The United States K-12 sector saw a three percent increase in cybersecurity maturity from 2021 to 2022, with schools generally performing best in the assessment's identity management and access control, awareness and training, and business environment categories.
Despite these advancements, the Center for Internet Security (CIS) still gave the sector a failing score, 3.55 out of seven, for cyber maturity in a Nov. 14 report.
“The K-12 sector is improving in its cybersecurity capabilities over time, though the sector lags behind other sectors when comparing cybersecurity program maturity,” the report, written by CIS’ Multi-State Information Sharing and Analysis Center (MS-ISAC), said.
CIS collected data from 197 school districts during the 2021-2022 academic year to gauge their progress in implementing a cybersecurity strategy and basic practices like multi-factor authentication (MFA), employee training, and incident response planning.
The report found that 81 percent of schools had not fully implemented MFA, and 29 percent were not using MFA at all. Schools also registered poor marks for encrypting data on removable media, collecting audit logs, establishing a data recovery process, and assessing their service providers' cybersecurity practices.
CIS found that cybersecurity accounts for less than one percent of the IT budget at nearly one-fifth of K-12 schools. The average school spent only eight percent of its IT budget on cybersecurity last academic year.
The report stressed the threat ransomware poses to K-12 schools and districts, warning that attacks are likely to continue to increase this academic year.
“Ransomware attacks are the most impactful cybersecurity threat in terms of total cost and downtime,” the report said. “K-12 ransomware attacks take months, if not longer, to remediate and can cost over $1 million.”
CIS offered the K-12 sector five recommendations for building an effective cybersecurity program able to prevent and defeat cyberattacks:
- Join a cyber defense community;
- Routinely complete cyber maturity assessments;
- Follow globally recognized cybersecurity best practices;
- Engage in real-time cyber threat intelligence; and
- Implement network and endpoint defenses to protect the IT environment.