There’s no question that K-12 school districts are strained when it comes to cybersecurity. After years of increasingly devastating incidents, the court of public opinion seems to agree that something must be done to mitigate the problem.
Luckily, we’re witnessing a step in the right direction. In January 2023, the Cybersecurity & Infrastructure Security Agency (CISA) unveiled its multi-year research into data security challenges within the K-12 school system. Alongside its report, CISA released a list of recommendations — known as a “toolkit” — for institutions to better protect student data and uphold privacy standards across the country.
While overall the report is a net positive for districts that have been on the frontlines of these attacks, I wanted to focus on the topic of cloud computing—security in particular—because, well, that’s what we do! Let’s take a closer look at what spurred CISA’s research and what the agency got right and wrong about cloud security.
The state of cybersecurity in K-12 education has been a bit bleak. In fact, according to the K12 Security Information Exchange (K12-SIX), the average school district experiences at least one cyber incident per school day in the United States.
As cyber threats evolve and grow increasingly more sophisticated, it’s become exceptionally difficult for K-12 schools to keep up the fight. Whether it be a ransomware attack or a school data leak, incidents are hitting the headlines on a regular basis.
Finally, the federal government decided to take action. In October 2023, President Biden signed into law the K-12 Cybersecurity Act — a bipartisan bill that ordered CISA to conduct research into how schools can better protect their data. By law, the agency had 120 days to review the threat landscape and 60 days to create guidelines off the back of its results.
According to CISA’s report, cyber incidents tripled during the pandemic as an onslaught of various threat vectors targeted their new technological advancements.
However, research also indicates that most districts lack staff with the expertise to match today’s cybersecurity challenges. Per the report, “most districts do not employ full-time cybersecurity personnel, and some smaller school districts may not even employ full-time IT staff.”
Furthermore, districts are highly concerned about managing their third-party vendors. Few districts have the time or resources to comb through vendor security policies. Worse yet, there are little to no standards or minimal requirements for K-12 suppliers, making it difficult for schools to access cloud services with confidence.
CISA’s landmark research has brought more attention to the many cybersecurity challenges that school districts are facing. It also provides some practical, effective solutions for districts to start moving in the right direction.
But I do have some (possibly controversial) opinions about the report’s characterization of cloud computing for schools.
CISA’s Protecting Our Future report is great, and I encourage everyone to read it and start putting it’s recommendations in place—just getting started toward improvement is the key. It’s heartening to see the federal government and others finally beginning to take this issue seriously, and putting together practical, actionable resources for schools.
It’s important to keep in mind that there is no “easy button” when it comes to cybersecurity—no matter what industry you’re working in. This research won’t fix all our problems. But it is a step closer to the end goal, which of course is to keep sensitive student information safe at all costs.
Unfortunately, it lacks a clear and helpful representation of cloud security for K-12. With more schools operating in the cloud than ever before, this is a huge blind spot that can’t go undiscussed.
By implementing cloud layer of protection, your district can gain visibility into what is going on in your cloud domain. More importantly, you can safeguard information, detect threats, and more effectively keep students safe. At the end of the day, that’s what matters most.