In a 2019 post about increasing cyber risks in K-12 schools, we cited a report, “The State of K-12 Cybersecurity: 2018 Year in Review,” that contained sobering information about cybersecurity in local school districts across the country. According to that report, in 2018, there were 122 publicly-disclosed cybersecurity incidents affecting school districts across 38 states. Not much has changed. A more recent article looking at ransomware activity in 2023 reports 120 attacks against school districts thus far in the year.
Yesterday, the Biden administration announced “new actions and private commitments to bolster the nation’s cyber defense at schools.” Among the actions:
Secretary of Education Miguel Cardona and Secretary of Homeland Security Alejandro Mayorkas joined First Lady Jill Biden to convene school administrators, educators and private sector companies to discuss best practices and new resources available to strengthen our schools’ cybersecurity, protect American families and schools, and prevent cyberattacks from disrupting our classrooms.
Perhaps more impactful in the short term are references in the announcement to (i) additional funding sources for schools, and (ii) recently released guidance, “K-12 Digital Infrastructure Brief: Defensible & Resilient,” jointly published by the U.S. Department of Education and the Cybersecurity and Infrastructure Security Agency (CISA). In particular, the guidance outlines, among other things, some “High-Impact Recommendations,” such as implementing multifactor authentication. Potential sources for increased funding include an FCC-proposed pilot program to provide $200 million over three years. School districts might also consider allocating funds that remain available from the Elementary and Secondary School Emergency Relief Fund (ESSER Fund) established during COVID-19. Also, AWS recently pledged $20 million to a grant program designed to support training and incident response at schools.
While it is true that school districts are often understaffed and underfunded, including in the area of cybersecurity, there are some areas of potential low-hanging (and relatively inexpensive) fruit that more schools might be able to address more readily. One of those is incident response.
Even if a district is not in a position to take all the steps it might want to in order to prevent an attack, it might be able to vastly improve its plans to respond to an attack. Doing so could significantly lessen the disruption to students and related communities.
The White House report notes that during the prior academic year four schools had to cancel classes or close completely in response to an attack.
Below are a few basic elements that should be included in an incident response plan (IRP):
- identifying security incidents;
- responding to security incidents; and
- mitigating harmful effects of security incidents.
Certainly, each of these elements might look different district to district considering size, number of locations, information systems, prior experience, cyber insurance policies, type of personal information, and state laws. But they are important elements for any plan.
More specifically, school boards will want to think about who will be doing the responding – who is on the “security incident response team.” This is a team that is organized and trained to effectively respond to security incidents. Areas to consider when forming and building a team include:
- A strong balance of skill sets among team members (IT, legal, communications, etc.)
- Ensure lines of communication will be available among team members during a crisis
- Consider external parties that can provide specific expertise concerning incident response
- Commit to regularly practicing incident response procedures for different types of attacks.
Among other things, the IRP should help direct the team on mitigation efforts. Mitigation efforts are facilitated through measures such as contingency planning, robust data backup, and recovery processes. These are areas that the school board or superintendent should not be thinking about for the first time when a security incident occurs. For example, knowing that you have a backup of student data is not enough; regularly making sure you are able to restore from backups while maintaining integrity is key to minimizing disruption to the district.
There is a lot that can be said about steps to take toward preparedness and IRP development, but the point is that these are examples of measures that can be implemented more quickly and at less cost to help a district affected by a breach. Importantly, they can minimize the impact of the breach on the district and get kids back in the classroom more quickly.