cybersecurity risks schools face and develop recommendations and resources for schools. That will include a survey and, ultimately, an online training tool kit.
This is constructive guidance and good foundational steps for the future. In the meantime, here are some recommendations as the bigger picture evolves.
Next steps for staying secure
It’s a huge task for the nation’s education leaders to provide accurate guidance and strategy for broad consumption. K-12 education leaders can get ahead by working on their local plans to:
- Examine their city or county district strategies and processes to address Denial of Service, including video conference disruptions
- Develop and exercise processes to isolate, eradicate and rebuild following a ransomware attack
- Educate teachers and students while providing tools for addressing business email compromises and email scams, including use of mail filtering tools.
Pulling all of this together in the turmoil of the pandemic is a challenge for the agencies and departments involved – not to mention the actual schools themselves, which are grappling with limited budgets, staffing shortages, and IT skills gaps (not to mention the overall cybersecurity skills shortage facing almost every industry).
However, schools need to improve cyber hygiene and security posture now. To provide our nation’s young learners with the full cybersecure and safe environments where learning flourishes, additional strategies are needed:
- Make security awareness training a priority. Every teacher and staff member should know how to identify phishing emails and know not to click on suspicious links. In addition, make sure you have tested, password-protected backups that are stored offline.
- Regularly update and patch your critical systems.
- You should also have web application firewalls in front of your learning management system and anything else that’s externally facing.
- Develop and test a comprehensive cybersecurity incident response plan — a guide that outlines the steps to manage incidents such as a ransomware attack. The plan should identify members of an incident response team and describe their roles and responsibilities.
- Deploy network firewalls and practice network segmentation to separate internet-facing applications from back-office applications. To help prevent email phishing, make sure you have anti-malware and anti-spam capabilities.
- Simple, automatic secure remote access that verifies who and what is on the network and secures application access no matter where students and teachers are located is helpful to enable secure learning-from-anywhere.
A fighting chance
Virtual learning, staff shortages, and increased cyberattacks: that’s a difficult environment in which to secure school networks. So, it’s incumbent upon K-12 schools to be proactive in the fight against cybercrime. Taking action now will give them a fighting chance against the bad actors ruthlessly seeking to attack their networks.
- 5 major education trends of 2024 - December 26, 2024
- Does AI think like your students? - December 25, 2024
- Building ethical AI usage in K-12 education - December 23, 2024