Technology has revolutionized how we learn, teach, and manage educational institutions. K-12 school districts have increasingly embraced digital tools, online platforms, and data-driven systems to enhance the educational experience. However, this rapid digitalization has brought forth a new set of challenges, chief among them being the need for robust cybersecurity measures. SonicWall’s 2023 Cyber Threat Report found that ransomware attacks against K–12 schools in 2022 were up an alarming 827 percent over 2021.

As educational institutions store a wealth of sensitive information and rely heavily on interconnected systems, the importance of cybersecurity in K-12 school districts cannot be overstated. Unfortunately, the State of EdTech District Leadership 2022 report highlights that more than half of the IT professionals (52%) said their schools lack adequate staffing to support and protect teachers, while 77% of districts reported not having a full-time employee dedicated to network security.

The Growing Threat Landscape

K-12 school districts have become attractive targets for cyberattacks due to the sheer volume of valuable data they hold, ranging from personal student and staff information to financial records. These attacks can take various forms, including ransomware attacks that cripple school operations, data breaches that compromise personal information and distributed denial of service (DDoS) attacks that disrupt online learning platforms.

One might assume that K-12 institutions are not high-priority targets for cybercriminals compared to larger organizations or corporations. One would be wrong. This misconception overlooks the well-publicized vulnerabilities present in school networks. Known for limited IT resources and varying levels of cybersecurity awareness, schools can be seen as low-hanging fruit by opportunistic hackers.

In response to the cybersecurity needs of K-12, congress passed, and the president signed the K-12 Cybersecurity Act of 2021. This bill requires the Cybersecurity and Infrastructure Security Agency (CISA) to study the cybersecurity risks facing elementary and secondary schools and develop recommendations that include cybersecurity guidelines to assist schools in meeting those risks. CISA has published its ongoing work in Protecting Our Future: Partnering to Safeguard K-12 Organizations from Cybersecurity Threats.

On August 7, 2023, the federal government announced an additional $200 million in competitive grants over three years to help schools and libraries guard against cyber threats. Funding that will help schools to protect critical data and systems from cyber-attacks.

Data Privacy and Compliance

Protecting student and staff data is a moral obligation and a legal requirement. Laws in the United States, like the Family Educational Rights and Privacy Act (FERPA), mandate that educational institutions safeguard the privacy of student records. Failure to comply with these regulations can lead to severe penalties, including cease and desist orders, freezing federal funding, removing eligibility for federal funding, and employee or school investigations.

Educational data is a goldmine for cybercriminals, who can exploit this information for identity theft, financial fraud, or targeted phishing attacks. For example, theft of a student’s social security information might not be detected until years later when a student first goes to work. Therefore, robust cybersecurity measures are essential to meet legal obligations and maintain the trust of parents, students, and the community at large.

Disruption of Learning

The COVID-19 pandemic emphasized the importance of digital tools for remote learning. However, it also exposed vulnerabilities in school districts’ IT infrastructure. Instances of “Zoombombing,” where unauthorized individuals gained access to virtual classrooms to post inappropriate content and other disruptions, highlighted weak cybersecurity in many schools.

Downtime caused by cyberattacks can severely impact the learning process. According to the US General Accountability Office Critical Infrastructure Protection Report, “Officials from State and Local entities reported that the loss of learning following a cyberattack ranged from 3 days to 3 weeks, and recovery time could take anywhere from 2 to 9 months.

The financial impacts on schools can be broad. Officials reported monetary losses to school districts ranging from $50,000 to $1 million due to expenses caused by a cyber incident. Students may lose access to online coursework, while teachers might struggle to manage virtual classrooms effectively. This disruption affects academic progress and can lead to frustration and a loss of confidence in technology-mediated education.

Building a Cybersecure Educational Environment

1. Awareness and Training: Educators, administrators, and students require education about cybersecurity best practices. This instruction should include recognizing phishing attempts, creating strong passwords, and understanding the risks of sharing personal information online.

2. Conduct Risk Assessments: Cybersecurity audits or assessments can help to identify gaps in security controls, processes, training, and technology.

3. Third-Party Risk Evaluations: Software procured from 3rd party companies for use in K-12 should undergo rigorous security testing and a corresponding evaluation of the company’s cybersecurity processes before the release of software for use by schools within the district.

4. Identity & Access Management: Implementing identity and access management, including two-factor authentication, is essential to ensuring that authorized users can access only the required data to perform the function they need as administrators, teachers, students, and parents.

5. Robust Network Security: Implementing firewalls, intrusion detection systems, and regular security audits can fortify the school’s network against potential threats.

6. Regular Software Updates: Keeping all software, including operating systems and applications, up to date is crucial. Many cyberattacks exploit known vulnerabilities in outdated software.

7. Data Encryption: Sensitive data, both at rest and in transit, should be encrypted to prevent unauthorized access.

8. Incident Response Plan: A well-defined plan for responding to cyber incidents can minimize damage and downtime. This plan should include isolating affected systems, assessing the impact, and communicating effectively.

9. Backup and Recovery: Regularly backing up critical data and systems ensures the school can restore operations quickly, even if a cyberattack occurs.

Conclusion

Integrating technology in K-12 education brings numerous benefits but also exposes educational institutions to new and evolving cybersecurity threats. Safeguarding sensitive data, maintaining the trust of students and parents, and ensuring uninterrupted learning experiences all hinge on the implementation of robust cybersecurity measures. By prioritizing and investing in cybersecurity, K-12 school districts can create a safer and more secure digital environment that empowers students to learn and thrive in the digital age.

Understanding vulnerabilities and creating a cybersecurity roadmap to closing gaps is essential to protecting students, parents, and staff. School districts should rely on a structured approach to performing this evaluation using industry standards and the heuristic knowledge of experts in the industry. A cursory review by district staff is insufficient and will put critical data and systems at risk for compromise.

“Just as we expect everyone in a school system to plan and prepare for physical risks, we must now also ensure everyone helps plan and prepare for digital risks in our schools and classrooms,” Education Secretary Miguel Cardona said in a written statement. “The Department of Education has listened to the field about the importance of K-12 cybersecurity, and today we are coming together to recognize this and indicate our next steps.” We at CxO Expertise could not agree with Secretary Cardona more and stand ready to assist school districts in meeting the challenges they face. But school districts will need help in understanding both their cyber threats and gaps in their cybersecurity strategy. Engage our knowledgeable K-12 team of technology experts to architect required improvements to your cybersecurity strategy. Don’t become the next victim of a cyber-attack.

Richard Cocchiara is the former Chief Information Security Officer (CISO) for the largest school district in the country, the New York City Department of Education. He is a retired IBM Distinguished Engineer having spent over 30 years helping to minimize and mitigate IT risk at companies and government agencies around the world. He has been featured as a keynote speaker at numerous IT Risk conferences and has been published in several industry publications. He holds patents for IT risk evaluation methodologies.

Peter Quinn is the former Chief Information Officer (CIO) for the New York City Department of Education. He is also the former Chief Information Officer (CIO) for the State of Massachusetts. He is a seasoned six-time CIO, who excels in rectifying dysfunctional business and IT organizations, as well as turning around large-scale failing projects and programs. Mr. Quinn’s expertise extends across retail and commercial banking, credit card services, wealth management, mortgage servicing, mutual fund operations, corporate stock transfer, trust, insurance, and more, both domestically and internationally.