Cybersecurity Top K–12 IT Priority with Lousy Follow Through
By Dian Schaffhauser
06/01/21
Most K-12 districts lack a dedicated cybersecurity staffer. According
to a recent survey by the Consortium for School Networking (CoSN), 23%
of school systems have a full-time employee dedicated to network
security. The survey of 390 participants found that urban districts
were the most
likely (41%) to have a cybersecurity specialist on staff, while rural
and town districts were least likely (each with 15%); 19% of suburban
districts reported a specialist.
The "Ed Tech Leadership Survey Report" found that the lack of a
dedicated position was made up for in 53% of districts by
spreading the responsibility across several roles. A third (32%)
combined network security with one other position. Six percent
outsourced the work. And six percent dealt with incidents in an "ad
hoc" manner, which the report called "arguably the worst
approach to adopt." Without a "formal [security] strategy,"
author Paula Maylahn noted, "they put themselves, their
students' data, and staff's data at risk."
Cybersecurity training isn't readily adopted by schools. Half of
districts said
they require training for all staff, with another 18% planning to do
so. A sliver of respondents said teachers are currently or will be
required to be trained (3%) and only 2% said the same about
administrators and support staff. This too is far from being best
practice. As the report noted, "TRAIN, TRAIN, TRAIN! Make sure
everyone knows security awareness is their job and who to talk to if
they make a mistake."
One bright spot is that backup and offsite storage are in use by more
than seven in 10
districts (72%). However, the report added, those practices in
themselves won't stop attacks. Among the strategies in use in K-12:
- Training IT staff, used by 70% of respondents;
- Regular updating of passwords (63%);
- Using cybersecurity software (63%);
- Using intrusion detection (54%);
- Using encryption (43%);
- Running cybersecurity audits (41%);
- Developing formal cybersecurity plans (41%);
- Including security safeguards in vendor negotiations (37%);
- Using two-factor authentication (29%);
- Pulling together a cybersecurity team (22%);
- Creating a cybersecurity line-item in the budget (18%); and
- Using more complex encryption (18%).
In spite of evidence that the education sector is a ripe target for
criminal exploitation,
84% of district IT leaders don't rate cybersecurity as a big risk. As
the survey found, not a single type of threat received a high-risk
rating by a majority of participants -- not even phishing, which just
16% rated as a high risk and 29% rated as a medium/high risk. More
than half of the respondents (54%) said they had a "relatively
high degree of confidence" in their abilities to address
cybersecurity events as they surfaced.
One level of preparation was the purchase of cybersecurity insurance,
which is on
the rise. While 18% of districts bought dedicated policies in 2020,
that shot to 32% in 2021. At the same time, including such coverage
as part of an umbrella policy declined, from 56% to 49%. The report
suggested that the decline was possibly due to "limitations
found in umbrella policies, which tend to provide inadequate coverage
for a cybersecurity incident." Choosing a dedicated
cybersecurity policy, however, comes with greater responsibility, the
report stated: "Cybersecurity insurers may demand greater 'cyber
hygiene' from the policy holder and stipulate conditions, such as
regular phishing security tests or use of multifactor
authentication." Also, the cost is going up as the number of
attacks on K-12 rises. Still, the number of school systems that don't
purchase cybersecurity insurance fell from 20% last year to 12% this
year.
This year's CoSN survey and report were conducted with the support of
CDW•G and the Ed-Fi Alliance, and in partnership with AASA, The School
Superintendents Association, MDR and Forecast5 Analytics. The report is
openly available through the CoSN website.
About the Author
Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.