K-12 Cybersecurity Megatrends

NetAlly is proud to have partnered with K12Leaders¹ in the just released “A Framework for K-12 Cybersecurity: Practical Guidance for K-12 Leaders and Teams” resource guide which you can download here. Packed with tons of outstanding information, it’s an excellent “go-to” resource for teams responsible for all aspects of cybersecurity in K-12 organizations and beyond, including higher education.

That said, while you look to find time to read the entire document, I’ve gone ahead and summarized some key takeaways in a series of three blogs. Let’s jump right in with the first blog, “K-12 Cybersecurity Megatrends”.

K-12 Cybersecurity is Different

Effective K-12 cybersecurity in an educational environment demands a paradigm shift. Why? Because unlike any other environment, everything revolves around learning. Having spent years serving in the academic world, I can speak from first-person experience. Successful learning requires erring on the side of student access and keeping their needs front and center. Of course, this does not mean you can drop your guard or security defenses, but it does mean feet-on-the-street coaching and guidance on cybersecurity best practices that actually work in the classroom are essential. A couple of examples:

• Test policies in limited rollouts before districtwide adoption
• In-person faculty and staff training are better than webinars
• IT staff provide “walk-up” help

There are material up-front costs, but as the paper calls out:

Deteriorating Threat Landscape

As with most organizations, when it comes to threats ransomware is front and center with the attack vector remaining phishing attacks. Malefactors know overworked teachers and faculty get tons of emails from many sources (e.g., parents, community stakeholders), so they are more likely to open and then click on links. Now add new vectors like Smishing (text-based scams) and voice phishing (AI-generated calls) from everyone or anyone, even “Principles” or other “Teachers”!

Attacks fall into three broad categories:

1. External actors – The typical troublemakers including ransomware gangs and criminal groups who target school districts as they know there are limited staff often lacking in the latest tools because of budgetary constraints
2. Internal missteps – staff forwarding malicious emails “for verification” or students experimenting with hacking tools (students are amazingly clever and knowledgeable)
3. Unsecured devices – The bane of every K-12 IT staff member, rogue access points, personal hotspots, and IoT gadgets appearing on networks daily often from students and teachers with no malice but still potentially serious negative security consequences

The Growing Importance of Cybersecurity Frameworks

In time’s past, for many school districts (especially smaller ones), cybersecurity frameworks were a nice-to-have but viewed as too complicated. Others took the approach of attempting to rigorously implement the more stringent frameworks like NIST 800-53. Now, the trend is not too hot (rigorous) or too cold (nice-to-have), but rather something in between. For smaller districts, this might mean implementing CIS Critical Controls IG1² which a smaller staff can manage, such as:

• Inventorying all devices — including Chromebooks and IoT sensors
• Securing default configurations
• Enabling MFA for administrators and sensitive apps
• Backing up critical systems daily

Whereas larger districts with bigger teams could add in MITRE ATT&CK³ concepts to better understand adversary behavior to help staff learn what “normal” vs. “malicious” network behavior can look like.

Summary

This first in a series of blogs highlights important sections of the A Framework for K-12 Cybersecurity: Practical Guidance for K-12 Leaders and Teams resource guide. Stay tuned for more details on additional chapters in upcoming blogs.

Additional Resources

Check out this helpful content:

• Overcoming K-12 Budget Challenges with E-Rate
• K-12 Primary/Secondary Education
  

¹K12Leaders
²CIS Controls Navigator v8.1
³MITRE ATT&CK®