K–12 Schools Need a Cybersecurity-First Culture
True change always starts at the top, and it’s no different for K–12 institutions.
The K–12 Cybersecurity Act of 2021 charged the Cybersecurity and Infrastructure Security Agency with the task of providing recommendations for how these institutions can combat risk. The top finding from the resulting report: “Leaders must establish and reinforce a cybersecurity culture.”
In my own conversations with school boards, I’ve found that the people in charge of approving budgets and making decisions don’t have insight into the cyber risk their districts face.
Investments in cybersecurity often take a back seat to investments in other educational programs. However, the unfortunate reality is that these programs are impacted the most by cyber disruptions.
There can be no impactful education with the looming threat of a ransomware attack. The loss of learning following a cyberattack can range from three days to three weeks, with recovery time ranging from two to nine months, according to a recent report from the U.S. Government Accountability Office.
Top decision-makers must lose the mindset that cybersecurity is a last-minute conversation. K–12 institutions need a strong cybersecurity voice at the table when budgets are allocated and hiring decisions are made.
Schools often operate as islands, away from the rich sources of information shared in the broader cybersecurity community. To promote collaboration and bring IT staff into the fold, CISA recommends that schools participate in organizations like the Multi-State Information Sharing and Analysis Center and the K12 Security Information eXchange. These communities share best practices and offer peer support for K–12 security leaders.
How to Strengthen Cyber Hygiene in K–12 Environments
Many of the most damaging attacks start through neglect of simple cyber hygiene. Creating a cybersecurity-first culture should include strengthening best practices, and there are a few ways schools can start.
If your IT staff can implement multifactor authentication across the school’s systems, you’re pointed in the right direction. MFA provides an extra layer of defense that goes a long way toward hampering threat actors’ plans. Verizon’s latest Data Breach Investigations Report found that more than 80 percent of hacking-related breaches were caused by stolen or weak passwords.
Another simple best practice is to have a tool in place that continuously monitors for common vulnerabilities. Unpatched vulnerabilities are one of the biggest threats any organization faces. In fact, an organization is almost twice as likely to suffer a ransomware attack because of old, unpatched vulnerabilities as because of a newly discovered zero-day weakness. If K–12 IT departments focused on making sure these holes were patched, their attack surfaces would shrink considerably.
Schools should focus on strengthening the simple fundamentals of cyber hygiene and encourage the entire staff — not just the IT department — to learn what everyone can do to protect themselves.
These healthy cyber habits trickle down from top decision-makers in K–12 education. Districts need cyber experts who are able and willing to advocate for their districts and accurately report on their cybersecurity posture.
Administrators Can Plan a More Targeted Investment
K–12’s No. 1 issue when it comes to cybersecurity, due in part to the lack of a strong cybersecurity culture, is small budgets. It’s no surprise: Recent research reveals the average school allocates only 8 percent of its IT budget to security, and 20 percent of schools spend less than 1 percent on security. Other classroom priorities, such as new educational programs or technologies, almost always take precedence over cybersecurity spending.