U.S. K-12 schools and the 50 million students served by its institutions are confronting more cyberattacks than ever before, according to the Cybersecurity and Infrastructure Security Agency.
The amount of incidents have consistently grown each year, from fewer than 100 in 2016 to more than 1,300 incidents in 2021. The pace of attacks jumped at least threefold between 2018 and 2021, CISA said in a report published Tuesday.
That’s just the incidents that have been reported through 2021.
CISA identified six security measures it considers the most impactful for K-12 schools:
- Multifactor authentication
- Vulnerability patches
- Perform and test backups
- Minimize exposure to common attacks
- Develop and exercise an incident response plan
- Create a training and awareness campaign
The recommendations are an effort it described as a “starting point” for what has become an “untenable burden on our educational institutions and the populations that they serve and protect,” CISA said.
The federal agency presented the first set of steps as prelude to investments K-12 schools should make to align with CISA’s cybersecurity performance goals. The 37 voluntary goals are a “floor, not a ceiling” for reducing cyber risk, and offer a roadmap for under-resourced organizations.
CISA acknowledged K-12 schools are resource constrained, adding “most school districts are doing a lot with a little.” Insufficient funding and IT staffing levels create challenges that could blunt any progress on CISA’s recommendations.
“There is a clear need for increased cybersecurity budgeting and support mechanisms across the community,” CISA said in the report. “This resource shortfall is a major constraint to implementing effective cybersecurity programs across all K-12 entities.”