State

K-12 schools get cybersecurity guidance from industry group

The national director of The K12 Security Information Exchange said "there’s a lack of cybersecurity standards in the K-12 space."

By Benjamin Freed

September 2, 2021

Several school districts around the U.S. have been hit with ransomware as a difficult school year begins. (Getty Images / Scoop News Group)

Worried that the new academic year will bring with it another wave of crippling ransomware attacks, a cybersecurity industry group recently issued a new set of guidelines aimed at improving the IT security postures of school districts that may not be mature enough to implement top-of-the-line practices, but still need to improve their defenses.

The K12 Security Information Exchange, or K12 Six, last month published recommendations for IT administrators in K-12 school districts, especially as their teachers and students are more dependent than ever on digital technology. The recommendations — which largely concern familiar steps like filtering emails, blocking malicious domains and implementing stronger identity practices — are meant as a “short list of actionable cybersecurity controls.”

“K-12 ransomware incidents are not trivial. They are rising,” Doug Levin, K12 Six’s national director and a former White House tech adviser, said during a webinar Tuesday.

Levin’s group reported in March that cyberattacks of all kinds — including ransomware — against K-12 schools and edtech vendors rose by 18% in 2020, fueled largely by the explosion of virtual learning brought on by the COVID-19 pandemic.

Since then, cyber incidents involving school districts have continued ratcheting up, often at great financial expense. A school district in Bexar County, Texas, last month acknowledged paying more than $547,000 to ransomware actors because officials felt they had “no other choice” in regaining access to encrypted systems and stopping the publication of stolen data.

But the broad guidelines that authorities publish — such as those by the National Institute of Standards and Technology and the nonprofit Center for Internet Security — often don’t address the needs or capabilities of school districts, which are frequently small and have few full-time IT staff, Levin said Tuesday.

“There’s a lack of cybersecurity standards in the K-12 space,” he said.

Even larger school districts with dedicated cybersecurity teams may need more tailored guidance.

“We’re not looking at the whole [NIST] cybersecurity framework,” April Mardock, chief information security officer of Seattle Public Schools, said during the webinar. “We’re looking at what we can do.”

The K12 Six recommendations align with elements of the NIST framework and CIS’s suite of 18 cybersecurity controls, though they’re listed as tiered options for “baseline,” “good,” and “better” security. The baseline for endpoint protection, for instance, recommends installing antivirus software on all devices issued to students and staff, which is a relatively low-cost measure with minimal impact on user experience, while the good and better recommendations involve more expensive tools, such as continuous endpoint detection and response monitoring.

Though ransomware actors target organizations across all sectors, attacks against school districts have been a growing concern for local and state government IT and cybersecurity leaders. The National Association of State Chief Information Officers backed recent federal legislation that would create an incident reporting registry for schools and a $10 million annual technology improvement fund aimed at improving K-12 cybersecurity.

Meanwhile, CIS, which runs the Multi-State Information Sharing and Analysis Center, says K-12 school organizations now make up one-quarter of the MS-ISAC’s membership. The organization also forecast last month an 86% increase in the number of cyber incidents against schools this coming year.