Home CTO/CIO Google for Education’s K-12 Cybersecurity Guidebook

Google for Education’s K-12 Cybersecurity Guidebook

by Miguel Guhlin
Google Guidebook

In August, Google announced its updated K-12 Cybersecurity Guidebook. The guidebook starts with key points from CISA’s Protecting Our Future report and covers NIST’s (National Institute of Standards and Technology) updated Cybersecurity Framework. For certain, cybersecurity is keeping people up at night. Since October is Cybersecurity Awareness Month, let’s take a moment to explore these changes and potential implications.

A colorful infographic showing the updated NIST Cybersecurity Framework.
Screenshot by the author: NIST Article “NIST Drafts Major Update to Its Widely Used Cybersecurity Framework” (08/2023) About the image: NIST has added a new “Govern” component. The new component “covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy.” Would you agree schools need to make and execute internal decisions of this kind?

CISA’s Protecting Our Future Report

The CISA Protecting Our Future report revisits the idea that malicious cyber actors are targeting K-12. These attacks can have “catastrophic impacts on students, their families, teachers, and administrators.” The report’s authors hope it assists schools in reducing the risks of a cyber catastrophe.

What makes up a catastrophe? Any and all the following:

  • Data breaches
  • School ransomware attacks
  • Deleted school data
  • Misused data

You can see that reported incidents have risen from 2018 to 2021, from 400 to 1,300 events.

Some key findings include:

  • Schools need to deploy multi-factor authentication (MFA) and mitigate known exploited vulnerabilities. They also suggest implementing and testing backups. Additionally, they advocate for exercising an incident response and training plan aligned with national frameworks.
  • District leaders must be creative in seeking funding and securing resources. This includes grants, low-cost services and products, and relying on secure cloud and trusted management services.
  • The report encourages engaging in information sharing with other school districts. Two forums include the Multi-State Information Sharing and Analysis Center and the K12 Security Information eXchange (K12 SIX).

CISA also offers additional resources, such as:

To plug the breach, organizations like Google Workspace are stepping up.

Not only have these attacks disrupted school operations, but they also have impacted students, their families, teachers, and administrators. Sensitive personal information – including, student grades, medical records, documented home issues, behavioral information, and financial information – of students and employees were stolen and publicly disclosed. Additionally, sensitive information about school security systems was leaked online as a result of these attacks.

The White House, “Biden-⁠Harris Administration Launches New Efforts to Strengthen America’s K-12 Schools’ Cybersecurity

Google for Education’s Cybersecurity Guidebook

Google’s K-12 Cybersecurity Guidebook restates the problems K-12 schools face. It seeks to offer solutions specific to Google products and services. For example, some of the solutions include:

  • Using secure authentication to protect sensitive information
  • Strong passwords and two-step verification (or multi-factor authentication), passkeys, and password managers
  • Put in place zero trust principles to restrict access to those who need it
  • Update and upgrade systems (including Chromebooks)
  • Rely on real-time alert and monitoring systems for devices on the school network
  • Protect against inappropriate account logins, file sharing, phishing, malware, and other threats
  • Provide training to teachers, staff, and students

Google’s guide offers specific suggestions, including relying on data encryption and isolating accounts. Isolating accounts ensures “users only have access to their own information.” To underscore these solutions, the following statistics are cited from the Sophos State of Ransomware paper:

  • 100 million phishing attempts are blocked by Gmail daily
  • 300,000 unsafe websites are identified by Google
  • 46% of ransomware attacks are harder to stop due to sophistication
  • 38% of organizations expect to be targeted

This data supports Google’s assertion that implementing its solutions can protect your school. At least, insomuch as your school relies on Google Workspace for Education.

An Important Read for Google Admins

If you are a Google Workspace for Education admin, the CISA report and Google Cybersecurity Guidebook are must-reads. Put the practices into place. While not sufficient to safeguard your entire enterprise, these provide very valuable information.

Featured Image: Screenshot by author: CISA, Partnering to Safeguard K-12 Organizations from Cybersecurity Threats (page 1)

You may also like

Leave a Comment

You've Made It This Far

Like what you're reading? Sign up to stay connected with us.



*By downloading, you are subscribing to our email list which includes our daily blog straight to your inbox and marketing emails. It can take up to 7 days for you to be added. You can change your preferences at any time. 

You have Successfully Subscribed!