It takes an ecosystem to secure the future of K‑12
We all have a stake in the future. Because of that, we all have a stake in the education of our children. With that in mind, we’ve been given a wake-up call. All the stakeholders need to work together to answer it.
There has been a more than 300 percent rise in reported cyberattacks on schools in recent years. In 2018, there were 400 reported incidents, and more than 1,300 in 2021, the latest good data available. That’s also “reported” incidents, so the actual number of attacks is likely higher, and it wouldn’t be surprising to learn that the numbers have gone up since 2021.
All this comes from a report released earlier this year by the US Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). The report was commissioned by Congress as part of the K-12 Cybersecurity Act of 2021. The report is cautionary, prescriptive and very clear that its findings are just a “starting point.”
With that starting point, it’s clear that we have a long way to go. Reading the report calls to mind the adage, “It takes a village to raise a child.” Increasingly, it takes an ecosystem to secure that child’s education. And it’s a challenge to be addressed by everyone: industry, schools, government, parents and communities. We all have a role to play.
And we can do this. Let’s look at some points from the report to rally around.
No school is an island
Schools became bigger targets when education largely moved online because of the pandemic and the enhanced threat continues. Ransomware demands grew dramatically. We all know hospitals have become big targets for this crime and to a ransomware criminal a school looks similar to a hospital. They both need access to their data to operate and because the law demands they protect their data – patient data on one hand, student data on the other – they are more likely to quietly pay and avoid shaking the public’s faith in them with a more public approach.
The reason schools have become attractive targets goes beyond ransomware, though. Schools possess lots of confidential data on a wide variety of people – students but also parents and staff. The report notes incidents where data was deleted or misused. Also, because a given school is connected at several levels – districts, counties, states and federal agencies – they can also offer hackers backdoor access to other systems.
No school or district is immune, and it’s noted that disadvantaged districts are most vulnerable. So, this report sounds an alarm that must be taken seriously. Yet, no one wants to see this scenario play out: School administrators with limited resources feeling they must make a choice between hiring an IT person or hiring a teacher; presuming such a person is even available. There is a shortage of cybersecurity experts across the economy. School districts come in all shapes, sizes, and locations, so attracting and retaining such unique talent is a major challenge.
To avoid that situation, many of us in industry, government and elsewhere must respond to this alarm on an ecosystem-wide basis. A coordinated response is crucial for many reasons. In one stark example for those providing technology services to schools, the report states that more than half of school cyber-attacks from 2016 to 2021 were carried out through vendors providing services to schools such as web hosting. Security must come built-in for any technology services provided to schools. The report specifically urges districts to demand that providers deliver security by default protocols. To turn that point around, service providers need to architect their offerings with security as a top priority.
We should also recognize that an ecosystem is composed of people, not just organizations and technologies. Everyone – students, parents, teachers, administrators – should be made aware of the risks and trained on information security. Does everyone know what to do if they see something suspicious? Training programs are available from parts of the ecosystem and the report has a list of resources.
The spirit of ecosystem support and collaboration threads through many of the recommendations in the report.
- Work with state-level committees to leverage the State and Local Cybersecurity Grant Program as well as other grant programs.
- Join collaboration groups such as MS-ISAC and K12 SIX.
- Develop relationships with regional FBI personnel as well as CISA.
As to industry specifically, the report notes the challenge of implementing and monitoring advanced security protocols and technologies for school districts. CISA urges districts to move key services to the cloud where providers can maintain security. That’s part of it, of course, and Lumen helps organizations make that migration as smooth as possible. But there’s more such as security assessments to identify, prioritize and mitigate potential risks, and 24/7 monitoring in Lumen Security Operations Centers, providing incident handling, and expert remediation recommendations.
There’s more in the report and more to talk about. Change must come from the top down, and leaders must embrace and reinforce the cultural shift necessary to reduce risks. Districts can band together to create a unified effort across multiple communities. It takes an ecosystem to secure our students’ future, so let’s get together to plan your security roadmap.
This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. All third-party company and product or service names referenced in this article are for identification purposes only and do not imply endorsement or affiliation with Lumen. This document represents Lumen products and offerings as of the date of issue.