A recently published report from the US Government Accountability Office (GAO) has warned that official security guidance from the Department of Education is out of date, and needs to be refreshed to address the increasing reports of ransomware and other cyber threats.

According to the GAO report, the current plan for addressing threats to K-12 schools was developed and issued in 2010 and has not been updated to deal with the changing nature of cybersecurity attacks, such as ransomware:

“Among other things, schools have increasingly reported ransomware and other cyberattacks that can cause significant disruptions to school operations, thus highlighting the importance of securing K-12 schools’ IT systems. According to data from K-12 Security Information Exchange, schools publicly reported 62 ransomware incidents in 2019, compared to 11 ransomware incidents reported in 2018. However, Education has not updated its 2010 plan and has not determined whether sector-specific guidance is needed for K-12 schools to help protect against cyber threats.”

Anyone who follows the cybersecurity news headlines, and reads blogs such as Tripwire’s State of Security, is only too aware that digital threats have evolved considerably in the past 11 years.

The GAO says that the Education department blamed the failure to update its guidance for schools on another government department – the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) – which it said had not told it to make any updates.

However, the GAO says that it is the Department of Education’s responsibility to determine whether an update to the guidance is required – and this failure may have left schools less able to mitigate attacks:

“…the department is responsible for updating its sector plan and determining the need for guidance. As a result, K-12 schools are less likely to have the federal products, services, and support that can