The Cybersecurity and Infrastructure Security Agency (CISA) released its report and a special toolkit for K-12 institutions to help address systemic cybersecurity risk and fortify themselves to fend off cyber threats.
The report, “Partnering to Safeguard K-12 Organizations from Cybersecurity Threats,” highlights the importance of resources, simplicity and prioritization to effectively reduce cybersecurity risk. Education is a prime target of cyber criminals because school districts typically lack the necessary resources to defend against hacking attacks. Managed security service providers specializing in education security will certainly benefit from CISA’s report.
Helping Schools Reduce Security Risk
CISA provides three macro recommendations to help K-12 leaders build, operate, and maintain resilient cybersecurity programs:
- Invest in the most impactful security measures and build toward a mature cybersecurity plan.
- Recognize and actively address resource constraints.
- Focus on collaboration and information sharing.
Commenting on the security risk scenario for schools, CISA Director Jen Easterly said:
“As K-12 institutions employ technology to make education more accessible and effective, malicious cyber actors are hard at work trying to exploit vulnerabilities in these systems, threatening our nation’s ability to educate our children. Today’s report serves as an initial step towards a stronger and more secure cyber future for our nation’s schools, with a focus on simple, prioritized actions schools can take to measurably reduce cyber risk.”
Start Small, Seek Grants
Key findings from the report include:
- K–12 entities should begin with a small number of prioritized investments: deploying multifactor authentication (MFA), mitigating known exploited vulnerabilities, implementing and testing backups, regularly exercising an incident response plan, and implementing a strong cybersecurity training program.
- Schools should leverage available grant programs, work with technology providers to benefit from low-cost services and products that are secure by design and default, and reduce the security burden by migrating to secure cloud environments and trusted managed services.
- Participation in an information sharing forum, such as the Multi-State Information Sharing and Analysis Center (MS-ISAC) and/or K12 Security Information eXchange (K12 SIX), as well as establishing a relationship with CISA and FBI field personnel, is advisable.
More CISA recommendations include:
- Invest in the most impactful security measures and build toward a mature cybersecurity plan by taking these three steps:
  - Implement highest priority security controls.
  - Prioritize further near-term investments in alignment with the full list of CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).
  - Over the long term, develop a unique cybersecurity plan that leverages the NIST Cybersecurity Framework (CSF).
- Recognize and actively address resource constraints:
  - Work with the state planning committee to leverage the State and Local Cybersecurity Grant Program (SLCGP).
  - Utilize free or low-cost services to make near-term improvements in resource-constrained environments.
  - Expect and call for technology providers to enable strong security controls by default for no additional charge.
  - Minimize the burden of security by migrating IT services to more secure cloud versions.
- Focus on collaboration and information sharing:
  - Join relevant collaboration groups, such as MS-ISAC and K12 SIX.
  - Work with other information-sharing organizations, such as fusion centers, state school safety centers, other state and regional agencies, and associations.
  - Build a strong and enduring relationship with CISA and FBI regional cybersecurity personnel.