Cybersecurity Top K–12 IT Priority with Lousy Follow Through

Most K-12 districts lack a dedicated cybersecurity staffer. According to a recent survey by the Consortium for School Networking (CoSN), 23% of school systems have a full-time employee dedicated to network security. The survey among 390 participants found that urban districts were the most likely (41%) to have a cybersecurity specialist on staff, while rural and town districts were least likely (each with 15%); 19% of suburban districts reported a specialist.

The "Ed Tech Leadership Survey Report" found that the lack of a dedicated position was made up for in 53% of districts by spreading the responsibility across several roles. A third (32%) combined network security with one other position. Six percent outsourced the work. And six percent dealt with incidents in an "ad hoc" manner, which the report called "arguably the worst approach to adopt." Without a "formal [security] strategy," author Paula Maylahn noted, "they put themselves, their students' data, and staff's data at risk."

Cybersecurity training isn't readily adopted by schools. Half of districts said they require training for all staff, with another 18% planning to do so. A sliver of respondents said teachers are currently or will be required to be trained (3%) and only 2% said the same about administrators and support staff. This too is far from being best practice. As the report noted, "TRAIN, TRAIN, TRAIN! Make sure everyone knows security awareness is their job and who to talk to if they make a mistake."

One bright spot is that backup and offsite storage are in use by more than seven in 10 districts (72%). However, the report added, those practices in themselves won't stop attacks. Among the strategies in use in K-12:

  • Training IT staff, used by 70% of respondents;

  • Regular updating of passwords (63%);

  • Using cybersecurity software (63%);

  • Using intrusion detection (54%);

  • Using encryption (43%);

  • Running cybersecurity audits (41%);

  • Developing formal cybersecurity plans (41%);

  • Including security safeguards in vendor negotiations (37%);

  • Using two-factor authentication (29%);

  • Pulling together a cybersecurity team (22%);

  • Creating a cybersecurity line-item in the budget (18%); and

  • Using more complex encryption (18%).

In spite of evidence that the education sector is a ripe target for criminal exploitation, 84% of district IT leaders don't rate cybersecurity as a big risk. As the survey found, not a single type of threat received a high-risk rating by a majority of participants -- not even phishing, which just 16% rated as a high risk and 29% rated as a medium/high risk. More than half of the respondents (54%) said they had a "relatively high degree of confidence" in their abilities to address cybersecurity events as they surfaced.

One level of preparation was the purchase of cybersecurity insurance, which is on the rise. While 18% of districts bought dedicated policies in 2020, that shot to 32% in 2021. At the same time, including such coverage as part of an umbrella policy declined, from 56% to 49%. The report suggested that the decline was possibly due to "limitations found in umbrella policies, which tend to provide inadequate coverage for a cybersecurity incident." Choosing a dedicated cybersecurity policy, however, comes with greater responsibility, the report stated: "Cybersecurity insurers may demand greater 'cyber hygiene' from the policy holder and stipulate conditions, such as regular phishing security tests or use of multifactor authentication." Also, the cost is going up as the number of attacks on K-12 rise. Still, the number of school systems that don't purchase cybersecurity insurance fell from 20% last year to 12% this year.

This year's CoSN survey and report were conducted with the support of CDW•G and the Ed-Fi Alliance, and in partnership with AASA, The School Superintendents Association, MDR and Forecast5 Analytics. The report is openly available through the CoSN website.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • Stylized illustration of an AI microchip connected to a laptop, server rack, and monitor with a chart

    HPE and Nvidia Expand AI Infrastructure Partnership

    Hewlett Packard Enterprise and Nvidia have announced an expanded partnership to accelerate enterprise artificial intelligence adoption through new modular infrastructure and turnkey AI platform offerings.

  • shield with an AI microchip emblem hovering above stacks of gold coins

    Report: AI Security Spend Surges While Traditional Security Budgets Shrink

    A new report from global cybersecurity company Thales reveals that while enterprises are pouring resources into AI-specific protections, only 8% are encrypting the majority of their sensitive cloud data — leaving critical assets exposed even as AI-driven threats escalate and traditional security budgets shrink.

  • digital learning resources including a document, video tutorial, quiz checklist, pie chart, and AI cloud icon

    Quizizz Rebrands as Wayground, Announces New AI Features

    Learning platform Quizizz has become Wayground, in a rebranding meant to reflect "the platform's evolution from a quiz tool into a more versatile supplemental learning platform that's supported by AI," according to a news announcement.

  • teen studying with smartphone and laptop

    OpenAI Developing Teen Version of ChatGPT with Parental Controls

    OpenAI has announced it is developing a separate version of ChatGPT for teenagers and will use an age-prediction system to steer users under 18 away from the standard product, as U.S. lawmakers and regulators intensify scrutiny of chatbot risks to minors.