By Patrick Massey, CISA Region 10 Regional Director
The relationship Americans have with the schools their children attend has changed dramatically over the last few years. Now, parents and students alike are interacting with schools and teachers online in a variety of new ways.
From online grading and information on class assignments, to instructor communication, paying lunch balances, and scheduling classes, we have never been more electronically connected to our schools.
While these advances have brought about great conveniences and made education more accessible and effective, malicious cyber actors are hard at work trying to exploit vulnerabilities in these systems, threatening our nation’s ability to educate our children.
The Cybersecurity and Infrastructure Security Agency (CISA) has developed resources to help K-12 schools and school districts address its cybersecurity risk. We also offer simple steps school leaders can take to strengthen their cybersecurity efforts and fight this growing threat.
Schools and districts are particularly vulnerable to cyberattacks and are an especially lucrative and vulnerable target given the presence of sensitive student and staff data. Impacts from cyberattacks have ranged from restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to personal information.
CISA recognizes that many K-12 entities don’t often have the resources needed to defend themselves from cyber threats, like ransomware attacks. They are what we refer to as “target rich and cyber poor.”
To address these issues, CISA provides three recommendations to help K-12 leaders build, operate, and maintain resilient cybersecurity programs:
- Invest in the most impactful security measures and build toward a mature cybersecurity plan. See: Cross-Sector Cybersecurity Performance Goals | CISA
- Recognize and actively address resource constraints.
- Focus on collaboration and information-sharing. Consider joining the Multi-State Information Sharing and Analysis Center: MS-ISAC (cisecurity.org)
Additionally, CISA recently released a report, “Partnership to Safeguard K-12 Organizations from Cybersecurity Threats,” with an accompanying toolkit to give schools targeted resources to improve their cybersecurity.
The report provides recommendations and resources to help K-12 schools and school districts effectively reduce their cyber risk.
The toolkit aligns resources and materials to each of CISA’s three recommendations along with guidance on how schools can implement each recommendation based on their current need. The toolkit also details free cybersecurity trainings and resources available for the K-12 community.
This report is only a starting point. CISA will continue to engage with federal partners, including the U.S. Department of Education, and work closely with state and local officials, school leaders, and the private sector to identify areas for progress and provide meaningful support that measurably reduces risk.
We hope that leaders in the K-12 community—including superintendents, district and school administrators, school boards, and state policymakers—will take advantage of this report and toolkit to better understand their cyber risks and take basic steps to reduce that risk.
There is no more important institution to the future prosperity and strength of the United States than our nation’s K–12 education system. CISA stands ready to partner with schools to improve your cyber defenses and resiliency.
For more information or assistance, please contact the Northwest regional office for CISA at CISARegion10@cisa.dhs.gov
Patrick J. Massey Regional Director CISA Region 10
Patrick Massey serves as the Regional Director of the Cybersecurity and Infrastructure Security Agency (CISA) Region 10 office in Seattle. Prior to joining CISA in 2016, Mr. Massey served for twenty years with the Federal Emergency Management Agency (FEMA) including as the Director, National Preparedness Division. He also served as a U.S. Army Officer in Germany and the First Gulf War.