Keeping K-12 Cybersecure–the newsletter of the K-12 Cybersecurity Resource Center–curates the best cybersecurity and privacy news for K-12 policymakers, administrators, IT professionals, vendors, and privacy advocates. The latest edition (“Keeping #K12CyberSecure [#27]: “The Thanksgiving Edition”‘) provides information on recent updates to the K-12 Cyber Incident Map, other additions to the Resource Center, informed commentary, and curated news you can use.
While there’s much more available in the newsletter itself, here’s a sampling of the must-read articles published since last edition:
- Share this story (“Student’s email, Facebook ‘hacked’ in Library“) with your students and teachers as a reminder they should always, always remember to log-out of their accounts. And while you are reaching out, be sure to remind them not to re-use their passwords (“Chegg data breach causes uptick in Student Admin attacks“).
- Illinois man’s hacking conspiracy tied to 2016 Franklin Regional (PA) school ‘cyberattack’. Maybe now that law enforcement has caught their big fish, they can let the minnow go.
- Deny, deflate, decry, deflect: what’s next? First, the New Jersey district denied they experienced a significant data breach. Then, they threatened to sue the newspaper for publishing a story about it. Some suspect the breach was symptomatic of a management issue. Now, they are blaming students.
- Reminder: School district networks may be interconnected with other local and state government agencies, including other school districts and, yes, even charter schools: “Here’s how the Las Cruces Public Schools cyber attack affected charter schools.”
- One of the challenges of interfacing with your local school community about school IT and cybersecurity issues: not everyone understands what is under a school district’s direct control and what is not. What’s not? Example 1 (“Officials: Google search for schools include explicit images“) and example 2 (“Vestal School District releases statement regarding ‘inappropriate and false’ text on its website“).
- How transparent should government be after a cyberattack? Probably more transparent, but there are real challenges.
- State of the states:
- For the second time this year, Louisiana activated its cybersecurity team in response to a ransomware attack on state and local agencies. The first time was in response to coordinated ransomware attacks against LA school districts.
- Texas House Bill (HB) 3834 requires annual cybersecurity training for school district employees to be completed by June 14, 2020 by approved providers. To that end, HB 3834 required the Department of Information Resources in consultation with the Texas Cybersecurity Council to certify at least five cybersecurity training programs for state and local government employees. The list of certified programs is now posted.
- In a similar vein, MA recently announced cybersecurity awareness grant program awards to state and local government agencies, including to select public school districts.
- There is (a lot of) work still needed to protect student information against hackers, an audit of the Oregon Department of Education’s student data handling practices finds. Before you react, know that this isn’t the first such audit of the Department: “Protection of Personally Identifiable Information in Oregon’s Statewide Longitudinal Data System” (2016).
- Experts notice an uptick in data breaches and ransomware attacks within schools in Indiana. It’s not just in Indiana, though.
- Voices from the field: Over on the OpsecEdu blog, Nathan McNulty of Beaverton School District is out with the third article in his series, “Using transport rules as a security tool.” Be sure to check out Part 1 and Part 2 if you missed them.
- Some good stuff here if you are looking to build out your cybersecurity library and for a good cause.
Be sure to check out the full newsletter and sign-up to ensure you get all the latest news direct to your inbox. And, as always, please contact us with any feedback, tips, or suggestions.