6 Essential K-12 Cybersecurity Protections for the 2022-23 School Year

Key Takeaways From K12 SIX’s 2022/23 Essential Cybersecurity Protections Webinar

ManagedMethods recently sponsored a webinar hosted by K12 SIX, a non-profit organization dedicated to protecting the K12 community from emerging cybersecurity threats. Securing student, staff, community, and financial data is critical for school districts. We’re far beyond the point of denying that serious cybercriminals are targeting K-12 schools. Ransomware incidents like the ones impacting Los Angeles Unified School District (LAUSD), Albuquerque Public Schools, and many more make the days when student-triggered DDoS attacks were tech directors’ headaches feel quaint.

As Doug Levin, National Director of K12 SIX and the webinar’s host, put it: “Cybersecurity risk management can be described as a ‘wicked’ problem. It’s one that defies easy solutions and quick fixes, in part because cybersecurity risks are constantly evolving. For K-12 organizations, the cybersecurity challenge is compounded by limited resources and staffing, a lack of compliance mandates, and loosely coordinated, complex IT operations.”

During this session, Levin shared practical insights and tips for protecting your district’s data based on his extensive research. He was joined by two Augusta County School District technology department representatives, who volunteered their time to share how they’re making cybersecurity a priority in their district. Here, we’re going to outline some of the key takeaways from this discussion. Let’s jump in!

6 Key Takeaways from Essential Cybersecurity Protections for the 2022-23 School Year Webinar

1. Ransomware is a problem, but it’s not the only one

Ransomware incidents get a lot of media attention, particularly since LAUSD, the second-largest district in the US, became another victim over Labor Day weekend. But they’re by no means an outlier. At least 26 US school districts have dealt with a ransomware attack in 2022 alone.

But ransomware is far from the only cybersecurity problem schools are facing. This became abundantly clear earlier in the year when news of the Illuminate Education data breach broke–then grew as the true scope of the impact trickled out to the public. Then, more recently, came the news that Seesaw was hacked. This resulted in students’ parents/guardians being exposed to explicit content via the messaging app.

According to Levin’s K-12 cybersecurity research, the biggest cyber incident trends impacting districts in 2022 are:

1. Ransomware
2. Data breaches and leaks
3. Phishing scams (including email, texts, and business email compromises)
4. DDos
5. 3rd party vendor incidents

2. Cyber smarter, not harder

We all know that districts are woefully underfunded and understaffed when it comes to… everything… but particularly cybersecurity. In the impossibly extensive list of education priorities, cybersecurity hasn’t been able to make it high enough up the list to warrant proper resourcing.

But, as Levin put it, it’s not a matter of “cybering harder”. He shared that these malicious actors often exploit common weaknesses in security controls, misconfigurations, and poor practices to gain initial access to schools’ systems. In many cases, the damage could be avoided, or at least mitigated, with relatively simple and low-cost (or free) steps that districts can take to better protect their data. These are:

1. Control access
2. Limit the ability of a local administrator account
3. Harden credentials
4. Implement MFA (at least for administration leadership and district staff)
5. Establish centralized log management
6. Use antivirus solutions
7. Employ detection tools
8. Operate services exposed on internet-accessible hosts with secure configurations
9. Keep software updated

3. Technology department structure matters

Molly Shiflet, ITRT Coordinator, and Jeremy White, Systems Security Admin, at Augusta County Public Schools shared that their technology department was restructured around 2020. Their tech director lobbied for the restructuring because the department, like almost every school district, had two primary priorities:

1. Enabling high-quality teaching and education outcomes via integrated technology
2. “Keeping the lights on” via reliable hardware, networks, and security

Thus, the department is now structured under the tech director into two branches: the network team and the instructional technology team. Keeping both in the technology department benefits the district as a whole because they are able to ensure that new instructional tools, practices, and processes are set up and configured with a data privacy/security-first approach.

4. It’s possible to do a good job with security and the other things

White acknowledged that he’s a bit of an outlier as the only district security admin in the area. But he was also quick to point out that he does a lot of other things because that’s just the nature of the beast in K-12 education. He took the approach of creating a working group of others on the network team that has an interest in working on the district’s cybersecurity problems. His “security team” consists of two other techs that meet on a weekly basis to identify an area to focus on and work on solving the problem. A few examples of cybersecurity challenges that the team has focused on in the past are planning for the future, and/or are currently working on include:

1. Implementing multifactor authentication (MFA)
2. Hardening email security
3. Auditing Google Workspace data security and file sharing practices
4. Running a National Cybersecurity Review audit

Importantly, you can’t expect to do everything all at once. It’s helpful to understand where your risk factors are, prioritize them, and then start working on improving them as you can.

5. MFA isn’t as scary as you might think

Until about a year ago, there was a lot of resistance to multifactor authentication in K-12. There still is some resistance, but many districts (and, importantly, administrative leadership) are accepting the concept. Not only is it among the most effective and easiest things you can do to secure your district from an attack, but it’s also required by most insurance companies providing cyber insurance to the education market.

White and Shiflet emphasized what we’ve heard from many districts that either have implemented MFA or are in the process of it: that you don’t have to roll it out to everyone all at once. It’s a great idea to start with executive staff/administration leadership. The benefits of starting here are:

1. They’re usually the group whose accounts are going to be the most targeted by cybercriminals
2. There is a smaller number of them in the group/OU, so you can roll it out to a smaller number of people and then adjust your communications, training materials, etc. from there to help make additional implementation smoother
3. Once the leadership team is comfortable with using MFA, they can help provide the top-down initiative support you need to bring others along

Shiflet and White recommended taking baby steps. They started with their executive staff, then building admins, then anyone with access to students’ personally identifiable information (PII).

6. IT and instructional technology need to work together on purchasing

Another recommendation from White and Shiflet is that instructional technology and IT need to work together to formalize a purchasing process for both hardware and software. This improves the likelihood that technology dollars are well-invested in tools that are going to be beneficial to students and faculty, as well as secure and safe.

“Blended learning is here to stay,” said Shiflet. “infrastructure cannot be siloed from instruction and vice versa so that we’re all using instructional technology effectively and safely.”

Levin, White, and Shiflet shared these insights and much more during this webinar. If you missed it, would like to re-watch it and/or would like to download the slide deck, you can access the recording and materials at any time by registering on K12 SIX’s website here.

If you would like to take a piece of Jeremy White’s cybersecurity advice and audit your district’s Google Workspace data security and file-sharing practices, you can sign up for an audit 100% FREE by filling out the form here.

The post 6 Essential K-12 Cybersecurity Protections for the 2022-23 School Year appeared first on ManagedMethods.

*** This is a Security Bloggers Network syndicated blog from ManagedMethods authored by Katie Fritchen. Read the original post at: https://managedmethods.com/blog/essential-k12-cybersecurity-protections/