Having endured a tough environment of remote learning and, in some places, mixed virtual and in-person schooling, K-12 school systems have also been seeing a steady increase in cyberattacks. The "new normal" that students, parents, teachers and school administrators are navigating has opened many avenues for cybercriminals to launch ransomware attacks or try to steal funds or data. Nothing is off-limits anymore, and malicious cyber-actors are targeting K-12 schools just as much as any other company or organization.

These elevated threats have prompted the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) to issue a Joint Cybersecurity Advisory. From ransomware and malware to video conference disruptions and social engineering threats, the Advisory raises awareness and highlights the urgent need for K-12 schools to be prepared and act on these threats.

The education sector has traditionally been underserved on cybersecurity. With that gap now compounded by resource limitations and overstretched school systems, it's easy to see why cybercriminals are seeing success targeting K-12 schools.

Despite what appears to be a daunting threat environment, in our experience K-12s can take elementary steps to better position themselves to handle cyberthreats. Cybersecurity, like schooling, is about continuous improvement and learning. To that end, K-12 schools can start with simple steps to evaluate their cybersecurity posture and focus on manageable activities aimed at reducing risks.

Risk Assessment

A key component of good cybersecurity is performing an overall risk assessment. Much like a teacher assessing a student and creating an educational curriculum, schools can use a risk assessment to assess their posture and create a roadmap for handling cybersecurity challenges.

A risk assessment can help schools identify critical assets, prioritize risks associated with those assets, conduct cost-benefit analyses, identify security controls and vulnerabilities and even establish a plan for cybersecurity improvement. For example, the switch to distance learning and video-based tools has led to new threats like disrupted live-video classroom sessions. Understanding the risks inherent to distance and video learning can help schools and educators be prepared to handle disruptions.

Security Framework and Controls

We are also proponents of using security frameworks, which provide a baseline set of technical and organizational measures a school can adopt. A framework will include controls, policies, procedures and processes that address privacy and security (among other things). Adopting a security framework has the benefit of relying on industry experience and expertise.

Frameworks such as the US National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) or the Center for Internet Security's CIS 20 Controls are commonly used, and adopting one can help schools prioritize activities, simplify their decision making and determine appropriate security controls.

Training

Teachers and school administrators are well aware of the importance of training to create quality educators. Similarly, training on cybersecurity is essential to creating a resilient organization. An organization's personnel are the first line in defending against cyberthreats. Training personnel to identify cyberthreats and to know how to react can significantly mitigate and even thwart cybersecurity attacks.

K-12 schools should consider providing training on fundamental topics like phishing, ransomware, social engineering and other common cybersecurity best practices. For example, do personnel in the organization know how to spot a phishing email? Do they know the common best practices for passwords? Do they know the common privacy issues related to student data and how to prevent them?

An organization with trained personnel is a simple and crucial component of overall cybersecurity resilience.

For more information on how your school can prepare for and respond to cyberattacks, consult Ice Miller's Data Security and Privacy team. Guillermo Christensen, a former CIA intelligence officer and a diplomat with the U.S. Department of State, is a partner in the Data Security and Privacy and White Collar practice based in DC and New York. Sid Bose, a former IT systems engineer, is an associate in the Data Security and Privacy practice, focusing on various data security, privacy and compliance matters.

This publication is intended for general informational purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstance.