Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Risk Management

CISA Provides Resources for Securing K-12 Education System

CISA has published a report detailing the cybersecurity risks to the K-12 education system and recommendations on how to secure it.

The US Cybersecurity and Infrastructure Security Agency (CISA) this week published a report detailing the cybersecurity risks the K-12 education system faces, along with recommendations on how to secure it.

Over the past four years, there have been thousands of cyber incidents involving K-12 institutions, where threat actors targeted school computer systems to deploy ransomware, disrupt access, render systems unusable, and steal sensitive information on students and employees, including financial and medical information, and employee Social Security numbers.

The K-12 Cybersecurity Act of 2021 instructed CISA to review the cyber risks to elementary and secondary school, evaluate challenges schools and school districts face in securing information systems, to provide recommendations on improving the protection of these systems, and to develop an online training toolkit for school officials.

Discussions with stakeholder groups relevant to the K-12 education community revealed that the majority of them do not have the time or resources to secure information systems and sensitive student and employee records, or to implement cybersecurity protocols.

“Most reported that the breadth of available cybersecurity information—news coverage, conference panels, webinars, and more—only made matters more complicated. Nearly all reported that they needed simplicity, prioritization, and resources targeted to the unique needs and context of K-12 organizations,” CISA’s report reads (PDF).

According to CISA, “with finite resources, K-12 institutions can take a small number of steps to significantly reduce cybersecurity risk,” such as deploying multi-factor authentication (MFA), patching known vulnerabilities, creating backups, and implementing cyber incident response plans and cybersecurity training programs.

Advertisement. Scroll to continue reading.

The agency’s incursion into the cybersecurity stance of the K-12 education system has revealed that many school districts struggle with insufficient IT resources and cybersecurity capacity, which can be addressed by using free or low-cost services, by asking technology providers for strong security controls at no additional cost, by migrating IT services to more secure cloud versions, and by taking advantage of the State and Local Cybersecurity Grant Program (SLCGP).

CISA also notes that K-12 entities cannot singlehandedly identify and prioritize emerging threats, risks, and vulnerabilities, recommending that they join relevant collaboration groups, work with other information-sharing organizations, and collaborate with CISA and FBI regional cybersecurity personnel.

The agency recommends that all K-12 institutions start by investing in the most impactful security measures, which will allow them to eventually migrate to a mature cybersecurity plan. They should also prioritize investments in line with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).

CISA’s Digital Toolkit contains resources and materials in line with these recommendations, as well as guidance on how stakeholders can implement each recommendation. The toolkit also includes additional resources to help stakeholders build, operate, and maintain a resilient cybersecurity program at their institution.

Related: CISA Updates Infrastructure Resilience Planning Framework

Related: CISA Releases Decision Tree Model to Help Companies Prioritize Vulnerability Patching

Related: CISA Urges Organizations to Implement Phishing-Resistant MFA

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

Mark Carter has been appointed Chief Information Security Officer at Socure.

Spektrum Labs has named Mark Cravotta Chief Operating Officer.

More People On The Move

Expert Insights

Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.