The K-12 Cybersecurity Act was signed into law on October 8, 2021, and it provides support for organizations and businesses involved with elementary and secondary school education. It directs CISA (the Cybersecurity and Infrastructure Security Agency) to analyze the risks that these schools face, and to create recommendations and guidelines to help schools address them. Here’s what you need to know about this new law, and the steps that should be taken to comply with it.
What Does the K-12 Cybersecurity Act Require?
The COVID pandemic ignited a revolution in education, with teachers and students using online platforms as the norm. Some classrooms remain virtual and/or hybrid, and all-virtual schooling is on the rise around the country. The increased use of technology has its good points, but it has also led to a high risk of cybercrime.
In 2020, there were 408 cybersecurity threats reported across 40 states in 377 districts; this equals approximately two or more incidents a day and includes sophisticated phishing and ransomware attacks.
These districts have a large amount of valuable data, like academic records, family information, medical files and Social Security information. Cyber criminals profit from this information, as it can be sold for credit purposes, identities and other reasons.
The CISA has to evaluate the IT services that are used by schools, as well as student and employee records. The CISA is required to create online training tools for school officials as well; they also have to share their findings, the toolkit and their guidelines on the Department of Homeland Security’s website. Use of these recommendations will be voluntary, though – unless that changes.
Actionable Steps to Protect Students and Families
Once the guidelines are shared, schools should have actionable, manageable recommendations to work with. Some feel that while the frameworks have to be “robust” and “deep,” they can’t be “paralyzing” for schools. The best solutions will be easy to work with and effective for prevention, detection, response and resilience. CISA’s report is still being developed, but this doesn’t mean that school districts need to wait for it to put a plan of action to work.
As with other industries and organizations, the best defense against cyber attacks is advance preparation. This starts by developing and promoting policies for responsible use – students, parents and staff should undergo cybersecurity training on the system before being allowed to use it. A Responsible Use Policy can be developed and used in compliance with local, state and Federal regulations. All data should be stored securely and be in alignment with the Family Educational Rights and Privacy Act.
Working With an IT Provider
The school district’s IT provider will have to back up the data often as a safeguard against accidental or deliberate data corruption or destruction. Firewalls can also be put in place, along with approved lists of those who can have access to the networks and systems.
The networks must be continually monitored to assess threat risks as well. Should a breach occur, community members should know which protocols to follow. The first point of contact is usually the school’s IT provider or IT services team manager.
Here are a few more tips about K-12 cybersecurity:
- Make sure that all network permissions that separate student networks from faculty/staff networks are updated
- Make endpoint security (tablets, laptops, desktops) a priority
- Create/update an incident response plan that will bring all of the important stakeholders together
- Have a cyber-informed culture that keeps students and staff trained on the best security practices
A highly experienced Managed Services Provider (MSP) with a background of working with schools can install, administer and maintain cybersecurity systems to protect student and faculty information from predators.
TAG Solutions recognizes the importance of reliable technological infrastructure that supports educational institutions and has worked in the field for many years, delivering customized solutions within school budgets. We also specialize in cybersecurity training for staff and students. To find out more, contact us today or call our Albany, NY offices at 800-724-0023.