Security Trends

Cybersecurity Training Elusive in K–12

K-12 educators haven't, for the most part, received basic cybersecurity training. Just 43 percent said their schools had provided such training, while 48 percent said they hadn't and eight percent said they didn't know or weren't sure. And even though 54 percent of teachers said they were using personal devices for remote learning, a third (35 percent) reported that their school or district hadn't provided any guidelines or resources for protecting those devices.

Those data points surfaced in a survey undertaken for IBM Security by Morning Consult. The survey received responses from 1,000 U.S. educators and 200 administrators in both K-12 and higher education. The goal was to better understand the level of cybersecurity awareness, preparedness and training within schools during the shift to remote schooling.

The survey, which was undertaken in October 2020, was accompanied by an IBM announcement of in-kind grants valued at $3 million to help strengthen cybersecurity in schools.

Most K-12 educators also said they weren't particularly concerned about their schools becoming the target of a cyberattack in the future. While 43 percent of teachers said they were "very" or "somewhat" concerned about a security event occurring, a larger share--55 percent--said just the opposite. (The remaining three percent expressed uncertainty.) Among K-12 administrators, the proportion of people who were concerned at some level was slightly higher--49 percent--with the same percentage saying they weren't concerned.

Yet when asked what their largest concerns were as a result of a ransomware attack at their schools, two-thirds of teachers (65 percent) mentioned worries about personal data of educators being compromised. Disruption of classes was also high on the list of concerns (referenced by 64 percent), as was being unable to communicate with students (63 percent). Among administrators, the biggest worry was the personal data of students being compromised, listed by 78 percent of respondents. Tied for second were an inability to access email and disruption of classes (both 71 percent). Compromise of educator data came in fourth, referenced by 69 percent.

The survey found high numbers of K-12 teachers unfamiliar with the various forms of cyberattacks. For example, 48 percent of K-12 educators said they had no familiarity with "videobombing." Likewise, the same percentage said they didn't know what denial-of-service attacks were. Four in 10 (41 percent) were unfamiliar with ransomware attacks. More K-12 educators knew something about data breaches (75 percent) and phishing scams (79 percent).

The greatest worry among the K-12 segment was a data breach affecting schools, mentioned by 47 percent of respondents. That was followed by phishing scams, referenced by 44 percent. Among K-12 administrators, specifically, phishing scams dominated the list of concerns (mentioned by 55 percent), followed by data breaches (52 percent).

Administrators were more likely than teachers to say their schools had been hit by a cyberattack, 14 percent compared to nine percent. But confidence was high among both groups that their school or district would be able to manage the consequences of a cyberattack; 72 percent of teachers and 82 percent of administrators said they were "very" or "somewhat" confident of the response.

The biggest barrier to implementing stronger cybersecurity initiatives came down to money. Fifty-three percent of K-12 educators said budget was a "large" or "medium" barrier, while 45 percent referenced either skills or availability of technology, 43 percent designated education and 41 percent cited awareness. Budget was also pinpointed as the big barrier among K-12 administrators (cited by 63 percent), versus availability of technology (45 percent) or skills (44 percent). Awareness and education were also mentioned by 43 percent of K-12 administrators as additional hurdles.

To address the budget shortfall in K-12, IBM has begun a new education cybersecurity grant that will help U.S. public school districts better prepare for cyberattacks, including ransomware. A total of six grants of in-kind services, valued at $500,000 each ($3 million in total), will be awarded in 2021 to school districts that apply for the grant via an IBM landing page. Applications are being taken until Mar. 1, 2021, and recipients will be announced shortly after. School districts will be selected to receive the grant based on their level of cybersecurity needs and how they meet the criteria outlined by IBM. Rather than direct funding, the winning school systems will receive resources and hours performed by IBM Service Corps teams of six to 10 people. Volunteers will provide services such as developing incident response plans, providing basic cybersecurity training such as password hygiene and implementing strategic communication plans to use in response to a cyber incident.

"Ransomware attacks on schools have become the new snow day for students," said Christopher Scott, director of security innovation in IBM's Office of the CISO, in a statement. "Stay-at-home orders, and the switch to remote learning, have changed the focus for cybercriminals looking for easy targets as everyone from kindergartners to college professors have adopted remote technologies. And with budgets focused on new ways of learning, many schools are in need of additional resources and technology to change the dynamic and lower the financial ROI for the bad guys targeting them."

The complete results of the survey are openly available on the IBM website.
