Keeping K-12 Cybersecure–the newsletter of the K-12 Cybersecurity Resource Center–curates the best cybersecurity and privacy news for K-12 policymakers, administrators, IT professionals, vendors, and privacy advocates. The latest edition (Keeping #K12CyberSecure [#24]: “The Opposite of Winning”) provides information on recent updates to the K-12 Cyber Incident Map, other additions to the Resource Center, informed commentary, and curated news you can use.
While there’s much more available in the newsletter itself, here’s a sampling of the must-read articles published since last edition:
- According to reporting from the New York Times: Hackers’ Latest Target: School Districts. The article quotes CoSN executive Keith Krueger, who suggests one of the reasons for the surge in cybersecurity incidents in K-12 education is that small school districts have fewer resources to address the issue and are thus more vulnerable. Unfortunately, this assertion is not borne out by the data collected to assemble the K-12 Cyber Incident Map. In fact, publicly disclosed incidents are much more likely to have involved larger school districts. If we are going to help districts address the challenges they face, we need accurate diagnoses of the issues.
- Benjamin Freed reports that the recent ransomware surge affecting school districts and others may be linked to a Russian criminal group.
- Keeping secrets from parents about school cybersecurity incidents is not the best strategy: “All I can say is if they had a data breach and are not notifying us, then trust and believe they are about to have much bigger issues on their hands besides a stinking phone system,” said one parent. Meanwhile in IL, a new law will require schools to notify parents of data breaches sooner.
- The K-12 Cyber Incident Map previously reported on a data breach incident involving services provided by Graduation Alliance. Further investigations claim to debunk the original reporting of a breach (“State, vendor: No student data breach on college, career planning sites connected to TN schools,” and “Probe finds no unauthorized access to Hawaii public school student data”), but the story doesn’t seem to add up. There certainly seems to be more to tell.
- Leadership for Educational Equity, a spin-off organization of Teach for America, experienced a data breach that exposed information about current and former teacher members.
- K-12 IT systems are not rated as ‘critical infrastructure,’ which may be fine until one realizes they are interconnected with other state and local IT systems (“Some crime cameras went down after school district ransomware attack”).
- Even when public agencies (including school districts) are hit by ransomware and could recover their files on their own, some insurers prefer to pay the ransom. Why? The attacks are good for business (“The Extortion Economy: How Insurance Companies Are Fueling a Rise in Ransomware Attacks”). At the same time, other insurers are re-thinking whether it’s in their best interest to keep offering the plans that help clients recover from devastating cyberattacks (“Demand for cyber insurance grows as volatility scares off some providers”). What’s this all mean for the future of the cybersecurity insurance market? Cory Doctorow breaks it down for us: “Why haven’t cyberinsurers exerted more pressure on companies to be better at security?”
- National Guard cyber response teams have been responsible for getting thousands of school children in Texas and Louisiana back online and into the classrooms following a rash of cyber attacks.
- Steven Singer asks, “What kind of a—hole ransoms school data?” The a—holes we allow to get away with it.
- From the UK, the NCSC and the London Grid for Learning have completed research looking into the cyber security experiences of more than 400 schools. Interesting stuff and worth the read.
Be sure to check out the full newsletter and sign up to ensure you get all the latest news direct to your inbox. And, as always, please contact us with any feedback, tips, or suggestions.