Resources from CITE, as well as other organizations
View or Download Full PDF here
Cybersecurity Realities, Risks, Resposibilities
A guide prepared for local educational agency (LEA) board members and staff.
What is Cybersecurity?
Cybersecurity is the practice of protecting computer systems, networks, programs, and data from digital attacks, misuse, and criminal exploitation.
More Devices = More Targets
With efforts to go 1:1 and provide connectivity during the pandemic, districts have more devices than ever. Each device can become a target for cyber attacks.
Schools Expect Integration
LEAs are increasingly reliant on educational and operational technologies and connectivity. Systems are more connected than ever, and each year, systems, apps, phones, laptops, Chromebooks, and other devices become more integrated to work together. An attack on one can open the door on all other systems like payroll, financial, and student records.
Attacks are Public and Costly
Cyber attacks are becoming more common, more costly, and more visible to the public.
- According to K12Six, over 1,300 attacks on K-12 districts have been reported since 2016, though many are kept quiet by school districts.
Student Data is in High Demand
K-12 data is attractive to hackers because student records are "clean" - their information can be sold and used to create fake profiles, credit cards, and more.
Source: A Cyberattack Illuminates the Shaky State of Student Privacy, New York Times, July 1, 2022
Ways to Attack Are Widely Shared
Many attacks are led by organized crime rings, who share methods, targets, and expertise. Attacks are increasing in frequency and complexity.
California Now Requires Reporting
A new state law requires all K12 cyber attacks to be reported to the Office of Emergency Services. Breaches of over 500 individuals must also be reported to the CA Attorney General (CA Education Code 35265-35267).
Cybersecurity is a Process
Cybersecurity is a process, not a product. It is a team effort requiring preparation, ongoing maintenance, and continuous improvement. Safety and security requires recurring investment.
Incidents Put Us All at Risk
The school district is legally responsible to ensure student and staff data is protected. Student information about disabilities, families, and identifiable information can affect them for many years.
Cyber Attacks Affect Insurability
Cyber insurance is becoming more difficult to obtain with the significant increase in attacks. California districts are being dropped across the state for not having a strong cybersecurity program in place. Insurance claims may only pay a small fraction of costs required to recover.
Instruction & Operations May be Interrupted
In serving students, LEAs must remain functional both instructionally and operationally. In recent years, cybersecurity incidents, such as ransomware, has halted LEA bussing/transportations systems, and a wide variety of other platforms. These incidents result in school closures and lost instructional minutes.
Recovery Costs Affect Budgets
The state does not provide dedicated funding for districts to pay ransoms if data is held hostage or to bring systems back online after an attack. One district's data was held ransom for $32,000, but the recovery ended up costing $1,200,000 over 3 years.
Recovery Can Take Weeks or Months
Recovering from an attack includes not only restoring data, but also evaluating process and policy to ensure the attack cannot happen again. It is important for the LEA to work closely with authorities and to properly fund the recovery.
LEAs Have Legal Liability
Without a strong cybersecurity program in place, LEAs may be subject to lawsuits brought by staff or parents after a breach.
LEAs Hold the Community's Trust
An attack can affect an LEA's reputation and efforts for years.
LEAs Must Protect All Data
Social security numbers, paystubs, W2s, driver's license information, health, and legal information all bring a high price on the black market. Employees and students could be subject to identity theft and LEAs could face lawsuits. Lack of security could mean difficulties in bargaining negotiations and reduced morale.
LEAs Provide Instruction & Essential Services
Shutdowns of schools or systems (transportation software, phones, nutrition equipment, and other technologies) can affect instruction. Cybersecurity incidents can negatively impact learning, keeping students from attending classes. This can create childcare issues for families and potentially reduce funding because of lost instructional days. Additionally, schools have increasingly been a provider of nutrition services for students who are food ensecure. Recent incidents have shown nutrition & food distribution systems can also be harmed by attackers.
What Can We Do?
- Direct resources to implement multi-factor authentication.
- Review board policies and administrative regulations related to technology use by staff and students, record storage and retention, and others recommended by the Superintendent and Chief Technology Officer.
- Determine is your LEA has a cyber liability insurance policy and determine if staff understand the requirements to stay insured.
- Support the district and/or COE's ability to hire cybersecurity and technology staff.
- Encourage and support cybersecurity and digital citizenship professional development at all staff levels.
- Support and encourage investment in IT systems and services that improve the organization's cybersecurity posture and operational resilience.
Common cybersecurity-related terms and concepts in public school districts and County Offices of Education.
Ransomware: A type of malicious software designed to extort money by blocking access to files.
DDoS: Distributed Denial of Services (DDoS), pronounced "D-Dahs." An attempt to disrupt a network or server by flooding with electronic requests from various systems on the internet which can prevent users from accessing your agency's resources.
Malware: A type of software (commonly called a virus) designed to gain unauthorized access or damage a computer.
Phishing: An attempt to have someone click on a link with the intent on stealing your password or other login credentials or provide private information via email, text, or other forms. Used in conjunction with other items like malware.
Social Engineering: Describes the efforts by attackers to use methods like phone calls, in-person visits, or similar tactics to gain sensitive information.
MFA: Multi-factor authentication (MFA) is the use of a second method of verification besides a password to allow authorized access to a system. Increasingly this is a requirement for all cyber insurance.
Business Email Compromise & Wire Fraud: The use of social engineering and phishing to trick employees into processing fraudulent payments to criminal actors.
CITE's Privacy Service Program helps with all of your privacy contract needs.
Multi-State Information Sharing and Analysis Center is a helpful for resources and services in dealing with and preventing attacks.
FBI Cybercrime Information is the FBI's database of information and resources about cybercrime.
CDE's Tips for a More Secure IT Environment for information from the California Department of Education on building a more secure environment.
BREACHES - should be reported to the California Cybersecurity Integration Center | California Governor's Office of Emergency Services by sending an email message to firstname.lastname@example.org.