
K-12 Cybersecurity Questions Asked and Answered!

By Denise Caccavari posted 06-17-2021 01:49 PM

  

Cybersecurity is a prevalent issue across all industries, and increasingly so in the K-12 education sector. We know there are a lot of unanswered questions lurking in the minds of superintendents, treasurers, technology directors, and other school administrators. To help, I'll answer the most pressing questions we’re hearing from districts right now about cybersecurity. Let’s get started…

Q. Why did the education sector account for over 60 percent of all reported cyber attacks in the US in 2020? 

A. Not surprisingly, criminal activity capitalizes on opportunity. The education industry, and K-12 technology environments in particular, is perceived as underfunded and undersupported. By comparison, private sector and enterprise environments are far better funded and use significantly more aggressive IT staffing models (e.g., 1 IT employee per 75 devices/assets).

Q. How did COVID-19 affect this unprecedented targeting of education?

A. The data a school holds is valuable. Education-related cybercrime escalated significantly in March 2020, directly correlating with the spread of COVID-19. Districts had to respond at a moment’s notice to deploy remote learning tools districtwide, many of which were untested and unvetted. The remote learning environment expanded exponentially in the past year, and, consequently, so did the technology attack surface, putting the data and information a district holds more at risk than ever before.

 

Q. Why should district administrators make cybersecurity a priority?

A. The implications of escalating cybercrime are far-reaching. Administrators should be most concerned about meeting their responsibilities regarding: 

1. The prevention of financial loss from ransomware and fund transfer fraud.
2. The prevention of exfiltration of sensitive data (IEPs, PII, SS#s, etc.) and compliance with federal and state data privacy laws.
3. The prevention of disruption to instruction and operations due to network outages and ensuing technology unavailability.

 

Q. What should you expect regarding the anticipated increase in the complexity and cost of cyber insurance coverage in the K-12 space?

A. Cyber insurance premiums are expected to increase. Additionally, experts expect to see exclusions or restricted coverage for certain sectors and industries that represent the greatest exposure, to possibly include public education. The education sector represented over 60 percent of all reported cyberattacks in the U.S. in 2020, and the FBI reports that Ohio was among the top 5 in overall public and private sector attacks in the nation this same year.

As the industry begins to better understand cyber risk, better data will be available surrounding the connection between preventative behavior, such as implementing better technology and cultural security controls, and the behavior’s impact on private and public sector entities in the case of a cyber event. There is even speculation that this could lead to month-by-month premiums or credit mechanisms for add-on services based on a reevaluation of the risk and rewards for positive behavior. 

Q. What do these potential insurance industry trends mean to district treasurers seeking to renew or increase cyber risk coverage?

A. Applications for coverage are increasingly designed to reveal districts’ technology environment vulnerabilities. Review and analysis of the responses to these applications can restrict the types and/or level of qualifying coverage. Treasurers and business managers should work closely with their technology coordinator and technology vendors to understand how these applications reveal deficiencies in preventative best practices they could deploy to significantly improve their cybersecurity posture and potentially ensure the most appropriate insurance coverage. 

 

Q. What is the gold standard of cybersecurity best practices?

A. There are approximately 47 internationally recognized cybersecurity frameworks that define these best practices. Regulators, legislators, and technology developers use these standards to form policy and law and to develop technology solutions for the marketplace. Two of the most widely adopted cybersecurity frameworks are authored by U.S.-based entities: the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST). Note that the Ohio Data Privacy Act references both in describing “reasonable conformance” criteria for Safe Harbor qualification.

 

Q. What is a reasonably affordable cybersecurity strategy for the K-12 space with consideration to restrained budgets?

A. There is good news. The most responsive technology vendors have anticipated these escalating exposures, and the best of them have developed affordable K-12 specific managed cybersecurity solutions. Solutions to consider should be developed in alignment with the CIS and NIST Cybersecurity Frameworks and at a minimum include (i) User Awareness Training, (ii) Next Generation Cyber Technology and enterprise-class software deployment, (iii) 24/7 monitoring and real-time triage of malware on all critical district infrastructure, and (iv) an integrated and trusted incident response partner in the event of a cyber event.

 

Q. Is there funding available for K-12 cybersecurity?

A. Districts should be encouraged to learn that ESSER II (CARES Act*) funding can be approved for cybersecurity technologies and user awareness training. To plan for long-term closures and to accept the increasing need for secure remote environments, districts' networks must be secure to ensure the availability of these networks for uninterrupted remote learning and to protect against the exfiltration of personal student and employee data in compliance with data privacy laws.

Additionally, districts are encouraged to seek grants and other financing mechanisms to address their respective cybersecurity-related exposures.

(*The ODE Office of Federal Programs confirmed ESSER II Funds can be appropriated for this purpose.) 

 

Q. Where do we start?

A. Contact your technology vendors to explore solutions, and be certain to include all stakeholders in the process: your superintendents, treasurers, and IT directors.
