Due to the growing number of cyber incidents in schools, cybersecurity has become an important part of K-12 education in recent years. In fact, statistics say that K-12 cyberattacks more than tripled over the pandemic, from 400 reported incidents in 2018 to over 1,300 in 2021.
Many states have passed K-12 cyber compliance requirements in response to these worries. One of the most important parts of the cyber compliance requirements for K-12 schools is the requirement to use basic security measures like implementing cybersecurity policies, cyber risk assessments, and cyber awareness and training. The requirement that schools report any cyber incidents is another important part of K-12 cyber compliance laws. By reporting these events, schools can work with federal and state agencies, along with other cybersecurity experts, to find potential threats and take steps to stop them.
Protecting schools from cyberattacks
The efforts towards protecting schools from cyberattacks seem to be gaining traction, according to V3 Cybersecurity, a unique company focused on contextualizing security programs from a business perspective. They are the purveyors of the Minerva EDU Cybersecurity Risk Management platform and VCISO provider.
According to the company's Founder and CEO Jorge Conde-Berrocal, "While it is generally accepted that legislation in K-12 is a continued need at the state and federal level, our data and research tell us that how the regulation is crafted plays a significant role in its effectiveness."
Effectively defined K-12 cyber regulatory requirements give schools a clear path to follow regarding cybersecurity. Even with these requirements, many schools don't have a clear idea of the cybersecurity risks they faced or how to deal with them.
"The popularity of ransomware, zero day attacks, and the loss of personal data make for a good news cycle, our data shows that most organizations lack the necessary resources needed to effectively reduce the risk associated with, or recovery from, such events," Conde-Berrocal elaborates.
By making K-12 cyber compliance requirements, for example, risk assessments, schools will be better able to spot possible risks and protect their systems before they happen. K-12 cyber regulatory requirements provide schools with a mandate to secure the data privacy and digital safety of students and staff. Unfortunately, this requirement has become a challenge and a pain point for most school districts that do not have the resources to achieve compliance. Gaining access to these critical resources has become one of the biggest challenges facing an increasingly digitized and underfunded K-12 sector.
Facing the challenges
It's important to remember that even though K-12 cyber regulatory requirements (TEC 11.175 and NY ED Law 2d) are working to protect schools from cyber risk, schools still have to deal with a lot of problems. The cost of setting up and maintaining cybersecurity protocols is one of the most vital ones. Many schools, especially those in low-income areas, might not have the money to implement the necessary security steps.
In this regard, former Texas Education Agency CISO and CEO of ATX Cybersecurity Strategies, Frosty Walker, emphasized the importance of pairing well defined legislation and funding:
"Cybersecurity legislation can be effective in the K-12 community, but without proper funding, the process can take much longer to get cybersecurity to the anticipated levels. After Texas Education Code 11.175 was passed, we saw an increase in cybersecurity posture awareness and prioritization. We are seeing some schools using a structured risk assessment framework to analyze their security posture acquire 1 million dollars worth of cybersecurity insurance at an affordable rate, indicating the insurance companies understand the value of a structured cybersecurity framework in a K-12 environment."
Another challenge is the rapidly evolving nature of cybersecurity threats. As bad actors become more sophisticated, schools must continually update their cybersecurity protocols to avoid potential online hazards. Conde- Berrocal added, "Cybersecurity is a journey not an event. Implementing affordable and sustainable cyber solutions is the key to addressing the needs of K-12 organizations."
At the moment, K-12 cyber regulatory requirements are a step in the right direction towards keeping schools better prepared for cyber incidents. By implementing basic cybersecurity strategies, reporting incidents quickly, and having a clear cybersecurity plan, schools can better identify and mitigate risks. V3 Cybersecurity plays a significant role in helping schools achieve and maintain compliance with these newly defined laws. Through the use of automation and intelligent technology, companies like V3 Cybersecurity are elevating the status quo in K-12 cybersecurity.