The Value of Cyber Security Risk Assessments in Education

The value of cyber security risk assessments in K-12 are often seen as unnecessary given the limited amount of financial or sensitive information compared to other industries. However cyber security threats are growing in the education space, leading school districts to become educated on how it affects them.

Compared to 2018, there was a 256% increase in data breach incidents in 2019 according to the K-12 Cybersecurity Resource center. In Baltimore a school was hit for millions of dollars in ransom after a cybercriminal attack. Until they paid the ransom, their school information was not accessible. At the Downingtown PA Area School District, senior students hacked test scores and personal information. These are just a couple examples of what is occurring.

“The state of cybersecurity in education software is really bad, and not enough people are paying attention to it,” Bill Demirkapi told Wired, who had identified bugs in popular school software that exposed 5 million records.

With over 122 documented cyber security events at K-12 educational institutions in 2019, there are likely many more that are not reported to the public or have not been detected. These can range from denial of service attacks, phishing, ransomware, data breaches, and more. With more schools migrating to the cloud, IoT, VoIP, and the influx of millions of laptops, Macs, tablets, and Chromebooks into the classrooms, more information is at risk if a cyber security management plan is not in place.

Not surprisingly, more than two-thirds of technology leaders in K-12 surveyed survey by the Consortium for School Networking and the Education Week Research Center said student-data privacy and security is somewhat or much more important priority this year compared with last year.

Cyber security concerns often begin with having a process and security protocols which are communicated and adhered to. With 44% of K-12 technology leaders not having a formal and widely followed policy for passwords opens up the floodgates for future problems. In this case, a cyber security expert would conduct an audit and identify the lack and management of password policies as one aspect that could be resolved immediately.

So what should K-12 technology leaders do to avoid the top cyber security threats in 2020? The first step is to enlist a cyber security expert to conduct an audit to address their security management policies and procedures to ensure they are adequate. A vendor will look at internal policies and ensure they are being followed, conduct penetration testing, and look for other areas to optimize. If there are no cyber security protocols in place, this can be developed by the vendor and implement immediately.

While policies and regulations to support K-12 work to keep up with the threats, the K-12 community will need to share information and best practices between districts, as well as bringing in cyber security experts to minimize threats. Cyber security concerns will continue for years to come, but taking action to minimize potential issues.