The onset of the coronavirus pandemic set off a revolution in the classroom as teachers and students traded in textbooks for laptops and chalkboards for Zoom dial-ins, transitioning to what will soon be two years of remote and hybrid learning. While this increased use of technology transformed how teachers deliver instruction and students learn, it also significantly widened the cybersecurity threat landscape.

According to the K-12 Cyber Incident Map, in the 2020 school year alone, 408 reported cybersecurity incidents impacted 377 school districts across 40 states. This represents an 18% increase year-over-year and equates to a rate of more than two incidents per school day — and that’s just what was disclosed publicly. From ransomware to phishing attacks and student and staff data breaches, these attacks are not only becoming more commonplace, but also more sophisticated.

That’s why, on October 8, 2021, President Biden signed the K-12 Cybersecurity Act into law, establishing a timeline in which the Cybersecurity and Infrastructure Security Agency (CISA) would identify and address the cybersecurity issues K-12 school districts face.

Unaddressed at the national, state and local level, the consequences of these attacks include the potential leak of personally identifiable information (PII) of students and teachers and even the shutdown of school operations.

To combat cyberattacks, school districts not only need to increase their awareness and preparedness, but governments and businesses need to join forces to support districts via training, testing and tools to ensure rapid detection, appropriate response and minimal damage.

The national standard

Data from Statista shows that more than 50% of ransomware attacks succeed due to poor user education and practices. Cybersecurity is a complex, multi-faceted issue that requires preparing educators and students to effectively navigate.

When considering the elements of a cybersecurity toolkit, CISA should start by demystifying cybersecurity for teachers, students, caregivers and administrators. It's crucial that school security leaders increase basic understanding of the practical elements of cybersecurity via ongoing awareness training, testing and exercises to create a solid first line of defense at the user level. School districts should implement data governance, including data classification, retention and protection policies and procedures to better secure students’ and teachers’ PII. To help enforce these policies and oversee cybersecurity efforts, districts should appropriately resource and prioritize appointing a cybersecurity professional. This senior professional should be someone with an understanding of cybersecurity and also has practical experience in the field. Districts should also ensure yearly professional development for this position.

Such changes will not be easy, and school districts will need to approach the improvement of cybersecurity capabilities in phases, using a risk-based approach to account for the unique scenarios they may face, working to integrate security into the technology decisions being made. After prioritizing establishing district-based cybersecurity leadership, CISA can work with schools to establish an arsenal of necessary tools, processes, policies and/or people to address cyber threats and elevate each school’s resiliency. To keep this simple, CISA can use this arsenal to first focus on three buckets:

  1. Prevention and detection: Create active, uninterrupted barriers of protection aligned with the district’s digitalization strategy to help address cyber threats.
  2. Response: Mitigate or act quickly upon detecting cyber threats.
  3. Resiliency: Successfully recovering in a timely fashion in the case detection and response are rendered insufficient when mitigating threats.

By clearly defining how to prioritize potential cybersecurity threats, school districts will be able to better digest and implement the recommendations within their new toolkit.  

The long road ahead

For many years, K-12 schools were not necessarily a prime target for cybercrime, but that rapidly changed with the onset of the pandemic. Teaching and learning have grown to rely on technology and data as an essential component of learning. Preventing access to technology through cyber events adversely affects the primary charge of a school. Furthermore, schools store an abundance of important personal and financial information and often have unsophisticated safety measures, making them an easy and increasingly popular target.

The passage of the K-12 Cybersecurity Act puts us squarely on the path toward securing the emerging flexible education environments. The public and private sectors must continue to work together to develop and implement national standards for cybersecurity awareness and response at the K-12 level, while continuously reassessing the evolving threat landscape to ensure districts have the resources to keep students and schools safe from cyberattacks.