Privacy & Security

3 Ways Schools Can Reduce Cybersecurity Risks

By Lauraine Langreo — January 25, 2023 4 min read
Illustration of Internet network data computer laptop security shield and lock symbol.
  • Save to favorites
  • Print

Cyberattacks are now a daily threat for K-12 schools, but new guidance from the federal Cybersecurity and Infrastructure Security Agency provides “simple, prioritized actions” schools can take to protect against these threats.

Recommendations include investing in “impactful security measures,” building toward a “mature cybersecurity plan,” taking advantage of different grant programs that reduce the cost of cybersecurity efforts, and working together to share information.

The report comes more than a year after the K-12 Cybersecurity Act of 2021 was signed into law. It established a K-12 cybersecurity initiative and required CISA to publish a report on the risks K-12 schools face, along with recommendations and resources to help schools reduce risks and maintain resilient cybersecurity programs.

It also comes as cyberattacks on schools have increased in recent years, with schools’ use of technology growing as cyber criminals become more sophisticated. Most recently, the Des Moines public school district, the largest in Iowa, was a victim of a cyberattack on Jan. 9, which led to the district’s servers being shut down and classes being canceled for two days.

Keith Krueger, the CEO of the nonprofit Consortium for School Networking, praised the report and its recommendations, calling it “a powerful step forward.” Krueger said he especially appreciates the report’s suggestion to leverage available grant programs, such as the Federal Communications Commission’s E-Rate program.

CISA, through listening sessions with K-12 leaders, found that there’s a shortage of cybersecurity professionals in K-12 institutions; there’s a need for clear, easily adoptable guidance; there’s a need for centralized governance to help with resource allocation; and there needs to be more effective oversight and accountability.

To address those challenges, CISA recommended these key steps:

  • Implement effective security measures: This includes using multi-factor authentication, fixing known security flaws, developing an incident response plan, and implementing a training and awareness campaign. It also means using CISA’s cybersecurity performance goals and the National Institute of Standards and Technology’s cybersecurity framework.
  • Address resource constraints: States and districts can do this by leveraging the State and Local Cybersecurity Grant Program, which requires states or districts to establish a cybersecurity planning committee to develop a cybersecurity plan. The report also suggested using the FCC’s E-rate program, which subsidizes telecom and broadband-related services for schools.
  • Focus on collaboration: K-12 districts should join information-sharing forums, such as the Multi-State Information Sharing and Analysis Center and the K-12 Security Information Exchange. Districts should also build a relationship with their regional CISA adviser and local FBI field office.

See Also

Image shows a glowing futuristic background with lock on digital integrated circuit.
iStock/Getty Images Plus
Privacy & Security Explainer School Cyberattacks, Explained
Alyson Klein, February 11, 2022
12 min read

Tony Dotts, the network systems administrator for Illinois’ Community High School District 99, said the recommendations seem feasible.

The steps to securing K-12 districts’ networks are “not always necessarily technical in nature,” Dotts said. “Things like implementing [multi-factor authentication], while they have a technical side to them, a lot of that really comes down to getting buy-in from your admin, from your superintendent, and others. Implementing change is probably the more complicated piece than the technical aspects.”

For example, if a district is already using Google as its email system, it can easily implement multi-factor authentication because it’s already something Google offers, Dotts said. “A lot of it is really just getting buy-in for procedural changes,” he added.

Doug Levin, the national director of the K12 Security Information Exchange, a nonprofit focused on helping schools prevent cyberattacks, said he has heard similar challenges from other district technology leaders.

“We hear time and time again of school district IT leaders who are trying to do the right thing for their school communities and implement some of these protections, but then get stymied by their leadership who has other priorities [and] is maybe not willing to let anyone be inconvenienced, even though that inconvenience could mean the difference between a ransomware incident or not,” Levin said.

The CISA report will hopefully help other K-12 district leaders, as well as policymakers, understand “the risks and risk mitigations that school districts really can and should be putting in place,” he added.

While this is a landmark report, experts say there is still a long way to go to help the K-12 community.

Levin said he would have liked to see a “stronger call for additional resources” and funding, as well as “a call for a stronger role for the U.S. Department of Education,” which is supposed to be playing a role in helping school systems ward off cybersecurity threats, according to the Government Accountability Office.

See Also

Image of lock on binary code background.
DigitalVision Vectors/Getty

Related Tags:


This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Student Achievement Webinar
How To Tackle The Biggest Hurdles To Effective Tutoring
Learn how districts overcome the three biggest challenges to implementing high-impact tutoring with fidelity: time, talent, and funding.
Content provided by Saga Education
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Student Well-Being Webinar
Reframing Behavior: Neuroscience-Based Practices for Positive Support
Reframing Behavior helps teachers see the “why” of behavior through a neuroscience lens and provides practices that fit into a school day.
Content provided by Crisis Prevention Institute
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Mathematics Webinar
Math for All: Strategies for Inclusive Instruction and Student Success
Looking for ways to make math matter for all your students? Gain strategies that help them make the connection as well as the grade.
Content provided by NMSI

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Privacy & Security A New Federal Taskforce Targets Cybersecurity in Schools
The “government coordinating council" aims to provide training, policies, and best practices.
3 min read
Illustration of computer and lock.
iStock / Getty Images Plus
Privacy & Security Q&A Why One Tech Leader Prioritizes Explaining Student Data Privacy to Teachers
Jun Kim, the director of technology for an Oklahoma school district, helped build a statewide database of vetted learning platforms.
3 min read
Jun Kim, Director of Technology for Moore Public Schools, poses for a portrait outside the Center for Technology on Dec. 13, 2023 in Moore, Okla.
Jun Kim, is the director of technology for the Moore school district in Moore, Okla., He has made securing student data a priority for the district and the state.
Brett Deering for Education Week
Privacy & Security A Massive Data Leak Exposed School Lockdown Plans. What Districts Need to Know
More than 4 million records held by school safety software company Raptor Technologies were left inadvertently exposed online.
5 min read
Concept image of security breach, system hacked alert with red broken padlock icon showing vulnerable access.
Nicolas Herrbach/iStock/Getty
Privacy & Security As Cyberattacks Mount, Lawmakers Double Their Efforts to Protect Schools
But the legislative push is not matched by funds to build better cyber defenses.
2 min read
Conceptual illustration of computer with a pixelated lock on screen.
Nanzeeba Ibnat/iStock/Getty Images Plus