CISA sends schools back to the classroom on security
Oy, teacher, protect those kids online
A report by the US government's Cybersecurity and Infrastructure Security Agency on security shortcomings at America's K-12 schools isn't good news.
The Protecting Our Future: Partnering to Safeguard K–12 organizations from Cybersecurity Threats study and its accompanying digital toolkit conclude that K-12 organizations, which cover American schoolchildren from the age of five up until graduation around the age of 18, are all suffering from a lack of resources, clarity, and prioritization of IT security needs.
To address those issues, CISA is recommending all K-12 districts invest in solving their most serious security shortcomings, identify and address resource constraints and work to build a collaborative threat sharing network.
Toss a rock at cybersecurity best practices and you'll probably hit some version of those same problems and solutions in other sectors, too. But schools, NIST said, are the most "important institution to the future prosperity and strength of the United States," so suck up those funding shortfalls, educators - you've a job to do.
Just one more problem for US schools
CISA said in its report that cyberthreats against schools have continued to escalate, rising from 400 reported incidents in 2018 to 1,300 in 2021. The US Information Sharing and Analysis Center (MS-ISAC), CISA said 29 percent of ISAC's member school districts reported falling victim to a cybersecurity incident last year.
The US Government Accountability Office separately reported last year that loss of learning following a cyberattack lost year ranged from three days to three weeks, while monetary losses per victim reached as high as $1 million. The GAO said that phishing, ransomware and DDoS attacks were the most common issues, while trolls disrupting video conferences has also been on the rise since the pandemic.
There are plenty of examples of attacks on educational institutions to cite, too, like a university-shuttering ransomware incident last year, a ransomware attack against Chicago Public Schools in 2021 that disclosed 500,000 student and faculty records, and various others.
- We're just shouting into the void, says US watchdog offering cybersecurity advice
- Finally, ransomware victims are refusing to pay up
- What keeps this FBI director up at night? China's AI work, for one
- Homeland Security, CISA builds AI-based cybersecurity analytics sandbox
Attacks targeting schools in the US have become so bad that the FBI, CISA and MS-ISAC even issued a joint advisory in September of last year warning that The Vice Society threat group appeared to be settling on the US education sector as its target of choice.
"School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable," the trio wrote in their advisory.
In other words, most of the schools in the country, as defined by CISA's report, fall into the "most vulnerable" category.
Familiar fixes make for easy improvements?
There's a lot of difference between a private-sector company and a school, but the solutions for the education sector's security shortcomings aren't any different from those CISA has recommended before.
CISA's high-priority fixes, for example, start off with one we've all heard: Implement MFA. After that, CISA said schools should address known security flaws, then perform and test backups. After that, schools should minimize exposure to common attacks, develop and rehearse an incident response plan and finally build a training and awareness campaign at all levels.
To address resource constraints, CISA said schools should apply for CISA and FEMA's State and Local Cybersecurity Grant Program, make use of free security tools, ask more of tech providers and minimize security burden by cutting on-prem services.
Resource sharing, CISA said, can be done by joining an organization like MS-ISAC, as well as making contact with local CISA and FBI cybersecurity representatives.
One final familiar bit of advice comes in the "caveat" CISA said it's issuing with the report: "change must come from the top down."
Per the agency, "leaders must establish and reinforce a cybersecure culture. Information technology and cybersecurity personnel cannot bear the burden alone," it said - again, echoing the same advice that applies to everyone. ®