In 2020, CoSN partnered with Security Studio (S2) to develop a free, entry-level risk assessment designed explicitly for K12 schools. This blog highlights what we have learned between May 2020 and May 2021. The assessment itself covers the following areas: background information, administrative controls, physical controls, and technical controls.
 
The data was collected from more than 120 school systems, ranging from districts with 16 students to districts with 350,000 students. The mean technology team size was 4 FTE. 15% of responding organizations indicated one or fewer full-time technology staff.
 
A Snapshot in Time: May 2021
  • Note: The data does not reflect or include the role of the responder. So, it’s possible that responders could have overestimated their degree of security based on their role in the organization.
  • The results are based on self-reporting and have not been validated.
School systems that used the Risk Assessment during this time period had a mean score of 636 out of 850, which the assessment’s rating scale labels as “progressing.” What does “progressing” mean?
  • Your edtech leadership team, school, or school system has done some good things concerning your information/cybersecurity. However, significant gaps/risks still exist. Some of the foundational components of the program are in place, and it’s time for the program to mature into a more formal initiative.
    • Note: this is the point in the program where information/cybersecurity efforts and investments need to provide real and tangible results. The question “where should we focus our time and investments?” needs to be answered with facts instead of gut instinct.
 
As is common in K-12 education, most schools and districts rank high in physical controls and are lacking in administrative and technical controls. If your school or school district is not already examining the areas below, we recommend broadening your scope to include them.
  • Risk Management: A majority of responding schools and districts do not have strong risk management programs. However, a small majority have cybersecurity liability insurance. Please note the risk assessment did not differentiate between full coverage and coverage under an umbrella plan.
  • Human Capacity: 76.8% of responding schools and districts indicate that someone is designated with the responsibility for cybersecurity; however, over half of those responding don’t have a formal cybersecurity program supported by leadership.
  • Employee Training: Employee training is one of the top steps a school or district can take to protect against cybersecurity incidents. Yet only 44.8% of respondents indicate they have any cybersecurity awareness or training program.
  • Administrative Rights: While over 70% of respondents report their users don’t have administrative rights on their machines, this is inconsistent with other K12 reporting sources and may indicate an area where the respondents made an incorrect assumption about the security of their systems. Access to privileged accounts and accumulation of rights across systems are both significant cybersecurity threats.
  • Encryption: During a cybersecurity incident that involves data theft or loss, encryption is considered the gold standard for avoiding having to declare a data breach. However, less than 35% of respondents use data encryption to protect data in transit and at rest.
  • Backups: While most respondents report conducting regular data and system backups, only about half of them test and validate their backups regularly. It is important to note that the risk assessment does not distinguish between air-gapped and online backups. Given the low rates of encryption at rest reported, it is unlikely that the majority of these respondents are encrypting their backups.
  • Independent Reviews: Upon reviewing the technical controls, the responses are higher than what has been observed when reviewing K12 organizations. These respondents may have overestimated their capabilities, given that only 28% of them have an outside independent party conduct security reviews, audits, or assessments annually.
So, What’s the Bottom Line?
The analysis of a year’s worth of aggregated risk assessments further verifies the results of the 2021 CoSN State of IT Leadership Report, which reported: “Specific cybersecurity risks are generally underestimated even though cybersecurity and the privacy/security of student data are the top two technology priorities.” Schools and school systems continue to struggle in crucial prevention areas and would benefit from focusing on achieving three specific steps in the next year:
  1. consistent implementation of security awareness training for all employees
  2. encrypting data in transit and at rest
  3. implementing and testing air-gapped backups to ensure recoverability of data in a ransomware attack or disaster event.
CoSN’s Home Connectivity Study, funded by the Chan Zuckerberg Initiative, is an additional resource that can help schools as they work to meet the needs of their community.
A joint effort of CoSN (Consortium for School Networking) and our Data Collection Partner, Security Studio (S2)