Skip to main content
close search
site logo
Dive Brief

CISA: K-12 cybersecurity change falls on leaders, not just IT staff

Published Jan. 26, 2023
Anna Merod's headshot
Reporter
Image depicts the implementation of cybersecurity with a lock displayed over a screen.
The Cybersecurity and Infrastructure Security Agency released anticipated guidance to improve K-12 districts' cyberdefense. The report was mandated by Congress through the K-12 Cybersecurity Act of 2021. anyaberkut via Getty Images

Dive Brief:

  • Recognizing schools’ growing vulnerability to cyberthreats, the Cybersecurity and Infrastructure Security Agency released anticipated guidance Tuesday outlining recommendations on how districts can strengthen their cyberdefenses. The CISA report was mandated by Congress’ passage of the K-12 Cybersecurity Act of 2021, which requires the agency to report risks the K-12 sector faces in the cybersphere.
  • Among CISA’s key recommendations for school systems is taking meaningful steps in security investments, such as implementing multi-factor authentication and running a strong cybersecurity training program. District leaders should also work with peers and partners in the education space to raise awareness around the issue, the agency said.
  • K-12 leaders need to ensure cybersecurity is a bigger priority and use available grant programs to improve a district’s networks, CISA said. The agency’s report began with a message that these recommendations “must come from the top down” with leaders emphasizing a “cybersecure culture.” The burden to take on these changes cannot fall squarely on IT and cybersecurity staff alone, the guidance said.

Dive Insight:

Citing the nonprofit K12 Security Information Exchanges’ 2022 annual report, CISA noted that reported cyberattacks against school districts have increased from 400 in 2018 to an accumulated total of more than 1,300 incidents by 2021. 

On top of that, K-12 leaders typically have small budgets to commit to taking on these security threats.

A November report by the Multi-State Information Sharing and Analysis Center found the average school spends about 8% of its IT budget on cybersecurity measures. As CISA collected feedback through listening sessions with K-12 leaders, many stakeholders told the agency they were struggling with cybersecurity and IT staffing shortages. 

On Monday, the Maryland Office of the Inspector General for Education released more details about a 2020 ransomware attack that cost Maryland’s Baltimore County Public Schools over $9.6 million. The accumulated costs are tied to recovery efforts from the cyberattack, upgrades to the district’s system, and a switch to a new platform. 

The inspector general’s investigation said the incident originated from a phishing attack addressed to a school staff member. The email attachment could not be initially opened, and a district tech liaison found the email to be suspicious. However, when the tech liaison forwarded the message to a district IT contractor for help, the contractor accidentally opened the attachment with an unsecured Baltimore County schools email account. That action became the entry point for undetected malware into the district’s IT system, the investigation said.

Meanwhile, the Los Angeles Unified School District indicated to the California Department of Justice that last year’s major ransomware attack occurred earlier than initially reported — meaning the incident went undetected for a month. 

In an October report, the U.S. Government Accountability Office highlighted the lack of coordination on school cybersecurity between the U.S. Department of Education and CISA with other agencies and the K-12 community. 

According to CISA’s report, the new guidance is just one step the agency is taking toward improving school cybersecurity.

“Going forward, CISA will continue to partner with the K-12 education community, and work with technology providers to encourage provision of free or low-cost security tools and products that are secure by default and design,” the CISA report said.

Given the consistent amount of ransomware attacks impacting school districts nationwide, Doug Levin, national director of K12 Security Information Exchange, said in a statement that the CISA report was released “not a moment too soon.”

“This landmark federal report clearly and concisely communicates the cybersecurity challenge the U.S. K-12 education sector is facing and recommends common sense steps that stakeholders — including superintendents, school administrators, school board members, and state policymakers—can take to bring about needed change,” Levin said.

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Education Nonprofit Brings International Economics Olympiad to United States
From Certell, Inc.
November 12, 2024
Dallas Independent School District Approves CoderZ and RoboX For Pre-engineering and Robotics …
From Intelitek
November 05, 2024
Schools and Districts Nationwide Partner with TinkRworks to Engage Students in STEAM Project-B…
From TinkRworks
November 21, 2024
Salary Alone Not a Cause of Teacher Turnover; 43% of Educators Would Continue Teaching with Im…
From Study.com
November 16, 2024
Editors' picks
Latest in Technology
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell