Federal officials and other expert speakers focused on K-12 cybersecurity and healthier digital habits for students this week during a national summit about school safety.
This marked the second time the federal Cybersecurity and Infrastructure Security Agency (CISA) has convened the National Summit on K-12 School Safety and Security, and the event came just months after federal agencies announced a nationwide effort to ramp up public information and support around school cybersecurity.
Schools and school districts hold troves of sensitive information, from employee financial information to students’ mental health records. At the same time, schools, like much of government, struggle with legacy technology as well as limited staffing, training and/or budgets for cybersecurity, said Terry Loftus, CIO and assistant superintendent of the San Diego County Office of Education, during the summit.
Hackers and cyber insurers are both increasingly aware of the mismatch between the high value of school districts’ data and their typically limited resources. Hackers are making frequent attacks, while insurers are raising prices and tightening restrictions.
“For K-12 schools, cyber incidents are so prevalent that, on average, there’s more than one incident per school day,” said CISA Director Jen Easterly during the summit.
The problem is global, too, and 2022 saw malware attacks targeting K-12 organizations worldwide rise 323 percent year over year, and ransomware attacks on K-12 and primary schools rise 827 percent, per cybersecurity company SonicWall.
Public entities are especially likely to face frequent attacks and to see attackers penetrate defenses, Loftus said. In light of this, cyber insurers are raising policy renewal prices, declining to write new cyber policies or requiring policyholders to follow more cyber controls.
“Did you know that the insurance carrier could deny payment on a claim due to having old, outdated or unpatched software?” Loftus said. Cyber insurers increasingly insist on multifactor authentication (MFA), endpoint detection and response (EDR), software life cycle management and cyber training programs, he said.
These measures can all be helpful, both to appeal to insurers and to reduce risks. For the many schools bucking up against limited cyber resources, free offerings can help ease the burden.
The Center for Internet Security (CIS) provides a free cybersecurity self-assessment, and its CIS Critical Security Controls offer a prioritized set of cyber best practices and safeguards. It also offers some free cybersecurity services, such as malicious domain blocking and reporting (MDBR). CISA also has online resources for conducting tabletop exercises and earlier this year published a toolkit and report on K-12 cybersecurity. CISA announced in August it would give 300 new K-12 entities individualized support.
But hackers aren’t the only risks for schools in today’s increasingly online world. Speakers at the summit also addressed the implications of heavy social media use on youth mental health — an issue that recently spurred dozens of states to sue social media giant Meta.
The American Academy of Pediatrics recently launched the Center of Excellence on Social Media and Youth Mental Health to provide information and promote best practices around healthy social media use.
Center co-directors Megan Moreno and Jenny Radesky likened teaching kids to use social media safely to teaching them to swim or drive — activities in which children initially benefit from a lot of guidance and monitoring, until they’ve developed the skills and understanding to handle it. Kids’ relationships with social media will also change over time, across different ages and development stages.
It’s impossible for parents to fully monitor or control their kids’ online activities, Radesky noted, but parents can focus on listening and fostering trust that could encourage their children to come to them about upsetting experiences.
Educators and parents also should keep in mind that children turn to social media for different reasons, not all of which merit the same kind of response.
“To support youth mental health, we need to wonder about what’s going on in that child’s mind,” Radesky said.
The center recently interviewed 11 to 17 year olds who spent hours on their phones during the average school day. Many said they were communicating with friends — a normal pursuit at that age. Some teens, meanwhile, were being drawn to their phones by frequent notifications, while others said they turned to their phones to calm or distract themselves when feeling overwhelmed, Radesky said.
Knowing kids’ motives can help schools that want to reduce the distraction of phones. Teachers might ask students to set their phones to “Do Not Disturb” or turn off unnecessary notifications during class. Radesky also recommended encouraging kids to self-reflect on their habits, including asking students to consider what inspired them to turn to their phones and whether doing so had helped or just distracted or distressed them.