Dive Brief:
- A new report from the Consortium for School Networking analyzes trends in K-12 provisions in the close to 100 cybersecurity bills introduced in 27 states in 2020.
- Of the cybersecurity proposals, 10 pieces of legislation were passed into law in Alabama, Florida, Louisiana, Massachusetts and Virginia. Those addressing risks in K-12 in particular focused on cybersecurity instruction for students, technical assistance to schools, and investments for improvement in technology and professional development.
- At the federal level, another 10 proposals commonly focused on building a cyber workforce, expanding cybersecurity awareness and training, technology investment, and ongoing research into the K-12 cyber-landscape.
Dive Insight:
K-12 has become a top target for hackers in recent years due to the combination of high-value data available and the sometimes lax level of cybersecurity measures in place, commanding greater attention to the issue from lawmakers and policymakers. Even before the COVID-19 pandemic sent most schools into remote online instruction and created new risks, districts' technology adoption and the increasingly digital nature of classrooms were outpacing what budgets could allow when it comes to hiring personnel with cybersecurity expertise.
As of December, there had been around 1,110 publicly reported cybersecurity incidents in K-12 since 2016, according to The K-12 Cybersecurity Resource Center. Among them were disclosures of personal data, ransomware, phishing, denial-of-service and other types of incidents that led to school disruptions and unauthorized disclosures. Ransomware has been a particularly popular mode of cyberattack due to the likelihood that districts will pay ransoms to have access to student and personnel data restored quickly.
Security experts say steps districts can take to mitigate cybersecurity risks include:
- Maintaining a cybersecurity insurance policy.
- Regularly auditing cybersecurity preparedness.
- Regularly changing and strengthening passwords.
- Using two-factor authentication.
- Routinely backing up systems and keeping the backups offline, or "immutable."
- Evaluating tech inventory to eliminate unneeded internet-facing systems or servers.
- Regularly installing security updates and software patches.
While ransomware and data breaches dropped when the pandemic first hit, experts warned in June that the drop could reflect lulls in public reporting, or that incidents were still occurring and hadn’t been discovered.
They also cautioned that devices might not be as well-protected beyond school networks and could be compromised during home use, with malware “waiting” to activate once the device is reconnected to the school network. The FBI issued a warning last summer regarding remote desktop risks in K-12.