A look at the first-of-its-kind, focused report on the state of K-12 cybersecurity
The K-12 Cybersecurity Research Center was established by Douglas Levin to increase awareness of how the use of technology in schools is being managed, and the inherent cybersecurity risks involved. Since January 2016, Levin’s K-12 Cyber Incident Map has recorded 425 publicly disclosed K-12 cybersecurity incidents.
Levin decided it was time for someone to produce an in-depth analysis of how these cybersecurity incidents are impacting schools, students, and other stakeholders. His report, The State of K-12 Cybersecurity: 2018 Year in Review, is the first of its kind. Widely cited research studies, such as Verizon’s annual Data Breach Investigations Report and Ponemon Institute’s Cost of a Data Breach Study, combine K-12 and post-secondary institutions, public and private institutions, and U.S. and global institutions into a singular category that is simply too broad to truly focus on the impacts to K-12. He decided it was time for a K-12 specific focus on the issue.
K-12 Cybersecurity Data: 2018
The K-12 Cybersecurity Incident Map and its underlying database capture information from the public disclosures of K-12 schools, districts, charter schools, and other public education agencies (such as regional and state agencies). The database also collects detailed information on several characteristics of the public school districts (including charter schools) that have reported a cyber incident.
Overlaying these two data sets allows us to analyze not just the cyber threat trends themselves, but also to answer questions about the district characteristics that may make a district more or less likely to experience an incident.
It’s worth noting that K-12 cybersecurity incident reporting of any kind is incomplete at best. Mandatory reporting requirements for K-12 vary by state, and many disclosures are not publicly accessible or are limited by incident type and size. Finally, given the common lack of awareness or investment in cybersecurity in K-12, it’s likely there are incidents which occur that school districts are not aware of.
Types of K-12 Cybersecurity Incidents
In 2018, the K-12 Cybersecurity Resource Center’s Incident Map cataloged 122 publicly disclosed incidents. These incidents occurred in 38 states and affected 119 school districts. The good news is that, at least within 2018, there was a relatively low rate of incident recurrence.
The bad news is that this represents, on average, a cybersecurity incident happening every three days. This is astonishing considering just how much personally identifiable information K-12 school districts as a whole store. Students, parents, faculty, and staff can all be exposed when a data breach occurs.
The most common type of cybersecurity incident experienced by K-12 school districts in 2018 was the data breach. According to the report, most data breaches that occurred could be categorized as:
- Unauthorized disclosures of data by current and former K-12 staff, primarily due to human error
- Data breaches at vendors/partners that have a relationship with a school district
- Unauthorized student access to data, often out of curiosity or to modify school records, such as grades, attendance records, or financial account balances
- Unknown external actors, often for malicious purposes
About half of the data breaches that occurred in 2018 were caused by members of the school district, meaning students, faculty, and staff. Overall, student data was included in 60% of the data breach incidents in 2018! Student data breaches and identity fraud have been on the rise, and will continue to trend upward as long as the information is so easily accessible—and profitable for cyber criminals.
According to public disclosures, the primary K-12 cybersecurity incident types in 2018 break down as follows:
- 46.72% – Unauthorized Disclosure/Breach
- 18.85% – Other Incident
- 15.57% – Phishing
- 9.84% – Denial of Service
- 9.02% – Ransomware
K-12 Cybersecurity Lessons for 2019 & Beyond
The upward trend in the number of K-12 cybersecurity incidents is unlikely to level off in the coming years. As school districts increasingly rely on technology and broaden the scope of student data collected, they will only become more lucrative targets. The lack of cybersecurity funding and resistance to changing the paradigm in K-12 certainly doesn’t help.
Ultimately, this is an issue that impacts virtually all of us. The 2018 K-12 Cybersecurity Report found that these incidents resulted in the theft of millions of taxpayer dollars. They also resulted in stolen identities, tax fraud, altered school records, website and social media defacement, and the loss of access to school technology and IT systems for weeks or longer.
As Levin puts it:
“Ultimately, the goal of K-12 stakeholders must be to reduce and better manage the cybersecurity risks facing increasingly technologically-dependent schools…It won’t be solved solely by an infusion of money, new technologies, new policies and regulations, or a cybersecurity awareness campaign; all are likely necessary, but how they are implemented and evolve over time to meet the specific and idiosyncratic needs and constraints facing public K-12 schools will matter most of all.”