K-12 schools are at a high risk of cyberattack, according to a new report from the Center for Internet Security, the Multi-State Information Sharing & Analysis Center, and the Nationwide Cybersecurity Review.

The report states that attackers are highly likely to target K-12 school districts and associated data in the 2022-2023 school year, either as part of financially motivated cybercrime or via hacktivist-driven campaigns. Many K-12 school districts are data-rich and resource-poor, making them attractive targets for financially motivated attackers, such as ransomware operators, and relatively easy targets for hacktivists, those who break into computer systems.

The K-12 community displayed an overall average maturity score of 3.55 out of seven. Results from the Nationwide Cybersecurity Review (NCSR) risk-based assessment show that the K-12 sector is improving in its cybersecurity, though it lags behind other sectors in cybersecurity program maturity.

The top five security concerns for K-12 schools include:

  • Lack of sufficient funding – The average K-12 school allocated 8% or less of its IT budget to cybersecurity, with 19% dedicating less than 1% of their IT budget.
  • Increased sophistication of threats – 29% of K-12 institutions reported being a victim of a cyber incident.
  • Lack of documented processes – 37% of schools did not have an incident response plan.
  • Lack of a cybersecurity strategy – Some 83% of organizations had cyber insurance to mitigate their cyber risk; 81% had not fully implemented multi-factor authentication (MFA); 29% had not implemented MFA on any systems.
  • Inadequate availability of cybersecurity professionals – 49% of schools have between one and five cyber/IT employees.

In 2020, the Cybersecurity Coalition submitted comments to the Federal Communications Commission supporting the use of E-rate Category Two funding to cover the costs of network security software in the 2020 and 2021 funding years. The comments recommended that school districts be given the flexibility to select a variety of solutions, including endpoint, network, cloud, and device security solutions, as they tailor their cybersecurity protections to meet their unique risk profiles. The request was denied.

Recommendations

As K-12 organizations face increasingly sophisticated attacks, the report has five recommendations.

The full K-12 report can be downloaded here.

Zack Martin
