The K-12 Report: A Cybersecurity Assessment of the 2021-2022 School Year

Image

The K-12 Report breaks down the cyber risks faced by public schools across the country and is sponsored by the CIS (Center for Internet Security) and the MS-ISAC (Multi-State Information Sharing & Analysis Center).

Published “to prepare K-12 leaders with the information to make informed decisions around cyber risk”, the report provides a data-driven analysis of what went well, what could be better, and what exactly is threatening our K-12 schools.

The MS-ISAC is federally funded by CISA and a division of the CIS.

What security risks are K-12s concerned about?

When considering the security concerns facing K-12 school districts, respondents stated their top five as:

1. Lack of funding | Most schools devoted less than 8% to security, with nearly 20% dedicating less than 1%.
2. Increasing sophistication of threats | Almost one in three (29%) MS-ISAC K-12 member organizations reported being the victim of a security incident.
3. Lack of documented processes | Over one-third (37%) of K-12 members lacked an incident response plan.
4. Lack of a cybersecurity strategy | Eight in ten had not fully implemented MFA, and roughly three in ten had no MFA at all. Interestingly, 83% had invested in cyber insurance (which requires little to no technical expertise).
5. Not enough available cybersecurity professionals | Nearly half of the schools (49%) had a total IT and cybersecurity staff of five people or less.

Compounding these vulnerabilities are the real-world risks that these schools face. As listed in the report, they are:

• Ransomware disrupting in-person and remote learning
• Cyber threat actors becoming more brazen, emailing students and parents
• Malware attacks (Shlayer and CoinMiner comprising 64%)
• Exploited vulnerabilities (“exploitation activity”)
• Malicious DNS requests (over 423 million blocked by MS-ISAC in the 2021 school year)

The problems facing K-12 schools are roughly the problems we see across the board, but in these “data-rich and resource-poor" environments, the sensitive, personal nature of what’s at stake makes the situation all the more critical.

How prepared are schools to meet them?

This year, schools earned just over 50% in ‘Average Cyber Maturity’ with a passing grade in Identity Management and the “highest participation rate for K-12 school districts in the NCSR’s 10-year history”. Noting an overall 3% YoY increase in maturity scoring, schools are off to a good (albeit very gradual) start.

Let’s review the high points. Schools performed well in:

• Identity Management and Access Control. Schools are good at limiting access to authorized personnel and activities.
• Awareness and Training. Security education is typically a strong point. Partners are trained to be cyber conscious and in line with stated policies.
• Business Environment.  There’s good top-down communication about the mission of the schools and what cybersecurity objectives should come of that.

Now, let’s look for areas of opportunity. Referenced to a relevant NIST Cybersecurity Framework Category, these are the areas in which schools were “generally performing poorly”:

• Protective technologies. To improve here, schools can:
  • Encrypt data on USBs and other removable media
  • Collect audit logs
  • Disable Autoplay for USBs and other removable media
• Supply chain risk management. Organizations can tighten this up by:
  • Setting up a data recovery process for when incidents occur
  • See if service providers can prove compliance with national standards (SOC 2, PCI DSS)
  • Otherwise vet vendors for security adherence: questionnaires or “other appropriately rigorous processes”
• Data security. To remediate this lack, schools should:
  • Engage in threat modeling before code is created. This means assessing and addressing design flaws before the code is run.

Just like eight out of ten schools were cyber insured, it’s interesting (and perhaps logical) that in an area where trained cyber professionals are hard to come by and there has been no historical groundwork for cyber infrastructure, the areas in which schools are performing the best are the ones leveraging the skills they already have (teaching, communicating, policy adherence).

It’s fair to say this is one piece of evidence that schools are doing the best – and in some cases, all – they can. While a lean towards these ‘security soft skills’ leaves some obvious technical gaps, this bias could prove an unlikely advantage. As the Verizon 2022 Data Breach Investigations Report notes, 82% of breaches are the result of human error, and tightening up that margin through security awareness and governance could be a small way to shut a large door.

How can schools improve their security posture?

In addition to some focused efforts on remediating the above “areas of opportunity”, there are a few things K-12 schools can do across the board to get those security grades up. They were listed in the report as follows:

1. Get in the security community. Especially for organizations with no formal background in cybersecurity measures (or even IT, in many cases) just plugging into the hive can keep schools abreast of security changes and best practices for others in their same position.
2. Benchmark where you are. As every educator should know, you can’t identify areas for improvement unless you know honestly how the student is doing – and every student is different. While this report covers general patterns, each organization should complete the NCSR to gauge their own cyber maturity and see where they need to begin.
3. Check off IG1 of the CIS controls. Implementation Guideline 1 (IG1) of the CIS Critical Security Controls is the starting place, the foundation, of basic cybersecurity practices and the jumping off point for both enterprises and middle schools alike.
4. Be aware of the cyber threats. To do this, schools can sign up for the MS-ISAC Indicator Sharing Program.
5. Network and endpoint defense. An intrusion detection system (IDS) and an endpoint detection and response (EDR) system are a great place to start.

In its final pages, the report outlines a host of free cybersecurity resources available to schools and districts looking to improve their security posture. Admittedly, it’s a new world for many of these organizations, and MS-ISAC, among others, is an organization committed to protecting what K-12 institutions have to offer.

The good news? This is just a pop quiz. If school administrators take the time to study, they can be ready for the real test. A test, hopefully, no school will have to face.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.