
This past August, the Center for Internet Security's Multi-State Information Sharing and Analysis Center (MS-ISAC), which serves state and local governments, reported that it expects an increase of as much as 86 percent in cybersecurity incidents aimed at K-12 school systems over the course of the current school year. Attacks on schools had already dramatically increased during the rush to distance learning as a result of the COVID pandemic. Having found some fairly easy targets, attackers are now piling on with threats like phishing schemes that can lead to ransomware, data theft and other criminal activity.

K-12 organizations almost never attract the highly sophisticated types of attacks used for stealing national secrets. However, they are regularly attacked by a plethora of hackers looking for a quick buck or, worse, wanting to steal the personally identifiable information of teachers, staff and especially young students with blank-slate credit histories ripe for exploitation.

Countering these rampant threats is especially difficult when factoring in one of attackers' most valuable victim profiles: children. Today's young students are growing up in a continually connected world, and the internet is integral to their lives. But digital natives aren't necessarily being taught the cyber hygiene practices needed to safeguard their home or school technologies. For schools, the risks are compounded by the increased number of personal devices being connected to the school network, where hidden threats can quickly spread. Once hackers gain a foothold in the system, poor cyber hygiene also improves their ability to move laterally and escalate privileges as they go, compounding the damage.

Consequently, it's very important for K-12 organizations to prioritize cyber hygiene practices that can help limit exposure from pervasive attacks. The following policies and actions will support schools' preparedness:

Make cyber-hygiene everyone's top priority.

A recent study by IBM shows that human error remains the main cause of 95 percent of cybersecurity breaches. That's especially hard to overcome when we are talking about the behaviors of children. A lot of attempted attacks can be thwarted by simple actions like:

  • Following prompt, effective patch management policies
  • Running regular scans to detect and eliminate open ports to the Internet
  • Making it impossible for users to select easy-to-guess passwords like "password" instead of complex combinations of random numbers, letters and symbols
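One way to enforce the last item at password-change time, as an added example that is not part of the original article: screen each candidate against a denylist after undoing the usual disguises (capitalization, character substitutions, trailing digits and symbols) and against words tied to the account. The function name, the sample denylist, the 12-character minimum and the school name are assumptions made for illustration.

```python
import re

# Constructed sample denylist; a real deployment loads a far larger list.
COMMON = {"password", "letmein", "qwerty", "welcome", "123456", "iloveyou"}

# Common character substitutions, undone before the denylist comparison.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12  # assumed policy value, not taken from the article


def screen_password(candidate, context=()):
    """Return the reasons a candidate is rejected; an empty list means accepted.

    context holds words an attacker would guess first for this account
    (username, school name, mascot).
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    lowered = candidate.lower()
    # "Password2024!" -> "password": drop a trailing run of digits and symbols.
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    forms = {lowered, lowered.translate(LEET), stripped.translate(LEET)}
    if forms & COMMON:
        reasons.append("common password")
    for word in context:
        if len(word) >= 4 and any(word.lower() in form for form in forms):
            reasons.append("contains " + word)
    return reasons


if __name__ == "__main__":
    # Constructed candidates, including a school name as a context word.
    for pw in ("password", "P@ssw0rd2024!", "Lincoln-Tigers-2022", "vT9#qLm2&xRw8!pZ"):
        print(pw, "->", screen_password(pw, context=("lincoln",)) or "accepted")
```
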

Good cyber-hygiene ultimately comes down to buy-in from every individual from the top down, promoting a culture that takes cyber threats seriously — and is willing to act.

Require multi-factor authentication (MFA).

Whether in the form of a one-time PIN sent to email or instant message, or proximity to a recognized device such as a smartphone, MFA offers an extra level of user verification.

Have a solid plan in place before an incident.

Train and drill staff on specific areas of responsibility and procedures for different "what if?" scenarios:

  • How to proceed in mitigating or remediating an incident
  • Whom to contact, and in what order
  • What not to do

Even with good cyber hygiene, mistakes still happen; attackers may still get in. So it is equally important to build up cyber resilience to defend against successful intrusions.

Create and test frequent backups.

In addition to regularly backing up data, it's also important to back up structures such as Active Directory, as well as the hardware housing the backups. Then test them at regular intervals to make sure they work reliably before you need them.

Consider running "chaos engineering" exercises.

Randomly shut down servers or data centers to test the response; if your detection systems fail to register a problem, then your preparations have failed. This will reveal where you need to improve.

Establish and nurture critical relationships.

It's good to have allies outside of your organization that you can reach out to in the event of an attack, including colleagues who can offer their material support and guidance.

The right technology stack is of course integral to implementing these best practices. Outdated technology stacks make it much harder to adequately perform these types of cyber resiliency actions. School districts need to leverage modern technology tools to effectively detect, resist and recover from attempted cyber attacks. Because product options can seem overwhelming, it's important to seek the right guidance to help you understand what those tools are, how they work and how to apply them most effectively.

Don't leave money on the table.

Fortunately, for the first time, there is now significant federal funding available to help K-12 organizations address their increased cybersecurity needs. These funds go well beyond limited E-rate basics. The $2.2T Coronavirus Aid, Relief, and Economic Security Act (CARES Act) provides emergency funding assistance that K-12 schools can use to advance their technology capabilities for distance learning and ensure continuity of operations. A strengthened cybersecurity posture is essential to that purpose. In particular, the Elementary and Secondary School Emergency Relief Fund (ESSER) was allocated as part of the CARES Act Education Stabilization Fund provision, tying directly back to addressing cybersecurity concerns. Other funding is available under the American Rescue Plan Act (ARPA) and the Coronavirus Response and Relief Supplemental Appropriations Act (CRRSA).

The pandemic clearly brought forward the need to focus on big problems like ransomware and bolstering cyber posture. Under these special funding programs, K-12 organizations can deploy needed solutions for little to no money coming from their existing budget. More information can be found on each Act's website.

These are temporary relief programs, so there is no time to wait. There has never been a more critical time to safeguard schools' and children's digital lives.