Why We Comply: Breaking Down the Learning Curve in K-12 Cybersecurity Compliance
It’s never been more important to protect our children against cybercrimes. A Sophos survey of school IT professionals around the U.S. estimated that 44% of educational institutions were targeted by ransomware attacks in 2020 — more data breaches than we’d ever seen in prior years. The numbers have only climbed since.
Thankfully, the government is responding with new laws and cybersecurity compliance revisions in the hope of educating, funding and bolstering data security initiatives in K-12.
While this is all great news, legal verbiage can be tricky to decipher and it’s easy to get lost in an influx of new information. It can also be challenging for school leaders to break down what new laws mean and what they can do to support pre-existing academic compliance mandates that help secure student data. However, adding two-factor or multi-factor authentication (MFA) may be a good place to start.
What is the K-12 Cybersecurity Act?
The K-12 Cybersecurity Act was signed by President Joe Biden in October of 2021, making it the first grade-school-specific anti-malware law. This bill is excellent news for parents, students and school faculty. This legislation now requires the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to team up with the Federal Bureau of Investigation (FBI) to investigate all attacks on K-12 schools. The bill also requires these agencies to produce comprehensive cybersecurity toolkits in an effort to help educate school IT professionals, teachers, faculty and students.
The toolkits take a holistic approach to cybersecurity, taking into account school size, online presence and access to funding when developing a strategy against threats like ransomware. Some key takeaways from this literature are:
School administrators should implement access control standards so that each user only has access to the applications they need to use.
All students, faculty, staff and parents should use secure authentication tools like MFA to verify their identity before accessing sensitive school data.
School networks should be secured for both on-premises and remote access through the use of a virtual private network (VPN), secure shell (SSH) servers or another secure network product like Duo Network Gateway (DNG).
Districts should insure their data by investing in cyber liability protection (more on this later!).
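The first two takeaways above, least-privilege access control and MFA before access to sensitive data, are easy to state and easy to get subtly wrong in practice. The following is an added example written for this article, not code from the toolkits or from Duo: it implements a standard RFC 4226/6238 time-based one-time password (TOTP) check and a small role-to-application policy, then gates access on password, second factor and role in that order. The role table, user names and application names are constructed sample values; the secret used in the usage call is the well-known RFC test key, not a real credential.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Least-privilege policy (constructed sample): each role may open only the
# applications it needs. Anything not listed is denied by default.
ROLE_APPS = {
    "teacher": {"gradebook", "lms"},
    "nurse": {"health_records"},
    "registrar": {"sis", "transcripts"},
    "student": {"lms"},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current time step plus/minus `window` steps to tolerate clock
    drift on the user's device. Comparison is constant-time so a timing leak
    cannot reveal how many leading digits were correct."""
    counter = now // step
    submitted = code.encode()
    return any(
        hmac.compare_digest(hotp(secret, counter + d, len(code)).encode(), submitted)
        for d in range(-window, window + 1)
    )


@dataclass
class User:
    name: str
    role: str
    totp_secret: bytes  # per-user enrolled secret; stored server-side only


def authorize(user: User, app: str, password_ok: bool, code: str, now: int) -> tuple:
    """Gate access in order: first factor, second factor, then least privilege.
    Returns (allowed, reason) so the reason can be logged for detection."""
    if not password_ok:
        return (False, "password rejected")
    if not verify_totp(user.totp_secret, code, now):
        return (False, "second factor rejected")
    if app not in ROLE_APPS.get(user.role, set()):
        return (False, f"role {user.role!r} is not permitted to use {app!r}")
    return (True, "access granted")


if __name__ == "__main__":
    # RFC 4226/6238 test key; a constructed user and constructed timestamps.
    rfc_key = b"12345678901234567890"
    teacher = User("demo_teacher", "teacher", rfc_key)
    print("TOTP at t=59:", totp(rfc_key, 59))                                   # 287082
    print(authorize(teacher, "gradebook", True, "287082", 59))                  # allowed
    print(authorize(teacher, "health_records", True, "287082", 59))             # role denied
    print(authorize(teacher, "gradebook", True, "000000", 59))                  # MFA denied
```

The ordering in `authorize` matters for detection: a failed second factor after a correct password is a much stronger signal of credential theft than a wrong password alone, and a correct MFA code followed by a role denial points at a policy gap rather than an attacker. Both outcomes are worth logging separately.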
With all appropriate data security measures in place, schools can help protect their student body and their families, the district’s dedicated staff and even the country as a whole from bad actors. Additionally, these protections can help satisfy other compliance mandates like the Family Educational Rights and Privacy Act (FERPA).
Does FERPA protect student data online?
Prior to the signing of the K-12 Cybersecurity Act, districts were held to three main regulatory compliance mandates that also sought to protect school data from malicious access. As a parent, educator, administrator or CISO in the education sector, you’re likely familiar with:
Family Educational Rights and Privacy Act of 1974 (FERPA), which requires that student and school data be kept private and confidential
Health Insurance Portability and Accountability Act (HIPAA), which requires that health records be kept private and confidential
Freedom of Information Act (FOIA), which requires that all records be available and accessible
FERPA is pretty much a catch-all privacy act for schools. Its mandates supersede those of both HIPAA and FOIA, which means that, in a K-12 school district, protecting student health records, transcripts and personally identifying information is required by law. The only student data excluded from FERPA is directory information like a child’s name and home phone number.
Does FERPA require MFA?
In the modern classroom, MFA is required. To comprehensively satisfy FERPA guidelines, any school that handles data online must invest in a two-factor or multi-factor authentication product.
While MFA is not named in FERPA’s text, it does satisfy FERPA’s rigid authentication requirements in the context of digital data. The law requires that schools identify and authenticate all parties before granting access to the data it covers, which is exactly what MFA provides in online data management.
To protect data stored online covered under FERPA, schools must purchase an MFA product that is able to work in all school applications, including custom applications. Some MFA products, like Duo MFA, offer the whole package with an unparalleled user experience, which eliminates unnecessary added steps for busy educators and IT administrators.
Do K-12 schools need cyber liability insurance?
Per CISA’s recommendations, K-12 schools are now strongly encouraged to enroll in cyber liability insurance. In the event of a school data breach or ransomware attack, a good cyber liability insurance policy will cover data recovery costs, plus any expenses incurred by notifying and helping the individual victims. In any school district, a cyberattack can result in lots of unexpected expenses without this added layer of financial protection.
When considering cyber liability insurance for K-12, the importance of a solid MFA solution comes back into play. Most providers require MFA and access control software integrations as a baseline for coverage eligibility.
Why are K-12 data security attacks on the rise, and what can we do?
Today, school districts have many resources at their disposal to keep our children safe from cyberattacks. The challenge that remains lies in finding the right cybersecurity products, securing the right data protection strategies and obtaining adequate funding to accomplish their unique cybersecurity goals. Tools like the K-12 Cybersecurity eXchange (K12 SIX) K-12 Cyber Incident Map demonstrate the sheer magnitude of online threats to U.S. schools.
In 2020, educators in over 150 pandemic-afflicted nations were forced to display incredible resilience as they navigated an unexpected, rapid shift to remote work. To adapt to unprecedented change, they had no choice but to pioneer educational software-as-a-service (SaaS) tools, adjust curriculum coursework and whip up creative solutions. As if educational IT professionals weren’t already inundated with help desk tickets before the remote learning shift, they now carry this learning-curve burden for their entire district.
Two years later, the online learning tools employed during the pandemic are now permanent fixtures in classrooms – and schools are still struggling to understand exactly how to secure them. Furthermore, educational budget constraints still pose a challenge for many districts, leaving major gaps in their security strategy.
Fortunately, there are endpoint security solutions out there that can solve these challenges without restricting staff or draining the school budget. These solutions should adequately check MFA boxes and also offer VPN protection for onsite learning and robust remote access solutions for remote learning. Duo’s flexible, effective, user-friendly and easy-to-deploy security products are built for use cases like schools. Products like ours even support lower total cost of ownership (TCO) in the education industry.
Want to learn more?
Check out these additional resources our team has put together: