Strategies for Advancing Cyber Resilience in K-12 Schools
In early 2024 the Federal Communications Commision (FCC) advanced its proposal to launch a pilot program that would allocate $200 million for cybersecurity resources in schools. For school districts, actions like these can’t come fast enough.
While other industries talk about building cyber resilience and adopting the newly expanded NIST’s CSF 2.0 framework, few schools have the staff, let alone the funding, to combat the growing cyber threat to education.
However, at a time when cyber attacks are a matter of when, not if, schools have to start somewhere. That first step involves gaining a full understanding of network vulnerabilities to ensure existing resources are deployed efficiently and effectively.
The Current State of Cybersecurity In Our Schools
Comments in response to the FCC’s proposal have already sparked calls to shorten the pilot duration, accelerate funding, and update E-rate program firewall definitions, so that advanced security features can qualify.
According to the May 2023 CoSN State of EdTech Leadership report, cybersecurity remains respondents’ top priority for the fifth year in a row. However, 66 percent of school districts do not have a full-time cybersecurity position, and more than one in five have no funding for cybersecurity defense.
The latest numbers, according to the Government Accountability Office (GAO) show, as of 2021, 647,000 K-12 students were affected by ransomware attacks, and school district costs of downtime from such attacks were estimated to be $2.38 billion.
These incidents have no doubt increased since then, and are now making regular news headlines, including hackers that targeted Los Angeles Unified, the second largest US school district in the country, in 2023. And the New York City school district breach, which compromised an estimated 45,000 students’ data last year.
These attacks are not limited to larger school districts, and are increasing in frequency. Already in 2024, Park City school district was impacted by a computer security breach. St. Paul investigated a potential cybersecurity threat. And a New Jersey school district was shut down by a cyber attack. The K12 Security Information eXchange (K12 SIX) provides a map citing school incidents between 2016 - 2022.
E-Rate Program: A Beacon of Hope?
The FCC’s E-rate program has been a crucial funding source for schools and libraries to obtain affordable internet access. By building out a separate pilot program dedicated to cybersecurity, the FCC can ensure the E-rate program remains focused on its core mission.
That said, many believe the FCC should expand the definition of E-rate eligible solutions. In fact, according to a survey of schools and libraries by Funds for Learning, 93 percent agree or strongly agree that the E-rate program should include “support for comprehensive network security solutions.”
What’s more, school districts now have stronger broadband, especially following the pandemic’s influence on online learning, so while the FCC’s new pilot program awaits formal comment this year, opportunities exist to explore firewall solutions embedded within E-rate funding criteria.
Leveling the Cyber Playing Field
Along with taking full advantage of E-rate funding to strengthen firewall protections, school districts must gain complete visibility of their networked environments. In fact, this not only includes their own set ups, but also third-party vendors.
According to a report from the Cybersecurity and Infrastructure Security Agency (CISA), which cited data from the K12 SIX, during 2016-2021, 55 percent of K-12 school data breaches “were carried out on schools’ vendors.”
In fact, in early 2024, more than four million school records held by a school safety software company were accidentally exposed. While the leak has since been patched, the data included thousands of documents detailing emergency plans, such as lockdown procedures, medical files, and court documents.
See our case study to learn how a school district patching Windows servers created a risky system opening that UncommonX was able to contain.
The CISA recommends that schools take impactful security measures, such as implementing multi-factor authentication (MFA) and prioritizing patch management, all of which school districts should follow. However, without fact-based asset discovery and management, most schools will have an incomplete view of their network inventory and its potential cyber risks, including those from third-parties.
By combining the first steps of the CISA recommendation along with a complete inventory of assets, including their functional role, location, subnet, support group and all associated vulnerabilities, school districts can take the first step toward building better cyber resilience.
Do You Have Complete Visibility?
As education IT leaders face the daunting task of enhancing cyber resilience within their institutions, it's crucial to acknowledge the overwhelming nature of this responsibility, especially when navigating challenging leadership conversations and strategizing for the future. However, the time to act is now.
The journey toward cyber resilience begins with understanding your current cybersecurity posture and identifying the most critical areas for improvement. We partner with IT teams in this endeavor, offering tailored exercises, complimentary assessments, and in-depth discovery discussions to uncover your specific needs.
Together, we can build a secure and resilient digital environment for our schools, ensuring the safety and success of our students in an increasingly complex cyber landscape. For more information about how we can help your school to create a more resilient connected environment, contact us today at hello@uncommonx.com.
