A tour through the busy halls and classrooms of our K-12 public schools would not reveal any clues to the underlying threat they face daily from cyber threat actors intent on disrupting the digital safety and security of students, staff, and their data. K-12 schools have emerged in the past several years as one of the most frequently targeted of our public institutions in the United States. While the hardworking IT and cyber professionals in this sector have made great strides in applying effective cyber defenses, more can be done. The Multi-State Information Sharing and Analysis Center (MS-ISAC) produced our first K-12 Report as a way for K-12 leaders to better understand their cyber risk and take decisive actions to mitigate it.
At the MS-ISAC, we have a unique vantage point to view the cybersecurity challenges and threats faced by various critical infrastructure sectors among state and local governments in the U.S. We manage the largest cyber threat database on U.S. State, Local, Tribal, and Territorial (SLTT) governments, informed by telemetry from thousands of sensors deployed across SLTT networks, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and more than 200 threat intelligence sources. We process more than 100 petabytes of data each month – the equivalent of two billion four-drawer filing cabinets full of information related to the cybersecurity of state and local governments. While our more than 3,700 K-12 school and district members are among the most highly targeted, they are also among the most active segment of our 14,000 organizational members in the MS-ISAC. Given the cyber threat they face, they have to be.
The cybersecurity threat to K-12 schools is persistent, and the potential harm of cyber attacks threatens both the vital work of our education system and the data security of an entire generation of young Americans. Ransomware remains the most impactful cybersecurity threat to K-12 schools, often resulting in significant financial loss and taking schools offline for days. Some K-12 ransomware attacks have taken months to fully remediate. Cyber threat actors’ demands seemed to have increased over time, with ransom demands exceeding $1 million in some cases. The MS-ISAC has observed cyber threat actors emailing students, parents, and faculty to heighten the pressure on schools to pay. Our report provides further details about the top malware threats to K-12 schools and how threat actors commonly breach their cyber defenses.
So just how prepared are our K-12 schools to face this massive threat? The answer is not as encouraging as we’d like to see. In the 2021 Nationwide Cybersecurity Review (NCSR), a risk-based assessment that gauges cybersecurity preparedness, K-12 schools showed year-to-year improvements but an overall average cyber maturity score of 3.55 out of 7. That is not a passing grade by classroom standards. K-12 respondents to the NCSR reported a lack of sufficient funding as one of their top challenges, with nearly one fifth of schools spending less than one percent of their overall IT budget on cybersecurity. While 29 percent of MS-ISAC K-12 member schools reported they had been victims of a cyber incident, more than a third of K-12 members reported that they did not have an established cyber incident response plan to respond to such an event. Clearly, more should be done to protect our K-12 schools and the students they support.
The MS-ISAC recommends K-12 schools take five decisive steps to effectively address their cyber risk. First, it is important to join a community of peer organizations similarly committed to cybersecurity. At the MS-ISAC, we believe that we are better when we work together, and we offer K-12 schools numerous ways to collaborate with one another, including our active MS-ISAC K-12 Working Group. Second, we recommend that schools complete a cybersecurity assessment so they can benchmark and improve upon their cybersecurity posture over time. We recommend the comprehensive and informative Nationwide Cybersecurity Review as the best measure of cybersecurity preparedness. For those schools looking for an abbreviated preparatory step to the NCSR, we recommend the 32-question Foundational Assessment, available by contacting firstname.lastname@example.org. Third, we recommend K-12 schools complete Implementation Group 1 (IG1) of the CIS Critical Security Controls, a step that has proven effective in defending against up to 86 percent of common cyber attacks. Fourth, we recommend that schools have some means of receiving regular cyber threat intelligence, like the MS-ISAC Indicator Sharing Program. You can only be fully prepared for the cyber threats you know about. Lastly, we recommend that K-12 schools implement an intrusion detection system (IDS) and endpoint detection and response (EDR) to effectively protect their IT environments. Many schools are leveraging solutions offered through the MS-ISAC to fortify their cyber defenses, like Albert Network Monitoring and Management and Endpoint Security Services (ESS). The MS-ISAC’s Malicious Domain Blocking and Reporting (MDBR) DNS security solution, available at no cost to K-12 public schools, has also been highly effective at preventing cyber attacks, blocking an average of more than 624,000 malicious DNS requests for each K-12 entity enrolled in the service.
Cybersecurity is a race without a finish line, and K-12 schools have the daunting task of keeping up with the persistent cyber threat with limited resources. At the MS-ISAC it is far more than just our mission to come alongside state and local government institutions like K-12 public schools; it is our honor to serve organizations that do so much to serve us. We owe it to our school administrators, teachers, and students to ensure they are cyber secure and the ever-important work of education can continue without disruption.