Use the Framework to Help Tame K-12 Cybersecurity Threats
The National Institute of Standards and Technology (NIST) is a federal agency that doesn’t impose regulations. Its focus is to act as an unbiased agency that provides scientific data and publishes best practices for a variety of things, including cybersecurity. The NIST Cybersecurity Framework was originally released in 2014 and continues to be updated since then.
As states look for ways to improve student data privacy laws and K-12 cybersecurity resilience, several are using the framework to guide new regulations and guidelines. As a district IT leader, it’s a good idea to familiarize yourself with the NIST cybersecurity framework to develop, audit, and strengthen your own cybersecurity infrastructure.
A Brief History of the NIST Cybersecurity Framework
In 2013, Executive Order 13636 called for an effort to share cybersecurity threat insights, and to create a framework for reducing the risk to the nation’s critical systems. NIST was chosen to fulfill this Executive Order because of its reputation for establishing partnerships with private sector industries, educational institutions, and other government agencies to address critical national issues.
NIST conducted a process that included obtaining information from its partners to describe existing best practices for cybersecurity, to identify critical areas that weren’t included in existing best practices, and to develop plans for closing those gaps.
NIST reviewed the information they received and held framework workshops to encourage debate on a range of security issues. In July 2013, NIST published a preliminary Cybersecurity Framework that was widely discussed and NIST held additional workshops.
In February 2014, NIST released Version 1.0 of the Framework. The agency continues to encourage review by holding workshops to refine the Framework. NIST released Version 1.1 of the Framework in April 2018.
Why Do K-12 School Districts Need a Cybersecurity Framework?
It’s no secret that K-12 school districts collect and store an extraordinary amount of sensitive data. That data ranges from personal information about students to data used to run the business side of a school district. Protecting this information is critical, and using a framework to plan and execute your district’s cybersecurity strategy can be helpful. A 2016 survey found that 95% of IT security professionals that use some kind of cybersecurity framework experience benefits including greater security operations effectiveness, improved compliance, and a greater ability to present security readiness information and issues to leadership.
K-12 districts are near the top of the list of organizations that cybercriminals attack. Districts reported a 62% increase in cyber incidents in 2019 compared to 2018, and a 256% increase in data breaches. It’s obvious that K-12 cybersecurity is a significant issue for district leaders.
The NIST Cybersecurity Framework offers many benefits to school districts in managing the cybersecurity threat because it:
- provides a systematic approach to cybersecurity
- can be incorporated into your existing cybersecurity program
- can be tailored to meet your needs
- helps you identify areas where you need to strengthen your defenses
- helps you communicate clearly within the district and other stakeholders
- helps staff at all levels address cybersecurity issues in their areas of responsibility
Understanding and Applying the NIST Cybersecurity Framework
The NIST Cybersecurity Framework identifies five steps you can take to avoid cyberattacks. Here’s a brief summary of each step.
- Identify Function: Start by listing all equipment, software, vendors, and data you use. Create a district cybersecurity handbook and update school board policies concerning employee and student records.
- Protect Function: Take steps to track traffic, encrypt sensitive data, update software regularly, change passwords periodically, and train employees and students about cybersecurity.
- Detect Function: Monitor computers and web use for authorized access, and identify any unusual activities.
- Respond Function: Establish a business continuity plan, notify anyone whose data may be compromised, report attacks to authorities, contact your cyber insurance carrier, and update the cybersecurity handbook based on experience.
- Recover Function: After an incident, repair any equipment that was affected, and keep everyone involved up to date with your response and recovery actions.
Including Cloud Security into Your Cybersecurity Framework
Does your school district use G Suite, Office 365, or both? If so, keep in mind that perimeter-based cybersecurity tools, such as a next gen firewall, aren’t enough.
A variety of unique K-12 cloud risks increases a district’s vulnerability. And, the native security administration tools in G Suite and Office 365 make it difficult and time-consuming to configure settings, detect incidents, and find the information you need to respond. You can address those issues by including cloud security into your district’s cybersecurity framework.
- Identify: Include asset management and governance for cloud apps in your list of things to monitor. Set up periodic and automatic risk assessment audits and reporting in your plans.
- Protect: Provide layers of protective technology specifically for unique cloud risks, and ensure data security in cloud storage.
- Detect: Account for the fact that once hackers gain access to an account, or if you experience an insider threat, firewalls won’t be able to detect unauthorized behavior. Establish continuous monitoring of cloud apps on a 24/7/365 basis.
- Respond: Set up systems to quickly identify the account, files(s), or app that is causing an incident and take action. In many cases, you can automate action to respond in milliseconds.
No school district can afford to ignore the cybersecurity risks they face. Unchecked cybersecurity risks can disrupt schools and the district’s business operations. There’s also a real risk of financial repercussions, harming students and employees, and degrading student data privacy. A cybersecurity attack can cost the district money, time, frustration, and often a reduction in the community’s faith in the district’s ability to protect their children.
Using the NIST Cybersecurity Framework, whether required by state regulations or not, provides a great guide to strengthen your district’s defenses. Learn how you can implement a K-12 NIST Cybersecurity Framework in your district to better protect student, staff, and financial data.