Report: K-12 Orgs Concerned about Security Budget, Threats
The Multi-State Information Sharing and Analysis Center (MS-ISAC) is uniquely positioned to view both the cybersecurity preparedness and the cybersecurity threats facing U.S. State, Local, Tribal, and Territorial (SLTT) government organizations. We are an official partner of the Nationwide Cybersecurity Review (NCSR), which provides a broad picture of cybersecurity maturity across various SLTT communities. We also maintain the largest threat database specific to SLTT government organizations. It consists of more than 200 sources of threat intelligence, including real-time threat indicators provided by our no-cost cybersecurity services.
Recently, we've noticed a unique situation among K-12 school districts: cyber threat actor (CTAs) frequently target them as a group, but they lag behind other sectors in cybersecurity preparedness. We decided to take a closer look at the K-12 sector as a whole and publish our findings in the MS-ISAC K-12 Report: A Cybersecurity Assessment of the 2021-2022 School Year.
In this blog, we’ll provide an overview of our report findings. We’ll explore where K-12 organizations stand in terms of their cybersecurity resources, examine the threats they’re confronting, and discuss how they can overcome them.
K-12 School Districts’ Cybersecurity at a Glance
K-12 respondents to the 2021 Nationwide Cybersecurity Review (NCSR) reported several noteworthy security concerns. Chief among them was a lack of sufficient funding. The average K-12 school district revealed that they dedicate 8% or less of their IT budget to cybersecurity, for example, while nearly one in five (18%) of respondents in this sector said that their cybersecurity spending amounts to less than 1% of their IT budget.
Sophistication of threats also topped K-12 organizations' list of security concerns. These threats take on many forms. Here are some of the most common:
- Ransomware: A ransomware attack encrypts an infected machine's files and demands that the victim pay a ransom in exchange for a decryption key. The period between infection and recovery can be disruptive for the victim. When a K-12 school district falls victim to a ransomware attack, for instance, they may need to delay in-person and/or virtual classes. K-12 victims may also spend months remediating a successful ransomware attack; depending on the nature of the infection, this process could cost more than $1 million. Those costs may or may not include damages associated with data exfiltration and disclosure.
- Malware: Between August 2021 and May 2022, the MS-ISAC observed two malware families targeting K-12 entities more than others. The first, Shlayer, is a threat that targets Apple macOS devices. It masquerades as legitimate software so that it can infect an Apple macOS system and drop other macOS malware and adware. The second, CoinMiner, is a malicious cryptocurrency miner that relies on malspam or droppers for distribution. Once it's infected a system, it uses Living off the Land (LotL) techniques to spread across the network and use infected systems' resources for mining cryptocurrency.
- Web Security Threats: The Malicious Domain Blocking and Reporting (MDBR) service is a no-cost MS-ISAC membership perk that blocks IT systems from connecting to web domains known for distributing malware, ransomware, and other threats. Between August 2021 and May 2022, MDBR handled more than 225 billion DNS requests for enrolled K-12 entities. It blocked 423 million of those requests, with 78% of that blocked activity associated with malware.
Ongoing Cybersecurity Improvements for K-12 Organizations
When it comes to addressing the concerns discussed above, K-12 school districts vary in their security-related competencies. According to the 2021 NCSR, organizations in the K-12 sector do well in Identity Management and Access Control, Awareness and Training, and Business Environment. In general, they struggle in areas such as implementing protective technologies such as audit log management and malware defenses.
These discrepancies need not exist, however. The MS-ISAC K-12 Report offers several recommendations that K-12 organizations can follow to improve their cybersecurity posture going forward.