A look at the state of K-12 cyber safety & security in 2019 and today
2020 is shaping up to be a doozy of a year for everyone. K-12 school districts, in particular, are going through a lot. From COVID-19 to remote learning to impending budget cuts, teachers, staff, student, and parents are finding ways to adapt to the times.
Through it all, much of everyone’s focus is on enabling learning continuity and accessibility. This focus is necessary, and with good reason, to achieve the mission of our school system and continue to work to prepare students for adulthood.
Out of this necessity, some of the focus on the less direct impacts on student achievement results have fallen by the wayside. Among them are the needs to secure sensitive information districts store and the need to monitor for cyber safety signals in school technology. In the crisis-induced shift to K-12 remote learning, many IT managers discovered that they lacked the visibility and control to manage cyber safety and security risks in a distributed cloud environment.
The problem has been there all along. COVID-19 made it obvious.
Decisions had to be made within the constraints of time and financial resources, and most of the resources went toward enabling as many students as possible in an astronomically short period of time. In accomplishing this, districts did an extraordinary job. But now, IT teams are taking this moment to begin looking at the long-term technology needs of their students, faculty, and staff through the lens of a potential hybrid learning environment. They’re taking the summer months to adjust to projects that will help their district monitor for student safety, secure sensitive information, and fulfill compliance requirements no matter where people are accessing school technology from.
To help K-12 IT teams in their planning, we’re taking a moment to look at the state of K-12 cyber safety and security in a series of blog posts, culminating in a live webinar on June 25. The goal is to help district IT leaders make sense of it all, learn from each other, and prepare for the 2020/21 school year as best they can.
The K-12 Cybersecurity Resource Center has been collecting publicly-disclosed cybersecurity incident data in the K-12 education industry since January 2016. The aim of this work is to draw attention to the emerging cybersecurity threats facing U.S. schools and to help inform district leaders and policymakers.
In February 2020, The K-12 Cybersecurity Resource Center released its annual The State of K-12 Cybersecurity report. Included in the report is a concerning, and disappointing, 3x increase in data incidents reported in 2019 compared to the year before. Here are some of the key findings.
K-12 Cybersecurity Incidents
The K-12 Cybersecurity Resource Center identified 348 publicly disclosed school incidents in 2019. As previously mentioned, that number is almost three times as many incidents as were publicly disclosed in 2018.
It’s important to note that many districts don’t report many cybersecurity incidents due to the sensitive nature of the data involved. So, while we can’t identify the exact number of incidents that took place in 2019, we do know that the number is significantly higher than 348. Types of cybersecurity incidents that impacted K-12 schools in 2019 include:
- Student and staff data breaches
- Ransomware and other malware outbreaks
- Phishing attacks and other social engineering scams
- Denial-of-service attacks
Unauthorized disclosure or breach of data incidents accounted for 60% of all cybersecurity incidents in 2019. Those data breaches primarily involved the unauthorized disclosure of student data. This is a continued trend from 2018, when data breaches were also the most common type of incident K-12 schools experienced.
Classifying incidents is a continuing challenge. In 2019, only 8% of attacks were classified as phishing attacks. However, cybercriminals leverage previously leaked credentials and contact information to wage successful attacks that include data breaches, malware, and ransomware attacks. These attacks have resulted in the theft of millions of taxpayer dollars.
K-12 Cybersecurity Lessons for 2020 and Beyond
The K-12 Cybersecurity Resource Center suggests a number of things that district leaders can do to improve their risk resistance in 2020 and beyond.
- Invest more in IT security capability tailored to school districts. Placing a Chief Information Security Officer in every school district isn’t feasible, but districts can provide school IT staff with training and ongoing development such as the Certified Information Systems Security Professional (CISSP) certification. Districts can also benefit from central support at the regional, state, or national levels. For example, there are managed security service providers who specialize in providing customized solutions for K-12 leaders who could be a central source of support.
- Enact regulations to require baseline practices. Right now, school districts and their vendors aren’t held accountable under federal or many state laws for implementing even the most basic cybersecurity systems, or for reporting incidents. Besides that, districts don’t all follow one standard set of best practices against which they could be measured. It’s critical to establish clear expectations for all districts and vendors and to provide resources to help districts comply. In many states, there is a change in the wind when it comes to securing district data and reporting on incidents. There has been some level of federal activity in this area as well.
- Support K-12 cybersecurity information sharing and research. Formal sharing among school district IT leaders can help schools prioritize cybersecurity projects, respond to emerging threats, and develop a set of best practices. Research on the challenges school districts face and the most cost-effective solutions is necessary to define those risks and solutions accurately.
- Invest in K-12 specific cybersecurity tools. Cybersecurity vendors need to develop products specifically for K-12 education. Those products need to take into account unique requirements, budget restrictions, and the sometimes limited level of cybersecurity expertise that district IT staff possess.
