2020 is shaping up to be a doozy of a year for everyone. K-12 school districts, in particular, are going through a lot. From COVID-19 to remote learning to impending budget cuts, teachers, staff, student, and parents are finding ways to adapt to the times.
Through it all, much of everyone’s focus is on enabling learning continuity and accessibility. This focus is necessary, and with good reason, to achieve the mission of our school system and continue to work to prepare students for adulthood.
Out of this necessity, some of the focus on the less direct impacts on student achievement results have fallen by the wayside. Among them are the needs to secure sensitive information districts store and the need to monitor for cyber safety signals in school technology. In the crisis-induced shift to K-12 remote learning, many IT managers discovered that they lacked the visibility and control to manage cyber safety and security risks in a distributed cloud environment.
The problem has been there all along. COVID-19 made it obvious.
Decisions had to be made within the constraints of time and financial resources, and most of the resources went toward enabling as many students as possible in an astronomically short period of time. In accomplishing this, districts did an extraordinary job. But now, IT teams are taking this moment to begin looking at the long-term technology needs of their students, faculty, and staff through the lens of a potential hybrid learning environment. They’re taking the summer months to adjust to projects that will help their district monitor for student safety, secure sensitive information, and fulfill compliance requirements no matter where people are accessing school technology from.
To help K-12 IT teams in their planning, we’re taking a moment to look at the state of K-12 cyber safety and security in a series of blog posts, culminating in a live webinar on June 25. The goal is to help district IT leaders make sense of it all, learn from each other, and prepare for the 2020/21 school year as best they can.
The K-12 Cybersecurity Resource Center has been collecting publicly-disclosed cybersecurity incident data in the K-12 education industry since January 2016. The aim of this work is to draw attention to the emerging cybersecurity threats facing U.S. schools and to help inform district leaders and policymakers.
In February 2020, The K-12 Cybersecurity Resource Center released its annual The State of K-12 Cybersecurity report. Included in the report is a concerning, and disappointing, 3x increase in data incidents reported in 2019 compared to the year before. Here are some of the key findings.
The K-12 Cybersecurity Resource Center identified 348 publicly disclosed school incidents in 2019. As previously mentioned, that number is almost three times as many incidents as were publicly disclosed in 2018.
It’s important to note that many districts don’t report many cybersecurity incidents due to the sensitive nature of the data involved. So, while we can’t identify the exact number of incidents that took place in 2019, we do know that the number is significantly higher than 348. Types of cybersecurity incidents that impacted K-12 schools in 2019 include:
Unauthorized disclosure or breach of data incidents accounted for 60% of all cybersecurity incidents in 2019. Those data breaches primarily involved the unauthorized disclosure of student data. This is a continued trend from 2018, when data breaches were also the most common type of incident K-12 schools experienced.
Classifying incidents is a continuing challenge. In 2019, only 8% of attacks were classified as phishing attacks. However, cybercriminals leverage previously leaked credentials and contact information to wage successful attacks that include data breaches, malware, and ransomware attacks. These attacks have resulted in the theft of millions of taxpayer dollars.
The K-12 Cybersecurity Resource Center suggests a number of things that district leaders can do to improve their risk resistance in 2020 and beyond.
Doug Levin, Founder and President of The K-12 Cybersecurity Resource Center, creator of the K-12 Cybersecurity Incident Map, and author of the annual State of K-12 Cybersecurity report, will be the main presenter during our June 25 webinar: The State of K-12 Cybersecurity & Student Data Privacy. He’ll also be joined by two K-12 IT professionals for a panel discussion focused on trends, lessons learned, and planning for next school year.
The Consortium for School Networking (CoSN) is a well-known professional association for technology leaders in school systems nationwide. Their new report, The State of Ed Tech Leadership in 2020 provides many insights about how leaders in education are using technology and the challenges they face.
Cybersecurity is the number one priority for tech leaders in education for the third straight year. Other survey results show that 90% of districts have resources to monitor network security, and 69% say that their network security is proactive or very proactive. It’s also good to see that 77% of districts provide cybersecurity training to their IT staff. These are all encouraging improvements from previous years’ surveys.
On the other hand, it seems that cybersecurity risks are generally underestimated. For example, phishing attacks reached its highest level in the last three years, but only 49% of respondents rated it as a medium/high or high risk.
Only 5% of respondents think student data is at high risk, even though Levin’s data from The K-12 Cybersecurity Resource Center found that 60% of all cybersecurity incidents in 2019 involved unauthorized disclosure or breach of data. This tells us that, while 69% of IT leaders say their approach to network security is either proactive or very proactive, they need to do a better job of aligning perceived risk with actual threats and incidents.
Budget is a high hurdle for basically every school district. Particularly when it comes to investment in cybersecurity. While IT leaders identify cybersecurity as their number one priority, 60% of districts allocate less than 10% of their technology budget to it. This misalignment must be remedied if IT and administration leaders expect to be able to protect stakeholder identities, secure learning continuity, and defend taxpayer funds.
Another apparent area of confusion has to do with the cybersecurity impact of using cloud-based learning management systems (LMS) like Google Classroom and Microsoft Teams. The report indicates that 97% of schools are using LMS, but only 3% are using cloud-based cybersecurity technology. This gap is a big part of the reason why IT teams suddenly realized they were flying blind when entire districts shifted to remote learning. Without traffic traveling through building networks, system admins suddenly realized how much of a security and compliance gap their lack of cloud monitoring created.
All of the information regarding 2019 cyber safety and security discussed above was collected before the COVID-19 crisis shut down school buildings and districts transitioned to remote learning. So, where are we today? For the most part, it’s a bit too early to tell. But, there are some informative observations.
So far, we’ve mostly talked about the cybersecurity risks of remote learning in a COVID-19 world. But there are also student cyber safety incidents that have increased during this time. Many schools are dealing with the fallout of early Zoombombing incidents. Others have experienced cyber safety problems with Google Chat, Meet, Classrooms, and other communication and collaboration tools.
The social isolation of remote learning affects students that were already dealing with depression, anxiety, self-harm, thoughts of suicide, and/or abuse. Social tensions are also increasing incidents of cyberbullying and discriminatory behavior.
Looking at 2019 cyber safety and security through the lens of today, you see a problem that is increasing and will likely continue to do so. You also see that while in 2019 IT leaders indicated that cybersecurity was their number one priority, they’re not putting much of their budget toward addressing that priority, and in many cases, they’re underestimating the risks cyber attacks represent.
School district IT leaders will need to resolve some of the inconsistencies in how they handle cyber safety and security to protect their communities, especially in their summer projects and 2020/21 planning.