The framework of recommendations is weighted, which means it allows users to see which steps they need to take first to prioritize the most crucial protections. With only 14 controls, or measures to reduce cyber risk, it is designed to distill school cybersecurity down to its most essential, up-to-date elements, according to school IT experts in a webinar this week.
The online event was hosted by Doug Levin, co-founder and national director of K12 SIX, a nonprofit focused on the unique cybersecurity needs of K-12 schools. During the webinar, Levin said the goal of the K12 SIX Essential Cybersecurity Protections is to help schools quickly pinpoint and implement the most beneficial cybersecurity measures.
“If we help folks to tackle these sort of baseline recommendations, we’re not going to stop 100 percent of the things that are happening to school systems, but we could be stopping 60, 70, 80 percent of them, and that’s important,” he said.
The guidelines were designed by and for K-12 IT leaders, Levin said, noting that they take into account the information K12 SIX collects on how school systems are attacked, along with input from organizations that range from the FBI to cybersecurity insurance providers.
K12 SIX first issued the framework in 2021 and updates it annually based on “threats of the day,” according to April Mardock, chief information security officer and cybersecurity manager for Seattle Public Schools. As chair of the Technical Working Group at K12 SIX, Mardock played a key role in developing the recommendations and was a speaker at Tuesday’s webinar.
“We’re focusing on those things that are essentially how the attackers get their foot in the door to, hopefully, help districts kind of dodge those big frontal attacks with the minimum resources and minimum tooling required to do so,” she said. “You know, it’s kind of crawl, walk, run. We’re at the crawl level, and I’m OK with that.”
RAISING THE BAR
What constitutes a “crawl” looks different each year. An implementation rubric for the framework scores specific cybersecurity measures across four levels of protection: at risk, baseline, good and better. Many of the changes to this year’s framework amount to a raising of the bar as far as what constitutes “good” or “better” versus “baseline.”
For example, the email authentication protocols SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are now considered baseline protections, along with the segmentation of student traffic, tamper protections to prevent antivirus controls from being turned off, restore testing, and MFA for vendors.
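Because SPF and DKIM now sit at the baseline level, a district IT team will want a quick way to confirm that its own domain actually publishes usable records. The checker below is an added example, not code from K12 SIX or from the webinar’s speakers, and it does not reproduce the framework’s rubric: the domain names, the TXT records and the two-level “baseline / at risk” verdict are constructed for illustration (a real check would query DNS instead of the `SAMPLE_TXT` dictionary). It parses an SPF record for the `all` qualifier and the RFC 7208 ten-lookup limit, parses a DKIM key record for a published key, and reports why a domain falls short.

```python
# Added example: an offline SPF/DKIM record sanity checker.
# Not part of the K12 SIX framework or its rubric; the domain names, TXT
# records and the two-level verdict below are constructed for illustration.
import re
from typing import Dict, List, Optional

# Constructed DNS TXT answers, keyed by owner name, standing in for live lookups.
SAMPLE_TXT: Dict[str, List[str]] = {
    "example-district.test": [
        "v=spf1 include:_spf.mailhost.test ip4:203.0.113.0/24 -all",
    ],
    "mail._domainkey.example-district.test": [
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructed",
    ],
    "weak-district.test": ["v=spf1 +all"],
    "revoked._domainkey.weak-district.test": ["v=DKIM1; k=rsa; p="],
}

# SPF mechanisms/modifiers that each cost a DNS lookup (RFC 7208 caps these at 10).
_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt: str) -> Optional[dict]:
    """Parse one TXT string as SPF; return None if it is not an SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in _LOOKUP_MECHS:
            lookups += 1
    return {"all_qualifier": all_qualifier, "dns_lookups": lookups}


def parse_dkim(txt: str) -> Optional[dict]:
    """Parse a DKIM key record (tag=value pairs separated by ';')."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "DKIM1").upper() != "DKIM1":   # v= is optional, defaults to DKIM1
        return None
    # An empty p= tag means the selector's key has been revoked (RFC 6376).
    return {"key_type": tags.get("k", "rsa"), "key_present": bool(tags.get("p"))}


def assess_email_auth(domain: str, selectors: List[str],
                      txt: Dict[str, List[str]] = SAMPLE_TXT) -> dict:
    """Summarise SPF/DKIM posture as 'baseline' or 'at risk', with reasons."""
    findings = []
    spf_records = [r for r in (parse_spf(t) for t in txt.get(domain, [])) if r]
    if not spf_records:
        findings.append("no SPF record published")
    elif len(spf_records) > 1:
        findings.append("multiple SPF records (evaluates as permerror)")
    else:
        spf = spf_records[0]
        if spf["all_qualifier"] in (None, "+"):
            findings.append("SPF does not reject unauthorised senders (missing or +all)")
        if spf["dns_lookups"] > 10:
            findings.append("SPF exceeds 10 DNS lookups (evaluates as permerror)")
    live_keys = 0
    for selector in selectors:
        for record in txt.get(f"{selector}._domainkey.{domain}", []):
            parsed = parse_dkim(record)
            if parsed and parsed["key_present"]:
                live_keys += 1
    if live_keys == 0:
        findings.append("no DKIM selector with a published key")
    return {"domain": domain,
            "level": "at risk" if findings else "baseline",
            "findings": findings}


if __name__ == "__main__":
    for domain, selectors in (("example-district.test", ["mail"]),
                              ("weak-district.test", ["revoked"])):
        result = assess_email_auth(domain, selectors)
        print(f"{result['domain']}: {result['level']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Swapping `SAMPLE_TXT` for a resolver call turns this into a scheduled self-check; the two findings it raises for the constructed `weak-district.test` (a `+all` SPF record and a revoked DKIM key) are the two ways a domain can appear to have the controls in place while still letting spoofed mail through.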
“We do MFA for our staff, a lot of us do, but we don’t always get around to taking care of the vendors, and they become a threat if their passwords get stolen,” Mardock said.
In addition, MFA for students has moved from a “better” practice to a “good” one as school IT professionals have seen a growing number of threats coming in through student accounts, according to Mike Potter, IT security analyst for the Northwest Regional Education Service District in Oregon. As a member of the K12 SIX Technical Working Group, Potter was another driving force behind the nonprofit’s framework and a speaker at the webinar this week.
During the event, he said he expects to see an increased focus on MFA for students, and that he would not be surprised if it becomes a requirement set forth by cybersecurity insurance providers. However, tackling this issue may be tricky given the recent wave of cellphone bans in schools.
“One easier way to deploy MFA is by using a smart device like that,” he said. “How do you do an MFA-type situation for a student account, especially if they don’t have the smart device to act as that second factor?”
A USER-FRIENDLY APPROACH
As school IT professionals continue to grapple with such issues, Levin said his hope is that the user-friendly nature of the K12 SIX Essential Cybersecurity Protections will help make their jobs easier. While the recommendations are designed to scaffold to more complex frameworks, there are only 14 controls to tackle here, with a weighted assessment system that will prioritize them according to factors such as impact and cost.
“Obviously, we think this is a great place to start,” Levin said. “But if you already have a mature program and you’re relying on another framework, taking a look at ours is a good way to sort of spot check your work and make sure you’re focused on some of the things that school systems across the country are struggling with.”
John LaPlante, president of the managed services company Vinson, said he tends to direct clients to the K12 SIX framework first due to both its impact and its ease of use. In fact, Vinson bases its own free cybersecurity tools for schools around these specific recommendations, LaPlante said during the webinar.
“We serve a lot of smaller school districts, and they don’t have the bandwidth. Even a CIS [Center for Internet Security] Implementation Group 1, that’s still 56 controls that they don’t have time to evaluate,” he said. “So the K12 SIX really gives them the confidence that they can get through a framework with 14 controls.”
Brad Hagg, educational technology director for the Indiana Department of Education, leader of the state’s cybersecurity task force and leader of the State Educational Technology Directors Association's cybersecurity collaborative, also spoke at the webinar about K-12 IT professionals feeling overwhelmed.
“There’s never enough time to get to everything, and what this set of tools really does that’s different from other cybersecurity frameworks is, it doesn’t overwhelm the IT professional when they pick it up and take a first look at it,” Hagg said. “It really does just get you out of the funk of just being paralyzed by the whole concept and really see that you can begin to take those small steps toward getting better each day, which we should all be trying to do.”