IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

CISA Offers Advice, Cybersecurity Resources for K-12

A new report and toolkit aims to help K-12 schools and school districts identify funding and low-cost resources, identify high-priority risk reduction steps and stay informed about emerging cyber threats and risks.  

A person working on a laptop with symbols like an open book, a graduation cap and a magnifying glass hovering above the keyboard.
As K-12 schools and districts struggle against cyber attacks, a new report and toolkit aim to provide practical advice for reducing their risks. The report comes from the Cybersecurity and Infrastructure Security Agency (CISA) and recommends steps like adopting certain impactful security measures, seeking grants and low-cost solutions and connecting with cyber information-sharing organizations.

Even small school districts with slim budgets are at risk, and it’s not just their own setups they need to worry about: during 2016-2021, 55 percent of K-12 school data breaches “were carried out on schools’ vendors,” according to the report, which cited data from the K12 Security Information eXchange (K12 SIX).

Some school districts lack full-time IT personnel, and many lack CISOs. Districts with cybersecurity staff may have little budget for professional development to keep skills fresh, and CISOs may struggle to get leadership buy-in, CISA found. Any investments intended to ease cyber needs also must be designated specifically for cybersecurity, to avoid funds being diverted into other, competing school priorities.

K-12 stakeholders often told CISA during roundtable and feedback sessions that they were overburdened with responsibilities they lacked the resources and time to meet, and that there was too much cyber information out there to easily sort through. The new report and toolkit seek to cut through the confusion.

SECURITY MEASURE PRIORITIES – THE BASICS


Certain steps can go a long way, and K-12 entities should:

  • Adopt multifactor authentication (MFA).
  • Patch, prioritizing actively exploited flaws listed on CISA’s Known Exploited Vulnerabilities Catalog.
  • Backup critical data and store the backups offline, where they’re disconnected from the operational network. Also: practice restoring from these backups.
  • Minimize exposure to common kinds of attacks. Free vulnerability scanning and advice on reducing attack surfaces can help.
  • Establish cyber awareness and training campaigns for all personnel, so everyone knows their part. Various resources can help with this effort.
  • Create a written cyber incident response plan and practice it. Find tips here and here.

NEXT-LEVEL SECURITY MEASURES


Once those are completed, organizations can plan for near-term improvements and

After, entities can look farther ahead and


FIND FUNDING


  • Find grants — like the State and Local Cybersecurity Grant Program — that can be used to fund K-12 cybersecurity.
  • Look for free and low-cost resources, like these.
  • Consider migrating identity services, email systems and other often-targeted systems from on-prem to the cloud, to improve resilience and reduce the security maintenance work required from staff. (But remember cloud brings its own security needs.)

DEMAND MORE SECURITY FROM VENDORS


  • During vendor procurement and contract renewal, push providers to offer MFA, logs and other security features by default, for no additional fees.
  • Learn how to securely configure new procurements, by reviewing products' hardening guides.
  • Work with other schools, ISAC members and CISA’s regional cybersecurity advisers to consider how to push vendors to improve the security of their offerings.

COLLABORATE AND SHARE INFORMATION


  • Keep alerted to new threats and vulnerabilities by joining or working with information-sharing groups like:
  • Connect with federal entities that can provide alerts and assist with cyber defense or response like:
Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where she'd specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.