
Tips for Creating a Successful K-12 Cybersecurity Plan

We’ve all seen the growing number of cybersecurity threats and attacks on schools and districts. At least 45 U.S. school districts suffered ransomware attacks in 2022. In 2021, 166 school cybersecurity incidents affected 162 districts across 38 states. From 2016 to 2021, there were 1,331 cybersecurity incidents impacting schools. 

Cyberattacks are no longer a matter of “if it’s going to happen to our school.” It’s more likely “when it’s going to happen.”

During the COVID-19 pandemic, cybersecurity threats became so rampant that Congress enacted the K-12 Cybersecurity Act of 2021. As part of the Act, the Cybersecurity & Infrastructure Security Agency (CISA) is tasked with keeping track of cybersecurity risks within our elementary and secondary schools and creating cybersecurity guidelines to help improve school cybersecurity.

CISA sums up the issue: “A continuing drumbeat of cyber intrusions is threatening the nation’s ability to educate our children while also placing personal information and school data at risk.” 

Improving your cybersecurity is an entire team effort, starting with administrators, superintendents, and other leaders who need to instill a culture of data security and privacy. According to CISA, K-12 organizational leaders need to elevate cybersecurity risk management as a top priority, taking “creative approaches to securing necessary resources, including leveraging available grant programs, working with technology providers to benefit from low-cost services and products that are secure by design and default, and urgently reducing the security burden by migrating to secure cloud environments and trusted managed services.”


On the technical side, schools and districts can strengthen their overall data security by implementing secure educational software from vendors that prioritize best practices and best-in-class data security. For example, using a data-as-a-service vendor with stringent, hardened security protocols can eliminate legacy methods of storing and sharing data that pose security risks and volume constraints.

Choosing the right edtech partner can ensure you’re protecting the security and integrity of your data and applications, as well as lessen the burden on your technology staff. Edtech companies that focus on being good custodians of your student data invest heavily in: 

  • Industry-leading security protocols 
  • Security by design 
  • End-to-end encryption 
  • Third-party penetration testing 
  • Intrusion detection 
  • Auditing 
  • Mandatory training    

An interoperable edtech system of connected products can also significantly improve your data security. Instead of using an assortment of disparate edtech products for various functions, an integrated system on one secure platform can decrease vulnerabilities, create a more controlled environment, and give you the added benefit of shared data for deeper student insights.

In this blog, we’ll look at more recommendations from CISA and other resources to improve your cybersecurity, along with practical tips for creating a successful cybersecurity plan for your school or district.

Cybersecurity in K-12 Education: Start Small with Focused Investments

You’re facing a wide variety of cyber threats and attacks. Along with well-known ransomware attacks and phishing attempts, there are individual breaches by students, teachers, and school community members, denial of service (DoS) attacks, and online class and school meeting invasions.

With such a wide array of potential threats, CISA recommends starting with focused investments on the most impactful steps, given the limited resources most K-12 schools and districts face. The organization advocates: 

  • Deploying multifactor authentication (MFA) 
  • Mitigating known exploited vulnerabilities 
  • Implementing and testing backups 
  • Regularly exercising an incident response plan 
  • Implementing a strong cybersecurity training program

4 Core Areas of a Cybersecurity Plan 

1) Mitigation to Reduce the Severity of Threats and Attacks 

When creating a mitigation strategy, it’s crucial to gain buy-in from everyone in the organization. It’s everyone’s responsibility to ensure your system’s security as every individual is a potential entry point for a cyberattack. 

Conduct a basic risk assessment. According to the Consortium for School Networking’s (CoSN) “Conducting a Cybersecurity Risk Assessment” guide, “Risk management is critical for districts to successfully implement and maintain a secure teaching and learning environment. Risk assessments identify, quantify, and prioritize risks against criteria established by the district for risk tolerance and objectives. Assessment results guide and determine appropriate district action and priorities for managing information security risks and for implementing controls needed to protect information assets.”

