Don’t Get Schooled by Hackers

Cyber incidents in K-12 schools are on the rise. The total number of publicly reported cyber incidents in K-12 schools has risen significantly, affecting millions of students and school employees. Cyber incidents include data breaches, ransomware attacks, business email compromise scams, denial of service attacks, website and social media defacement, and online class and school meeting invasions.

Growing reliance on educational technology, including online maintenance of sensitive student and employee information, makes schools potentially vulnerable to hackers. School officials should implement cyber risk prevention measures, including preparing for a data breach.

Cyber Risk Prevention

In 2021, Congress enacted the K-12 Cybersecurity Act that directs the Cybersecurity and Infrastructure Security Agency (CISA) to study cybersecurity risks, evaluate challenges, and provide recommendations to K-12 schools to assist with building, operating, and maintaining efficient cybersecurity programs. Recently, CISA published a report outlining three key recommendations for K-12 schools:

  1. Invest in the most impactful security measures

Recognizing that schools have finite resources, CISA recommends schools first implement the most critical and cost-effective measures. For example, CISA recommends that schools implement multi-factor authentication to secure online accounts.

CISA also recommends that schools create a training and awareness campaign for all employees. Because many school employees have access to sensitive data, all employees should understand how to recognize and report suspicious cyber activity. CISA states that “[i]nvestment in training is just as important as investment in cybersecurity capabilities, tools, and solutions.” In furtherance of this goal, CISA provides free training resources.

  2. Focus on collaboration and information sharing

CISA emphasizes that it is critical for schools to report all cyber incidents to allow CISA to gather data, assist with responses, and alert other schools. If your school experiences a cyber incident, you can report it on CISA’s online incident reporting system. A collaborative approach better positions Michigan schools to combat cyber incidents.

  3. Recognize and actively address resource constraints

In CISA’s recent report, CISA identified several resources to assist K-12 schools with cyber risk prevention, including the State and Local Cybersecurity Grant Program. This program is a reimbursable pass-through grant for state and local government organizations to provide financial assistance for cyber risk prevention measures. In Michigan, this program is administered by the Cybersecurity and Infrastructure Protection division of the Department of Technology, Management & Budget in partnership with the Michigan Cybersecurity Planning Committee.

When contracting for educational technology services, schools should insist that vendors include strong security controls at no additional cost. For example, schools should insist that vendors enable phishing-resistant multi-factor authentication for all secure accounts.

Data Breach Response

A data breach is the unauthorized access and acquisition of data that compromises security or confidentiality. If a school experiences a data breach, it should promptly assess and investigate the breach, which may include contacting legal counsel, insurance carriers, and law enforcement. Schools that purchase cyber insurance should check their insurance policy for any additional requirements.

Michigan’s Identity Theft Protection Act requires school officials to notify each Michigan resident whose personal information was accessed and acquired by an unauthorized user, including encrypted data if the unauthorized user has access to the encryption key, and any other person or organization that owns or licenses data subject to a data breach affecting a Michigan resident. The notice must include:

  • a general description of the data breach;
  • the type of personal information accessed;
  • the school’s response to protect from further breaches;
  • a reminder for notice recipients to remain vigilant for incidents of fraud and identity theft; and
  • a telephone number where a notice recipient may receive assistance or additional information.

For Thrun Policy Service subscribers, this data breach response process is outlined in Policy 3110.

By incorporating CISA’s recommendations and complying with Michigan law, school officials will put their school in the best position to prevent and respond to cyber incidents.