In August, Google announced its updated K-12 Cybersecurity Guidebook. The guidebook starts with key points from CISA’s Protecting Our Future report and covers NIST’s (National Institute of Standards and Technology) updated Cybersecurity Framework. For certain, cybersecurity is keeping people up at night. Since October is Cybersecurity Awareness Month, let’s take a moment to explore these changes and potential implications.
CISA’s Protecting Our Future Report
The CISA Protecting Our Future report revisits the idea that malicious cyber actors are targeting K-12. These attacks can have “catastrophic impacts on students, their families, teachers, and administrators.” The report’s authors hope it assists schools in reducing the risks of a cyber catastrophe.
What makes up a catastrophe? Any and all the following:
- Data breaches
- School ransomware attacks
- Deleted school data
- Misused data
You can see that reported incidents have risen from 2018 to 2021, from 400 to 1,300 events.
Some key findings include:
- Schools need to deploy multi-factor authentication (MFA) and mitigate known exploited vulnerabilities. They also suggest implementing and testing backups. Additionally, they advocate for exercising an incident response and training plan aligned with national frameworks.
- District leaders must be creative in seeking funding and securing resources. This includes grants, low-cost services and products, and relying on secure cloud and trusted management services.
- The report encourages engaging in information sharing with other school districts. Two forums include the Multi-State Information Sharing and Analysis Center and the K12 Security Information eXchange (K12 SIX).
CISA also offers additional resources, such as:
- K-12 Media Kit: Key Findings
- K-12 Media Kit: Key Findings and Recommendations
- K-12 Media Kit: Implement Most Impactful Security Measures
To plug the breach, organizations like Google Workspace are stepping up.
Not only have these attacks disrupted school operations, but they also have impacted students, their families, teachers, and administrators. Sensitive personal information – including, student grades, medical records, documented home issues, behavioral information, and financial information – of students and employees were stolen and publicly disclosed. Additionally, sensitive information about school security systems was leaked online as a result of these attacks.
The White House, “Biden-Harris Administration Launches New Efforts to Strengthen America’s K-12 Schools’ Cybersecurity“
Google for Education’s Cybersecurity Guidebook
Google’s K-12 Cybersecurity Guidebook restates the problems K-12 schools face. It seeks to offer solutions specific to Google products and services. For example, some of the solutions include:
- Using secure authentication to protect sensitive information
- Strong passwords and two-step verification (or multi-factor authentication), passkeys, and password managers
- Put in place zero trust principles to restrict access to those who need it
- Update and upgrade systems (including Chromebooks)
- Rely on real-time alert and monitoring systems for devices on the school network
- Protect against inappropriate account logins, file sharing, phishing, malware, and other threats
- Provide training to teachers, staff, and students
Google’s guide offers specific suggestions, including relying on data encryption and isolating accounts. Isolating accounts ensures “users only have access to their own information.” To underscore these solutions, the following statistics are cited from the Sophos State of Ransomware paper:
- 100 million phishing attempts are blocked by Gmail daily
- 300,000 unsafe websites are identified by Google
- 46% of ransomware attacks are harder to stop due to sophistication
- 38% of organizations expect to be targeted
This data supports Google’s assertion that implementing its solutions can protect your school. At least, insomuch as your school relies on Google Workspace for Education.
An Important Read for Google Admins
If you are a Google Workspace for Education admin, the CISA report and Google Cybersecurity Guidebook are must-reads. Put the practices into place. While not sufficient to safeguard your entire enterprise, these provide very valuable information.
Featured Image: Screenshot by author: CISA, Partnering to Safeguard K-12 Organizations from Cybersecurity Threats (page 1)
