Podcast Summary: Cybersecurity Today – "The Escalating Cyber Threats Against K-12 Schools: Insights and Solutions"

Podcast Information:

• Title: Cybersecurity Today
• Host: Jim Love
• Episode: The Escalating Cyber Threats Against K-12 Schools: Insights and Solutions
• Release Date: March 22, 2025
• Guest: Randy Rose, VP of Security Operations and Intelligence at the Center for Internet Security (CIS)

Introduction

In this insightful episode of Cybersecurity Today, host Jim Love delves into the growing cyber threats targeting K-12 educational institutions. Recognizing schools, hospitals, and nonprofits as increasingly vulnerable targets, Love brings in Randy Rose from the Center for Internet Security (CIS) to shed light on the current cybersecurity landscape affecting these vital community pillars.

Understanding the Center for Internet Security (CIS)

Jim initiates the discussion by introducing Randy Rose, who provides an overview of CIS.

Randy Rose [01:39]: "We are known for the CIS controls and the CIS benchmarks. We're a professional advice-giving organization focused on risk offsetting from a cyber perspective."

Rose explains that CIS supports a diverse range of organizations globally, including businesses, government entities, and nonprofits, with a significant focus on K-12 schools in the U.S. through the Multi-State Information Sharing and Analysis Center (MS-ISAC).

The Vulnerability of K-12 Schools

Rose emphasizes that K-12 schools are prime targets for cybercriminals due to their perceived lack of robust cybersecurity measures.

Randy Rose [03:56]: "Cybercriminals can close down schools, reveal confidential information, and cause extensive damage."

He highlights that schools often operate with limited budgets and resources, making it challenging to invest adequately in cybersecurity defenses. This vulnerability is exacerbated by the fact that many schools rely on a small number of IT personnel who are often overburdened and under-resourced.

Key Findings from the CIS K-12 Cybersecurity Report

The core of the discussion revolves around the findings of the 2025 CIS and MS-ISAC K-12 Cybersecurity Report, which analyzed cyber threats impacting over 5,000 K-12 organizations.

Rising Number of Cyber Attacks

Rose notes a significant increase in cyberattacks against K-12 schools over an 18-month period from mid-2023 to end-2024.

Randy Rose [09:19]: "We are absolutely seeing attacks historically year over year."

One striking statistic revealed that there were 9,300 confirmed cyber threats targeting these schools during the study period, averaging nearly two attacks per organization.

Randy Rose [10:04]: "9,300 confirmed incidents... This is the way we detect and escalate things."

Common Attack Vectors

The report identifies phishing as the primary method attackers use to gain initial access.

Randy Rose [13:27]: "Phishing is the number one vector for threat actors to gain initial access to an environment."

Additionally, there has been a notable rise in malvertising attacks—malicious advertisements embedding malware into school systems.

Randy Rose [14:36]: "Malvertisement is malicious advertisement... it's a great opportunity to cast a very wide net and infect as many devices as possible."

Targeting Timing of Attacks

Rose points out that cyberattacks often spike during critical periods in the academic calendar.

Randy Rose [11:37]: "Spikes of activity at the start of the school year... before midterm exams and right before end-of-year exams."

This strategic timing pressures schools to respond swiftly, potentially making them more susceptible to ransom demands.

Impact of Ransomware on Schools

The discussion underscores the severe consequences of ransomware attacks, extending beyond mere operational disruptions.

Randy Rose [30:20]: "When ransomware takes a school offline, it's far more devastating than just a missed school day."

Schools play multifaceted roles in communities, including providing meals and after-school programs. Disruptions can lead to missed meals for children, hindered academic progress, and strain on families who rely on schools for childcare.

Challenges in Cybersecurity for Schools

Resource Constraints

Rose elaborates on the challenges schools face in allocating sufficient resources to cybersecurity.

Randy Rose [16:39]: "It's a challenge not limited to the school sector. They're limited to the funding they have available and to the people who want to work in local government or schools."

Many schools depend on dual-hatted IT staff or rely on managed service providers, which may not always offer the specialized cybersecurity expertise required to fend off sophisticated threats.

Supply Chain Vulnerabilities

The episode touches on the complexities of supply chain security, particularly referencing the PowerSchool breach.

Jim Love [19:00]: "PowerSchool was hacked, leading to significant data leakage."

Rose explains that securing the supply chain involves holding vendors accountable and ensuring they meet stringent cybersecurity requirements.

Randy Rose [22:05]: "We have to start holding the vendors that are providing capability accountable."

Human Factor and Training

Both host and guest discuss the misplaced responsibility often placed on users, advocating for systemic security measures instead.

Jim Love [24:52]: "You have to protect people and educate them at the same time."

Randy Rose [23:56]: "We have to put the onus off of the individual user."

Rose likens cybersecurity to automotive safety features, emphasizing the need for built-in security rather than relying solely on user vigilance.

The Emerging Threat of Artificial Intelligence

While not a primary focus of the report, the conversation addresses the burgeoning role of AI in cyber threats.

Randy Rose [27:25]: "AI, particularly deepfakes, is increasingly used in social engineering attacks."

The potential for AI-driven phishing emails that convincingly mimic legitimate communications poses a new challenge, necessitating advanced AI-based defenses.

Recommendations for Enhancing School Cybersecurity

Rose outlines several actionable strategies to bolster cybersecurity defenses within K-12 institutions:

1. Implement Baseline Security Measures:

   • Adopt the CIS Controls Implementation Group 1 as a foundational framework.
   • Ensure all schools meet essential security standards to mitigate common vulnerabilities.

2. Foster Community and Partnerships:

   • Engage with local networks, risk pools, and information-sharing communities like MS-ISAC.
   • Collaborative efforts can provide shared resources and collective defense mechanisms.

3. Secure Supply Chains:

   • Demand that vendors adhere to robust cybersecurity practices.
   • Conduct regular assessments to ensure vendors maintain necessary security postures.

4. Integrate Security by Design:

   • Incorporate security measures from the inception of systems and tools.
   • Avoid retrofitting security, which is often less effective and more costly.

Randy Rose [32:35]: "Find your community... we have to create those networks of folks that we can rely on."

Conclusion and Takeaways

Jim Love and Randy Rose conclude the episode with a call to action for educational institutions to prioritize cybersecurity. Recognizing the pivotal role schools play in communities, enhancing their cyber resilience is not just an IT concern but a societal imperative.

Jim Love [34:23]: "It's an area of tremendous vulnerability that we really do have to deal with."

Randy Rose [34:49]: "Anything that we can do as a community to support them and the schools, I think it's absolutely essential that we do that."

Listeners are encouraged to access the full CIS K-12 Cybersecurity Report for comprehensive insights and actionable strategies to safeguard educational environments against escalating cyber threats.

Final Thoughts: This episode of Cybersecurity Today provides a thorough exploration of the alarming rise in cyber threats targeting K-12 schools. Through expert insights from Randy Rose, the discussion highlights the multifaceted challenges schools face and offers practical recommendations to enhance their cybersecurity posture. As cyber threats continue to evolve, the imperative to protect educational institutions becomes ever more critical for the safety and resilience of our communities.