CYBERSECURITY PREPAREDNESS FOR K-12 SCHOOLS AND INSTITUTIONS OF HIGHER EDUCATION

K-12 schools and institutions of higher education (IHEs) increasingly rely on technology to carry out academic, operational, and business functions, which makes a robust and resilient cybersecurity posture critically important. Cyber threats are one category of human-caused threat that can affect schools and IHEs, with potentially devastating consequences. Cyberattacks can be extremely costly to respond to and recover from; they can disrupt operations and education services, cause serious harm to the individuals whose data or services are affected, leave a school or IHE vulnerable to follow-on attacks, create legal liability, and damage relationships between the school or IHE and the surrounding community. To ensure that schools and IHEs are prepared to manage a cybersecurity incident, cybersecurity should be treated as a priority in emergency management planning. Comprehensive, high-quality plans, including a Cybersecurity Annex and an incident response plan (IRP), should be developed, integrated into the school or higher ed emergency operations plan (EOP), and built around cybersecurity best practices so that the institution is adequately prepared for a cyberattack.

Cyber Threats

Schools and IHEs can improve their cybersecurity posture by first understanding the landscape of cyber threats facing K-12 and higher education communities.

A data breach occurs when an individual obtains unauthorized access to sensitive, protected, or confidential data and subsequently views, copies, alters, publicizes, or steals the data or transmits it to a third party. Schools and IHEs are targeted in data breaches because they contain an abundance of valuable student and staff records, including personally identifiable information (PII). PII includes any information that can be used to identify an individual, such as names, addresses, Social Security numbers, birthdates, school identification numbers, etc. PII and other student and staff records are valuable to malicious cyber actors, as this information can be used to commit identity theft, sold to other threat actors, and used to develop and carry out other cyberattacks.

Intentional
Intentional data breaches can be carried out by any number of individuals, both known and unknown to a school or IHE, and can be caused by other cyber threats, such as phishing, ransomware, or denial-of-service (DoS) attacks. Malicious cyber actors can carry out data breaches with criminal intent, such as stealing PII to sell it, but students and staff can also carry out data breaches. Students who learn to exploit system vulnerabilities or who gain access to staff members’ login information may attempt to change their grades, test scores, or attendance data. Staff members may also attempt to alter or remove their data, such as disciplinary records. Additionally, vendors and contractors with access to student or staff records can be perpetrators of intentional data breaches.

Unintentional
Unintentional data breaches also occur, typically due to improper data handling or weak cybersecurity controls. For example, a staff member may cause a data breach accidentally by emailing a student’s information to the wrong recipient, storing PII in a shared or publicly accessible file location, or uploading sensitive or confidential information to a public Website. Weak cybersecurity controls can also cause data breaches, such as when individuals discover that they have access to PII their role does not require (excessive permissions), or when vendors with weak security settings leave stored data vulnerable to a cyberattack.

Involvement of students, teachers, and school/campus community members
Data breaches that involve the PII of students, staff, or school or campus community members can have serious and lasting financial, physical, and emotional effects. Students or staff members with leaked PII may become the victims of identity theft, causing financial damage for years into the future. Other types of data breaches can cause emotional harm to students and families, such as embarrassment or stigmatization caused by a leak of information on students’ special education services, referrals to mental health services, family income data, disciplinary information, medical records, or housing status. Data breaches can also cause physical harm to school community members, potentially through retaliation for a leak of PII related to bullying or school violence. The consequences of data breaches are far reaching and can damage trust and relationships between schools and IHEs and their communities, straining partnerships and engagement efforts.

In some cases, certain types of data breaches may also violate Federal or state laws requiring the protection of student data. Schools and IHEs should be aware of applicable laws, including the Family Educational Rights and Privacy Act (FERPA), which protects students’ personally identifiable education records; the Protection of Pupil Rights Amendment (PPRA), which establishes rules regarding the collection and use of student survey or evaluation data; the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which protects individually identifiable health information held by covered entities (student health records that a school maintains as FERPA-protected education records are generally excluded from HIPAA’s Privacy Rule); and the Children’s Online Privacy Protection Act (COPPA) and its implementing Rule, which require operators of Websites or online services directed to children under 13 to protect children’s data.

Phishing is a common cyber threat in which threat actors attempt to obtain sensitive or confidential information, most often login credentials, by sending victims deceptive email or text messages that include hyperlinks to fraudulent Websites (or, in some variants, malicious attachments). These messages are crafted to look legitimate, for example by using sender addresses or domain names that differ from a familiar institution’s or company’s by only a character or two. Victims who click the embedded hyperlink are directed to what appears to be a legitimate login Webpage and are deceived into disclosing email addresses, usernames, and passwords. Once these credentials are harvested, threat actors can use them to access online databases and systems. Phishing is one type of cyber threat that relies on social engineering, where individuals are manipulated and deceived into giving threat actors access to sensitive information.
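The lookalike-address technique described above can be checked for mechanically. The following is an added example, not part of the original fact sheet: it folds common character substitutions (a digit 1 for a lowercase l, rn for m), compares the sender’s domain against an institution’s legitimate domains by edit distance, and flags domains that embed the legitimate name inside a longer attacker-controlled domain. The trusted domain exampleschool.org and every address shown are constructed for illustration.

```python
"""Triage e-mail sender domains that imitate a school's legitimate domain.

Added example; the trusted domain and all sample addresses are constructed.
"""
import re

# Characters attackers commonly swap for visually similar ones.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def extract_domain(address: str) -> str:
    """Return the lower-cased domain of an address, ignoring any display name."""
    match = re.search(r"<([^>]+)>", address)
    addr = match.group(1) if match else address
    return addr.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def fold_confusables(domain: str) -> str:
    """Normalise digit-for-letter swaps and the 'rn'/'m' and 'vv'/'w' tricks."""
    return domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted_domains, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike', or 'unknown' for the sender's domain."""
    domain = extract_domain(address)
    trusted_domains = [t.lower() for t in trusted_domains]

    # Exact match or a real subdomain of a trusted domain is trusted.
    for trusted in trusted_domains:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"

    folded = fold_confusables(domain)
    for trusted in trusted_domains:
        folded_trusted = fold_confusables(trusted)
        # Trusted name embedded in a longer attacker domain, e.g.
        # exampleschool.org.evil.net, or an exact match after folding.
        if trusted in domain or folded_trusted in folded:
            return "lookalike"
        # A character or two away from the real domain (example-school.org).
        if levenshtein(folded, folded_trusted) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    trusted = ["exampleschool.org"]
    for addr in ["principal@exampleschool.org", "payroll@examp1eschool.org",
                 "vendor@exampleschool.org.evil.net", "friend@gmail.com"]:
        print(f"{addr:40} {classify_sender(addr, trusted)}")
```

A classification of "lookalike" is a reason to hold the message for review, not proof of an attack; legitimate partner domains should be added to the trusted list rather than tuning the distance threshold upward.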

Ransomware is malicious software designed to encrypt data or files to render them unusable or to block a user or organization from accessing them. A ransomware attack involves a malicious cyber actor infecting a system or device with ransomware; threatening to permanently damage, block access to, or publicize the data; and then demanding money from a school or IHE in exchange for the safe return of the data or files. Ransomware attacks can be incredibly costly and damaging, as there is no guarantee that the threat actor will release the data or files undamaged to the school or IHE once the ransom is paid.

Business email compromise (BEC) scams are like phishing attacks in that they involve an email message, disguised as being from a familiar source, that urges the victim to take action, typically sending the threat actor money. For example, a staff member receives an invoice from a contractor with an updated mailing address and a request for immediate payment. Without reviewing the sender’s information carefully and contacting the contractor to confirm the legitimacy of the invoice, the staff member who pays the fee has fallen victim to a BEC scam. BEC scams rely on social engineering and a false sense of urgency to convince victims to act quickly, making costly cybersecurity mistakes more likely.

Denial-of-service (DoS) attacks occur when malicious cyber actors deliberately flood a server or network with more traffic or requests than it can handle, so that it can no longer serve authorized users. DoS attacks can disrupt teaching and learning and render email, Websites, online learning systems, or databases unusable for hours or even days. In a distributed denial-of-service (DDoS) attack, the threat actor directs traffic from many devices at once (often a network of compromised computers or devices, known as a botnet) at a single target, which increases the damage and makes the sources of the attack far harder to identify and block.

Website or social media defacement involves a threat actor changing or adding content on a school’s or IHE’s Website or social media account. Threat actors carry out this attack either by hacking into a server that hosts a target Website or by using stolen login credentials to access a social media account. Threat actors can then remove important information; change account settings; spread misinformation; and add harmful images, videos, or text to the Website or social media account. In some instances, Website and social media defacement may be linked to a data breach, as threat actors may publicly post stolen and sensitive or confidential information. Website or social media defacement quickly communicates to the public that a school’s or IHE’s technology infrastructure has been compromised. These cyberattacks can disrupt education services, damage a school’s or IHE’s reputation, cause confusion due to miscommunication and the removal of important information, and cause harm by exposing the community to inappropriate content.

Malicious cyber actors can invade online class and school meetings by stealing or guessing login credentials or compromising videoconferencing software. Threat actors can then record online classes or meetings; distribute inappropriate messages, images, or videos; or steal information shared in the online class or meeting. Meeting invasions offer an opportunity for malicious threat actors to communicate with students and staff and can compromise the school or campus community’s trust in online learning infrastructure and expose students and staff to harmful content.

Cyber Threat Prevention and Mitigation Strategies

While cyber threats pose substantial risks to schools and IHEs, there are several strategies and best practices to prevent, protect against, mitigate potential impacts of, respond to, and recover from cyber threats. Schools and IHEs can leverage these high-impact strategies to reduce cybersecurity risks and build the foundation for a strong cybersecurity posture.

Schools and IHEs should proactively develop plans and policies to ensure a strong cybersecurity stance and to prepare for a potential cyberattack. First, multidisciplinary planning teams can develop a comprehensive Cybersecurity Annex that is integrated in the school or higher ed EOP and that includes goals (broad, general statements that indicate a desired outcome), objectives (specific, measurable actions that are necessary to achieve the goals), and courses of action (specific procedures that are used to accomplish the goals and objectives) for before, during, and after a cyberattack. Examples of courses of action that schools and IHEs can implement before a cyberattack include developing responsible use policies for student and staff technology use, ensuring secure data storage methods, regularly reviewing network and system access privileges, and ensuring that the Cybersecurity Annex complies with appropriate privacy laws, including FERPA, PPRA, COPPA, and the Children’s Internet Protection Act. During a cyberattack, schools and IHEs can plan to follow reporting protocols and notify law enforcement, contain the threat, and limit damage. The Cybersecurity Annex should also document courses of action to follow in the aftermath of a cyberattack, including restoring continuity of operations, conducting damage assessments, remediating affected devices and systems, and conducting an after-action review culminating in an after-action report. The Cybersecurity Annex should complement and include references to relevant functional annexes in the EOP, such as the Continuity of Operations Annex, Recovery Annex, Security Annex, and Communications and Warning/Notification Annex.

In addition to a Cybersecurity Annex, schools and IHEs should consider developing a detailed and tailored incident response plan (IRP). High-quality IRPs should also be created through a collaborative process by an incident response team. The incident response team should consist of school or IHE leaders, IT staff, legal counsel, vendors, contractors, facilities management, and/or communications or public information staff. To develop the IRP, the incident response team should first assess available resources, taking inventory of all hardware, software, storage locations of sensitive data, and access privileges. Second, the incident response team should conduct a risk assessment, deciding which cyber threats the school or IHE may be vulnerable to and what the potential damage of such a threat might be. Finally, the IRP should contain detailed plans for responding to the prioritized cyberattacks that consider short- and long-term outcomes.

A Cybersecurity Annex and an IRP are similar, but a Cybersecurity Annex covers the “before, during, and after” time frames of a cyberattack and considers the five National Preparedness System mission areas (prevention, protection, mitigation, response, and recovery), while an IRP focuses on responding to a cyberattack. Together, they are valuable plans that can help prevent cyberattacks, mitigate their impacts, reduce response times, and aid in continuity of operations and recovery processes. Schools and IHEs should consider how to create a truly comprehensive plan or annex that encompasses all key elements of cybersecurity incident management and that aligns with the Cybersecurity and Infrastructure Security Agency (CISA) Cross-Sector Cybersecurity Performance Goals (CPGs). In addition to the above components, both the Cybersecurity Annex and the IRP should also include the following:

  • Key contacts, with information on how to reach them
  • Roles and responsibilities of those involved in implementing the plan or annex
  • Timelines for implementing documented courses of action
  • Protocols for disposing of or destroying data
  • An established training and exercise plan
  • Details on how the plan or annex complies with relevant local, state, and Federal laws and guidance

School and IHE leaders, as well as staff both in and outside of the IT department, should conduct annual risk assessments (an assessment of risks and current vulnerabilities; prevention, protection, and mitigation policies and resources; and the potential impacts of a cyberattack) and routine exercises (e.g., tabletop exercises, drills, functional exercises, or full-scale exercises) to practice their IRP or Cybersecurity Annex and to make revisions based on lessons learned. As the cybersecurity landscape advances, schools and IHEs should be sure to regularly revisit the annex or IRP to practice, update, and maintain it.

Multifactor authentication (MFA) is a layered approach to cybersecurity that verifies an individual’s identity by requiring more than a password before granting access to an online account and its data. After a user enters login credentials, a system with MFA requires the user to prove identity in at least one additional way, such as a one-time-use personal identification number (PIN) or code sent by text message, email, or phone call; a code from a mobile authenticator application; a scanned fingerprint; an access badge or smart card; or a hardware security key, among other methods. (Additional security questions are sometimes offered as a second step, but because they are another piece of knowledge, like a password, they do not provide a genuinely separate factor.) While malicious cyber actors may obtain users’ login information by stealing user login data or guessing passwords, MFA makes it harder for them to complete the login without the second factor, thereby protecting sensitive systems and data. However, schools and IHEs should be aware that many forms of MFA can still be bypassed, for example through a phishing page that also collects the one-time code and relays it to the real service within its validity window, or by bombarding a user with push notifications until one is approved. Schools and IHEs should therefore strive to implement phishing-resistant MFA, such as FIDO2/WebAuthn security keys or PIV smart cards, in which the authenticator cryptographically binds the login to the legitimate Website so that a code or approval captured on a lookalike site cannot be reused; CISA considers this the MFA gold standard.
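The difference between a phishable one-time code and a phishing-resistant authenticator is easier to see in code. The block below is an added example, not from the original fact sheet. Its first half implements time-based one-time passwords as specified in RFC 6238 (HMAC-SHA1, 30-second steps; the secret is the RFC’s own test secret) and shows that a code typed into a fake page and relayed a few seconds later is accepted by the real service. Its second half is a deliberately simplified model of a FIDO2/WebAuthn-style login, using an HMAC with a shared device key in place of a public-key signature: because the authenticator signs the origin it is actually talking to, an assertion produced on a lookalike origin fails verification at the real one. The origins and device key are constructed.

```python
"""TOTP (RFC 6238) versus an origin-bound authenticator, as an added example.

The TOTP code is real RFC 6238; the origin-bound part is a simplified model
of WebAuthn (HMAC stands in for the public-key signature). Secrets, origins
and timestamps are constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
# RFC 6238 test secret "12345678901234567890", base32 encoded.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, at: int, digits: int = 6) -> str:
    """RFC 6238 / RFC 4226: HMAC the time step, dynamically truncate, mod 10^digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock skew."""
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, at + skew * STEP_SECONDS), code):
            return True
    return False


def phished_code_is_accepted(secret_b32: str, now: int) -> bool:
    """Adversary-in-the-middle: the victim types the code into a fake login
    page and the attacker relays it to the real service seconds later."""
    victim_code = totp(secret_b32, now)     # what the victim's phone displays
    relayed_at = now + 10                   # attacker forwards it shortly after
    return verify_totp(secret_b32, victim_code, relayed_at)


def sign_assertion(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """The authenticator signs the server's challenge together with the origin
    the browser reports, so the web page cannot lie about where it is."""
    return hmac.new(device_key, origin.encode() + b"|" + challenge, hashlib.sha256).digest()


def verify_assertion(device_key: bytes, challenge: bytes, expected_origin: str, sig: bytes) -> bool:
    """The real service only accepts assertions bound to its own origin."""
    expected = sign_assertion(device_key, challenge, expected_origin)
    return hmac.compare_digest(expected, sig)


def phished_assertion_is_accepted(device_key: bytes) -> bool:
    """The same relay attack against the origin-bound authenticator."""
    challenge = b"nonce-from-real-service"
    # The victim is on the lookalike site, so the browser binds the assertion
    # to that origin (constructed), not to the school's real origin.
    sig = sign_assertion(device_key, challenge, "https://examp1eschool.org")
    return verify_assertion(device_key, challenge, "https://exampleschool.org", sig)


if __name__ == "__main__":
    now = int(time.time())
    print("current TOTP:", totp(DEMO_SECRET_B32, now))
    print("relayed TOTP accepted?", phished_code_is_accepted(DEMO_SECRET_B32, now))
    print("relayed origin-bound assertion accepted?", phished_assertion_is_accepted(b"device-key"))
```

The relayed TOTP succeeds because nothing in the code ties it to the site that asked for it; the origin-bound assertion fails because the origin is part of what was signed. Real WebAuthn adds a per-login challenge, a public-key signature the attacker cannot forge, and origin checks enforced by the browser, but the binding shown here is the property that makes it phishing-resistant.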

Schools and IHEs use a variety of software every day, from virtual meeting platforms to learning management systems accessed through computers, tablets, and mobile phones. Over time, threat actors study commonly used software and find ways to exploit its weaknesses. At the same time, vendors release security updates (patches) to address vulnerabilities and impede unauthorized access. Patch management is the continuous process of identifying which systems are missing security updates, testing those updates, and deploying them before the vulnerabilities they fix are exploited. School and IHE IT teams should prioritize patch management by maintaining an accurate inventory of hardware and software, monitoring vendor advisories and lists of known exploited vulnerabilities, routinely conducting risk assessments to identify vulnerable systems, deploying updates promptly (with internet-facing systems and actively exploited vulnerabilities first), and encouraging all members of school and campus communities to install updates as soon as they become available. Schools and IHEs can also enable automatic updates where practical. These actions reduce the risk of malicious cyber actors gaining unauthorized access to education data by exploiting software vulnerabilities.
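Matching an inventory against vendor advisories sounds mechanical, but a common mistake is comparing version numbers as text, which ranks "4.9.7" above "4.12.0" and "10.10.0" below "10.2.1". The block below is an added example, not part of the original fact sheet; the product names, the advisory list, and the inventory are constructed. It parses versions into numeric fields, reports which hosts are below the first fixed version, and shows the naive string comparison beside it so the misses and false positives are visible.

```python
"""Triage a software inventory against an advisory list, as an added example.

Product names, fixed versions, and hosts are constructed for illustration.
"""
import re


def parse_version(v: str) -> tuple:
    """'4.12.0-ent' -> (4, 12): numeric fields, trailing zeros dropped so that
    '4.12' and '4.12.0' compare equal."""
    parts = [int(x) for x in re.findall(r"\d+", v)] or [0]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(installed: str, first_fixed: str) -> bool:
    """True when the installed version predates the first version carrying the fix."""
    return parse_version(installed) < parse_version(first_fixed)


# Constructed advisory feed: product -> first version that contains the fix.
ADVISORIES = {
    "LMS Connect": "4.12.0",      # hypothetical product
    "Meeting Room": "10.2.1",     # hypothetical product
}

# Constructed inventory, as a patch-management team might export it.
INVENTORY = [
    {"host": "lms-01", "product": "LMS Connect", "version": "4.9.7"},
    {"host": "lms-02", "product": "LMS Connect", "version": "4.12.0"},
    {"host": "av-01", "product": "Meeting Room", "version": "10.10.0"},
    {"host": "av-02", "product": "Meeting Room", "version": "9.8.5"},
    {"host": "lib-01", "product": "Catalog", "version": "2.0"},
]


def triage(inventory, advisories) -> list:
    """Hosts whose installed version is below the first fixed version."""
    return sorted(
        h["host"] for h in inventory
        if h["product"] in advisories and is_vulnerable(h["version"], advisories[h["product"]])
    )


def naive_string_compare(inventory, advisories) -> list:
    """The buggy approach, kept only to show what it gets wrong."""
    return sorted(
        h["host"] for h in inventory
        if h["product"] in advisories and h["version"] < advisories[h["product"]]
    )


if __name__ == "__main__":
    print("needs patching:", triage(INVENTORY, ADVISORIES))
    print("string compare says:", naive_string_compare(INVENTORY, ADVISORIES))
```

On this inventory the numeric comparison flags lms-01 and av-02; the string comparison misses both and instead flags av-01, which is already patched. Vendors that use non-numeric schemes (build tags, date stamps) need their own parser; the point is to compare what the version means, not how it is spelled.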

Backing up data involves making copies of the data and storing at least one copy offline, or otherwise isolated from the production network, so that an attacker who compromises the network, or ransomware that encrypts everything it can reach, cannot also destroy or encrypt the backup. Schools and IHEs that establish and routinely update backups have a contingency plan for potential cybersecurity incidents and are, therefore, better positioned to mitigate their impacts. For example, a school or IHE with up-to-date, isolated backups that falls victim to ransomware or other malware may be able to replace lost or corrupted data and restore the damaged system more quickly, without depending on the threat actor. Conversely, schools and IHEs that store all data in one place, or whose backups remain permanently connected to the systems they protect, are more susceptible to a total loss. Schools and IHEs should routinely practice restoring their systems from backup(s) and verify that the restored data are complete and unaltered; a backup that has never been test-restored cannot be counted on.
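Verifying that a backup is complete and unaltered is part of the restore practice recommended above. The following is an added example, not from the original fact sheet: it records a SHA-256 hash of every file in a backup set into a manifest, and later checks the set against that manifest, reporting files that went missing, changed, or appeared. The backup directory and its files are constructed inside a temporary folder so the block runs stand-alone.

```python
"""Hash-manifest integrity check for a backup set, as an added example.

The backup contents below are constructed in a temporary directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large exports do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative, POSIX-style) to its hash."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the backup set on disk against a previously saved manifest."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest.keys() & current.keys() if manifest[k] != current[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Build a constructed backup, save its manifest, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup-2024-01-15"          # constructed
        (backup / "sis").mkdir(parents=True)
        (backup / "sis" / "students.csv").write_text("id,name\n1001,Example Student\n")
        (backup / "sis" / "grades.csv").write_text("id,course,grade\n1001,ALG1,B\n")
        (backup / "README.txt").write_text("nightly export\n")

        # Save the manifest separately from the data it describes; in practice
        # it travels with the offline copy, not on the production share.
        manifest_json = json.dumps(build_manifest(backup), indent=2, sort_keys=True)
        before = verify_manifest(backup, json.loads(manifest_json))

        # Simulate what a compromised or corrupted backup looks like.
        (backup / "sis" / "grades.csv").write_text("id,course,grade\n1001,ALG1,A\n")
        (backup / "README.txt").unlink()
        (backup / "dropper.exe").write_bytes(b"MZ")
        after = verify_manifest(backup, json.loads(manifest_json))
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same manifest can be checked again after a test restore to confirm the restored copy matches what was backed up. Keeping the manifest (or a signed copy of it) with the offline backup rather than on the production network prevents an attacker who can alter the data from also altering the record of what it should be.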

Another best practice to bolster a school’s or IHE’s cybersecurity posture is to minimize exposure to common attacks by reducing the attack surface. Malicious cyber actors are more likely to attack an easy target without strong protections in place, particularly IT systems that are publicly accessible online. Schools and IHEs should therefore inventory their internet-facing systems, disable or firewall services that do not need to be reachable from the internet (such as remote desktop or file-sharing services), retire software that no longer receives security updates, and stay up to date on which services are frequently exploited and how. Additionally, schools and IHEs should regularly conduct vulnerability scans, such as by signing up for CISA’s free Cyber Hygiene Vulnerability Scanning service, which scans an organization’s internet-accessible systems for known vulnerabilities. Annual risk assessments can also help to identify vulnerable or commonly exploited systems.

Ensuring protection against ever-evolving cyber threats requires a whole-community approach, with strong cybersecurity controls and ongoing cyber risk management effectively integrated into existing school and campus safety, security, emergency management, and preparedness efforts. First, all school or campus staff should receive regular cybersecurity training that is relevant to their role, with courses covering cyber threats, how to prevent cyberattacks and report suspicious activity, Federal and state privacy legislation, and best practices in data protection. A school’s or IHE’s Cybersecurity Annex or IRP should also be publicized so that policies are well understood and staff members understand their assigned role in implementing the plan or annex. Students should receive cybersecurity training as well, to learn how to keep themselves and their data safe from malicious cyber actors and how to recognize and report a suspected cyberattack. To further instill a culture of cyber preparedness, schools and IHEs can implement cybersecurity awareness initiatives throughout the year, educating the whole school or campus community on cyber threats and cybersecurity best practices and raising awareness of available reporting systems.

Federal Cybersecurity Efforts

The Federal government provides support and resources to help K-12 schools and IHEs strengthen their cybersecurity capabilities and protect their communities from cyberattacks. Schools and IHEs should leverage available Federal resources to learn more about cyber threats, assess their cybersecurity controls, address vulnerabilities, create a Cybersecurity Annex and an IRP, provide consistent trainings to staff and students, and implement cybersecurity best practices. By strengthening their cybersecurity infrastructure and promoting a culture of cyber safety, schools and IHEs can protect students and staff from cyber threats and ensure safe and continuous education services.

In 2013, the President issued an executive order, “Improving Critical Infrastructure Cybersecurity”, which focused on efforts to enhance the cybersecurity of critical infrastructure in the United States. The executive order called upon the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) to develop a framework for managing cybersecurity risk. The NIST Cybersecurity Framework, published in 2014 and updated in 2018, can be used by K-12 schools and IHEs to guide their cybersecurity activities and ensure alignment of their plans, policies, and resources to best practices in cybersecurity risk management.

The U.S. Department of Education’s (ED’s) Office of Safe and Supportive Schools (OSSS) is the designated education Sector Risk Management Agency, meaning OSSS is charged with facilitating and coordinating the Department’s collaboration with Federal, state, and local entities to support education cybersecurity and to help education institutions understand cyber threats, vulnerabilities, and risk management and prevent, respond to, and recover from cyberattacks. The Department provides further technical assistance and guidance through several of its offices, including OSSS, the Office of Educational Technology (OET), the Office of Federal Student Aid (FSA), and the Student Privacy Policy Office (SPPO).

  • OSSS administers the REMS TA Center, which provides training and technical assistance to schools and IHEs to improve their preparedness to manage a range of threats and hazards, including cyber threats.
  • OET provides guidance to help schools and IHEs secure their digital infrastructure and improve their understanding of the modern education technology landscape.
  • FSA provides guidance to IHEs on data security and the protection of PII, including details on compliance with relevant laws and regulations. FSA also manages a reporting system where IHEs can report data breaches.
  • SPPO administers and enforces student privacy laws, such as FERPA and PPRA. The SPPO also administers the Privacy Technical Assistance Center, which provides training and technical assistance to help schools and IHEs understand cyber threats and implement data security best practices.

The Federal government supports K-12 schools and IHEs with reporting cyberattacks and cybersecurity incidents. The U.S. Department of Justice’s Federal Bureau of Investigation (FBI) receives reports of cyberattacks and provides investigative support through FBI field offices and the Internet Crime Complaint Center.

The U.S. Department of Homeland Security and its operational lead, CISA, provide critical support to the education sector on cybersecurity. As the national cybersecurity agency focused on managing and reducing cybersecurity risk, CISA has long provided resources and training to schools and IHEs to help them defend against cyberattacks and improve their cybersecurity infrastructure. CISA’s 2023 report, Protecting Our Future: Partnering to Safeguard K-12 Organizations From Cybersecurity Threats, offers research, feedback from stakeholder collaboration, resource considerations, and high-impact strategies for improving cybersecurity. CISA also published CPGs to help critical infrastructure entities, including K-12 schools and IHEs, manage cybersecurity risk. CISA’s CPGs are aligned to subcategories of the NIST Cybersecurity Framework. CISA also offers training on cybersecurity foundations to schools and IHEs through the Federal Virtual Training Environment, which includes tools and tabletop exercises. Schools and IHEs can report cybersecurity incidents to CISA and to the U.S. Secret Service’s Field Offices and Cyber Fraud Task Forces for cyberattacks involving financial crimes.

The U.S. Government Accountability Office (GAO), which conducts research and makes recommendations to the Federal government based on its findings, has also investigated cybersecurity vulnerabilities among K-12 schools. The GAO has published three reports on the topic, including a 2020 report on data breaches; a 2021 report on available Federal supports for K-12 cybersecurity, which included recommendations that ED update its cybersecurity guidance; and a 2022 report on cyberattacks, which included recommendations for the Federal government to better coordinate its efforts to support K-12 schools with cybersecurity.

In Summer 2023, the White House convened a summit focused on strengthening the cybersecurity of K-12 schools. Building on the GAO’s recommendations, the White House developed a whole-of-government plan to improve schools’ cybersecurity amid increases in cyberattacks. This plan included collaborative initiatives between ED, CISA, and other Federal departments, including the following:

Key Cybersecurity Resources

K-12

Higher Ed