Cybersecurity in K-12 Institutions
Jeffrey W. Harris October 17, 2019
Cybersecurity is at the top of K-12 IT Directors’ priority list for the second year in a row. That is not surprising, since in 2018 the K-12 Cyber Incident Map cataloged 122 publicly disclosed cybersecurity incidents affecting 119 public K-12 education agencies across 38 states. The graph below shows that almost half (46.34%) of these reported incidents took the form of unauthorized disclosure or data breach.
Another big area of concern: the number of successful phishing attacks targeting school staff and "intended to redirect large payments from legitimate school contractors/partners to criminal accounts." The largest attack cost a Texas district about $2 million; additional strikes in school systems in Idaho, Louisiana, New Jersey and Texas cost those districts between $300,000 and $988,000.
As alarming as this sounds, the full truth is probably much more alarming. Having been a K-12 Technology Director myself, I believe that the total number of cyber incidents and the monetary effects are grossly underestimated. According to the National Center for Education Statistics, there were 132,853 K-12 schools in the United States in 2015/16. If we only consider incidents to be:
data breaches by hackers,
data breaches by unauthorized release,
malware that propagated to two or more machines,
ransomware that resulted in lost data or ransom paid,
denial of service attack, or
phishing/spear phishing/vishing/smishing/CEO Fraud/etc.,
then I think the true number of cyber incidents in one year would be in the tens of thousands.
Budget constraints and lack of resources continue to top the list as the number one challenge for K-12 IT leaders, as they have for six of the seven years, and this only compounds the problem of school districts staying ahead of, or at least on top of, cyber-attacks. K-12 institutions need to take cybersecurity seriously and provide enough staffing and funding to at least allow their technology departments to implement the core cybersecurity controls necessary to provide a basic level of protection:
1. Inventory and Control of Hardware and Software Assets
2. Patching of Operating Systems and Software
3. Password Security
4. Audit Logs
5. Anti-Malware/Antivirus
6. Network Equipment Configuration (deny all traffic and selectively allow as needed)
7. Data Backups
8. Protection of Sensitive Data in Transit and At Rest
9. Staff Training (password security, phishing)
10. Planning (Incident Response, Business Continuity, Incident Recovery)
Jeffrey W. Harris is an IT Consultant specializing in Fiber-Optic WAN Design and ERate, and can be reached at jeff@c1fiber.com.