The National Security Agency offers the following steps in its “Top Ten Cybersecurity Mitigation Strategies”: 

  1. Update and upgrade software immediately  
  2. Defend privileges and accounts 
  3. Enforce signed software use policies 
  4. Exercise a system recovery plan 
  5. Actively manage systems and configurations 
  6. Continuously hunt for network intrusions 
  7. Leverage modern hardware security features 
  8. Segregate networks using application-aware defenses 
  9. Integrate threat reputation services 
  10. Transition to multifactor authentication

CISA offers additional mitigation efforts in the “Preparing For and Mitigating Potential Cyber Threats” guide, including increasing your organizational vigilance, preparing your organization for rapid response, ensuring your network defenders implement cybersecurity best practices, staying informed about current cybersecurity threats and malicious techniques, and lowering your threshold for threat and information sharing.  

2) Communication throughout Cybersecurity Planning 

Clear communication between your key stakeholders is essential during and after an incident and throughout your planning processes and regular procedures. Make communication part of your daily cybersecurity strategic planning. 

“Using a standard communication path for these smaller issues will create known paths to receive updates,” says Jim Corns, executive director of information technology for Baltimore County Public Schools, in a K-12 Dive article. When Corns’ district suffered a ransomware attack, communication was limited because its website and primary email were down. “We quickly established a second email domain and created a temporary website, but these actions took time. Having them in place before they were needed would have been a huge benefit,” he says.

Ensure that staff, students, and parents are aware of every type of cybersecurity threat. They should regularly hear from the IT department, each school’s principal, or the superintendent.

Digital citizenship is also an important concept to communicate with your schools and districts, especially with increased online collaboration and video conferencing. Offer practical guidelines and policies, including the importance, best practices, and examples of being responsible with software, devices, and platforms.

3) Continuous K-12 Cybersecurity Training for Your Staff

Keeping your data secure and private is everyone’s responsibility within your organization. Because of the sophistication and persistence of cyber threats, current and ongoing training is necessary for all levels of staff, students, and even parents. As with any learning, it takes a lot of repetition, re-reading and re-watching, and practice for users to fully embrace cybersecurity best practices in schools. Reshare your standard protocols with an emphasis on extreme vigilance during this new age of increased online usage.

Training helps build and fortify your “human firewall” and improve your users’ ability to spot and prevent cybersecurity attacks.

Here are some tips to provide cybersecurity training for staff, students, and parents: 

  • Include multiple types of training, including classroom, online, and individual one-on-one training—as well as an email newsletter and lunchroom posters 
  • Make all information and resources on data safety easily accessible and sharable 
  • Make sure awareness and training messages resonate with your team personally so they can fully understand them 
  • Have a transparent response process to attacks involving students—what are your immediate and long-term steps if (and when) you are attacked to minimize risk to students? 
  • Communicate rules for accessing confidential work on unsecured networks (with public WiFi access) 
  • Use email phishing campaigns to increase awareness

4) Remediation to Minimize Impact Promptly

Cyberattacks can devastate a school or district financially and impact students’ education. Schools have reported monetary losses between $50,000 and $1 million because of cyber incidents. And throughout the COVID-19 pandemic, the average overall cost of data breaches across all industries was $4.24 million.

Significant instructional loss occurs when schools are forced to shut down due to a breach or ransomware attack. In general, the overall recovery time for cyberattacks is up to nine months, and the average recovery time for a ransomware attack is 287 days. In addition to education loss, many students rely on their school for medical services, meals, and social and emotional support—all affected when a shutdown occurs.

Creating a remediation plan as part of your overall cybersecurity plan can help you prepare for what to do when an attack takes place to minimize its impact. Here are a few practical steps to include in the plan: 

  • Create reliable, current, restorable backups of your system data to help continue operations in any event 
  • Create a documented plan for dealing with any situation. An example is using the PICERL process (Preparation, Identification, Containment, Eradication, Recovery, and Lessons) as a best practice to prepare for each step of any security risk.  
  • Know how and when to report incidents to the right stakeholders and agencies, including your school board, state department of education, and federal resources 
  • Understand the different protocols associated with each type of cyber incident, from typically minimal data breaches to more disruptive school- or district-wide cyberattacks

Cybersecurity is a Continuous Quest

Cyberattacks and bad actors aren’t going anywhere. If anything, they will increase as we depend more on digital, online systems. And while you can’t make your systems 100% secure from cyberattacks and incidents, you can improve your data security and privacy through best practices, planning, and preventative measures.  
