Skip to content ↓ | Skip to navigation ↓

A recently published report from the US Government Accountability Office (GAO) has warned that official security guidance from the Department of Education is out-of-date, and needs to be refreshed to address the increasing reports of ransomware and other cyber threats.

According to the GAO report, the current plan for addressing threats to K-12 schools was developed and issued in 2010 and has not been updated to deal with the changing nature of cybersecurity attacks, such as ransomware:

“Among other things, schools have increasingly reported ransomware and other cyberattacks that can cause significant disruptions to school operations, thus highlighting the importance of securing K-12 schools’ IT systems. According to data from K-12 Security Information Exchange, schools publicly reported 62 ransomware incidents in 2019, compared to 11 ransomware incidents reported in 2018. However, Education has not updated its 2010 plan and has not determined whether sector-specific guidance is needed for K-12 schools to help protect against cyber threats.”

Anyone who follows the cybersecurity news headlines, and reads blogs such as Tripwire’s State of Security, is only too aware that digital threats have evolved considerably in the past 11 years.

The GAO says that the Education department blamed the failure to update its guidance for schools on another government department – the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) – which it said had not told it to make any updates.

However, the GAO says that it is the Department of Education’s responsibility to determine if an update to guidance is required – and this failure may have left schools less able to mitigate against attacks:

“…the department is responsible for updating its sector plan and determining the need for guidance. As a result, K-12 schools are less likely to have the federal products, services, and support that can best help protect them from cyberattacks.”

The GAO’s recently-published findings prompted US Senators to call on the various government departments to take more aggressive steps to strengthen cybersecurity in K-12 schools, agreeing that the current plans were “vastly outdated.”

Emsisoft threat analyst Brett Callow, who has kept track of ransomware outbreaks, reports that attacks have “disrupted learning at ~1k universities, colleges and schools so far this year”, meaning on average three every day are being hit.

With so many in the educational sector under attack, there has never been a greater need to share threat intelligence, enabling institutions and school districts to be aware of the latest ransomware threats targeting the industry.

In addition, schools would be wise to follow advice and tips on how to prevent a ransomware attack, before a network is hit, classes are disrupted, and the sensitive data of pupils and workers stolen.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.