Doug Levin, Founder and President of The K-12 Cybersecurity Resource Center, creator of the K-12 Cybersecurity Incident Map, and author of the annual State of K-12 Cybersecurity report, will be the main presenter during our June 25 webinar: The State of K-12 Cybersecurity & Student Data Privacy. He’ll also be joined by two K-12 IT professionals for a panel discussion focused on trends, lessons learned, and planning for next school year.
2019 Cyber Safety and Security: The State of IT Leadership
The Consortium for School Networking (CoSN) is a well-known professional association for technology leaders in school systems nationwide. Their new report, The State of Ed Tech Leadership in 2020 provides many insights about how leaders in education are using technology and the challenges they face.
Cybersecurity is the number one priority for tech leaders in education for the third straight year. Other survey results show that 90% of districts have resources to monitor network security, and 69% say that their network security is proactive or very proactive. It’s also good to see that 77% of districts provide cybersecurity training to their IT staff. These are all encouraging improvements from previous years’ surveys.
On the other hand, it seems that cybersecurity risks are generally underestimated. For example, phishing attacks reached its highest level in the last three years, but only 49% of respondents rated it as a medium/high or high risk.
Only 5% of respondents think student data is at high risk, even though Levin’s data from The K-12 Cybersecurity Resource Center found that 60% of all cybersecurity incidents in 2019 involved unauthorized disclosure or breach of data. This tells us that, while 69% of IT leaders say their approach to network security is either proactive or very proactive, they need to do a better job of aligning perceived risk with actual threats and incidents.
Budget is a high hurdle for basically every school district. Particularly when it comes to investment in cybersecurity. While IT leaders identify cybersecurity as their number one priority, 60% of districts allocate less than 10% of their technology budget to it. This misalignment must be remedied if IT and administration leaders expect to be able to protect stakeholder identities, secure learning continuity, and defend taxpayer funds.
Another apparent area of confusion has to do with the cybersecurity impact of using cloud-based learning management systems (LMS) like Google Classroom and Microsoft Teams. The report indicates that 97% of schools are using LMS, but only 3% are using cloud-based cybersecurity technology. This gap is a big part of the reason why IT teams suddenly realized they were flying blind when entire districts shifted to remote learning. Without traffic traveling through building networks, system admins suddenly realized how much of a security and compliance gap their lack of cloud monitoring created.
COVID-19 Cyber Safety and Security Insights
All of the information regarding 2019 cyber safety and security discussed above was collected before the COVID-19 crisis shut down school buildings and districts transitioned to remote learning. So, where are we today? For the most part, it’s a bit too early to tell. But, there are some informative observations.
- Cybersecurity attacks are ongoing. As of May 13, 2020, there were 84 publically disclosed attacks in K-12 school districts in 2020. It’s too early to tell if this year will see more incidents than there were in 2019, but the smart money says there will be an increase.
- The COVID-19 crisis has slowed reporting and cybersecurity focus. IT teams are busy with implementing remote learning needs like devices, accessibility, and new learning apps. They’re not spending much of their time on cybersecurity. It’s most likely that incidents are going either unreported or (worse) unnoticed.
- K-12 IT teams don’t have proper cloud security tools in place. Cloud security is critical to monitor for and detect cyber incidents in district cloud apps, like G Suite for Education and Microsoft 365. Most districts are still only using network-based firewalls, rather than focusing on a multi-layered cybersecurity infrastructure that includes cloud security monitoring. This issue is a likely contributor to the lack of 2020 cyber incident data.
- Many K-12 IT leaders are now dreading the return to the classroom. When classrooms reopen, IT teams fear the tsunami of malware-infected personal or school-issued devices that may gain access to their network.
So far, we’ve mostly talked about the cybersecurity risks of remote learning in a COVID-19 world. But there are also student cyber safety incidents that have increased during this time. Many schools are dealing with the fallout of early Zoombombing incidents. Others have experienced cyber safety problems with Google Chat, Meet, Classrooms, and other communication and collaboration tools.
The social isolation of remote learning affects students that were already dealing with depression, anxiety, self-harm, thoughts of suicide, and/or abuse. Social tensions are also increasing incidents of cyberbullying and discriminatory behavior.
Looking at 2019 cyber safety and security through the lens of today, you see a problem that is increasing and will likely continue to do so. You also see that while in 2019 IT leaders indicated that cybersecurity was their number one priority, they’re not putting much of their budget toward addressing that priority, and in many cases, they’re underestimating the risks cyber attacks represent.
School district IT leaders will need to resolve some of the inconsistencies in how they handle cyber safety and security to protect their communities, especially in their summer projects and 2020/21 planning.