CISA Offers Advice, Cybersecurity Resources for K-12

As K-12 schools and districts struggle against cyber attacks, a new report and toolkit aim to provide practical advice for reducing their risks. The report comes from the Cybersecurity and Infrastructure Security Agency (CISA) and recommends steps like adopting certain impactful security measures, seeking grants and low-cost solutions and connecting with cyber information-sharing organizations.

Even small school districts with slim budgets are at risk, and it’s not just their own setups they need to worry about: during 2016-2021, 55 percent of K-12 school data breaches “were carried out on schools’ vendors,” according to the report, which cited data from the K12 Security Information eXchange (K12 SIX).

Some school districts lack full-time IT personnel, and many lack CISOs. Districts with cybersecurity staff may have little budget for professional development to keep skills fresh, and CISOs may struggle to get leadership buy-in, CISA found. Any investments intended to ease cyber needs also must be designated specifically for cybersecurity, to avoid funds being diverted into other, competing school priorities.

K-12 stakeholders often told CISA during roundtable and feedback sessions that they were overburdened with responsibilities they lacked the resources and time to meet, and that there was too much cyber information out there to easily sort through. The new report and toolkit seek to cut through the confusion.

SECURITY MEASURE PRIORITIES – THE BASICS

Certain steps can go a long way, and K-12 entities should:

• Adopt multifactor authentication (MFA).
• Patch, prioritizing actively exploited flaws listed on CISA’s Known Exploited Vulnerabilities Catalog.
• Backup critical data and store the backups offline, where they’re disconnected from the operational network. Also: practice restoring from these backups.
• Minimize exposure to common kinds of attacks. Free vulnerability scanning and advice on reducing attack surfaces can help.
• Establish cyber awareness and training campaigns for all personnel, so everyone knows their part. Various resources can help with this effort.
• Create a written cyber incident response plan and practice it. Find tips here and here.
  

NEXT-LEVEL SECURITY MEASURES

Once those are completed, organizations can plan for near-term improvements and

• Review CISA’s Cross-Sectors Cybersecurity Performance Goals (CPGs) list to identify — and start investing in — near-term efforts that will have the most impact for their organizations.
  

After, entities can look farther ahead and

• Over time, develop a cybersecurity plan for their organizations based on the NIST Cybersecurity Framework.
  

FIND FUNDING

• Find grants — like the State and Local Cybersecurity Grant Program — that can be used to fund K-12 cybersecurity.
• Look for free and low-cost resources, like these.
• Consider migrating identity services, email systems and other often-targeted systems from on-prem to the cloud, to improve resilience and reduce the security maintenance work required from staff. (But remember cloud brings its own security needs.)

DEMAND MORE SECURITY FROM VENDORS

• During vendor procurement and contract renewal, push providers to offer MFA, logs and other security features by default, for no additional fees.
• Learn how to securely configure new procurements, by reviewing products' hardening guides.
• Work with other schools, ISAC members and CISA’s regional cybersecurity advisers to consider how to push vendors to improve the security of their offerings.
  

COLLABORATE AND SHARE INFORMATION

• Keep alerted to new threats and vulnerabilities by joining or working with information-sharing groups like:
  
  • MS-ISAC
  • K12-SIX
  • Fusion centers
  • State school safety centers
• Connect with federal entities that can provide alerts and assist with cyber defense or response like:
  
  • CISA regional cybersecurity advisers
  • FBI field offices