
The Escalating Cyber Threats Against K-12 Schools: Insights and Solutions In this episode of 'Cybersecurity Today,' host Jim Love discusses the rising trends and severe impacts of cyber attacks on K-12 schools with Randy Rose, VP of Security...
Jim Love
Welcome to Cybersecurity Today. We've all seen a movie where somebody hacks into a local school. I think Ferris Bueller's Day Off is still one of the most perfect films ever made. It's one of the iconic feel-good movies. Hard to believe it was made in 1986. Ferris managed to not get in trouble for skipping school while he hacked in and changed his attendance record. Another great film, and maybe still, I think, iconic as well, is Matthew Broderick in WarGames. He hacks into his school before he ends up taking the world to the brink of nuclear Armageddon. These movies make it look easy. I'm not going to propose that hacking anything is good, but they're a prank, an act of rebellion. Real life today shares one of those characteristics. It's still far too easy to hack into a school system, but it's no prank. This is serious business. Cybercriminals can close down schools, they can reveal confidential information, they can do a heck of a lot of damage. We've discovered more and more of these groups are actually going after education, hospitals and not-for-profits because they're relatively easy targets. I wanted to discuss that today. And across my desk came a note from a guy, Randy Rose, VP of Security, Operations and Intelligence at the Center for Internet Security. Welcome, Randy.
Randy Rose
Thank you. Thanks for having me, Jim.
Jim Love
You guys just did a study on this and I want to get into that and talk through some of the things that you've got in that study about K-12 organizations. But before we do that, can we talk about what the Center for Internet Security is?
Randy Rose
Absolutely. So the Center for Internet Security, or, as we call it, CIS, the common vernacular around here. CIS is a little bit easier to say than the mouthful that is Center for Internet Security. We are probably best known as a best practices organization. We're known for the CIS Controls and the CIS Benchmarks. So as Tony Sager, our Chief Evangelist, likes to say, we're a professional advice-giving organization, and it's really in that, you know, offsetting risk from a cyber perspective, putting things in place that help reduce cyber attacks on your environment. We also run the MS-ISAC, the Multi-State Information Sharing and Analysis Center. The ISAC model brings together communities for threat intelligence sharing and cybersecurity awareness. We actually provide a number of tools and services to state, local, tribal and territorial governments in the US through the ISAC. And that's where a lot of our report, the K-12 report, comes from: a huge chunk of our membership are actually K-12 schools in the US.
Jim Love
How did you come to work there?
Randy Rose
I was a state employee in New York back in 2009. That's how I found out about the MS-ISAC. I was a member of the MS-ISAC for many years. I moved from the state of New York into the federal government space. I worked for the US Navy and an organization called the Defense Information Systems Agency in Europe. And when I was in Europe, when Covid hit, I actually reached out to some colleagues from the MS-ISAC and I said, look, I'm over in Europe, we gotta get back to the US because this Covid thing's pretty serious. We were about two weeks ahead of the US in Europe. I started making some phone calls and one of my colleagues said, we have an opening that would be perfect for you. I came over as the Director of Threat Intelligence and the rest is history. I've been part of the team now for five years.
Jim Love
And does CIS... I keep wanting to say CSI. I'm sure it happens all the time.
Randy Rose
Easy mistake.
Jim Love
Yeah. Does CIS deal only with schools or are there other organizations that you support?
Randy Rose
We support all sorts of organizations. We're actually a global organization, you know, helping organizations improve their cybersecurity footprint. So that's businesses, international organizations, you know, anybody who needs help or assistance, whether you're commercial or for-profit, I'm sorry, commercial or nonprofit, NGO, government, it doesn't really matter. So on the best practice side, we work with anybody. On the ISAC side, I like to describe it as what we call the SLTT community: State, Local, Tribal and Territorial. It's an acronym that doesn't really exist outside of that community, so most people don't know what that means. But I describe it as taxpayer-funded organizations below the federal government level. So if your taxes are fueling that, and that's everything from schools to libraries to public safety to public utilities, public higher education, state colleges and things like that. And really anything you can imagine: county, cities, towns, villages, all of that.
Jim Love
One of the things that attracted me to this was not just schools, and schools are important, but it was this idea that there are so many government organizations, agencies, not-for-profits, and they really don't have the support they need. It's almost a crime in some aspects because they're not big enough to invent cybersecurity each time. If you could coalesce and provide support to a range of them, it's a good thing to do.
Randy Rose
Yeah, you're absolutely right. We have this term we call the cyber underserved. We usually refer to that within the local government community, but it's not only the local government. So you mentioned nonprofits and businesses, especially small businesses. And at the end of the day, this really is an ecosystem, whether you're talking about Canada, the US, Europe. It's an ecosystem of local governments, businesses, nonprofits, NGOs and private citizens coming together to fuel the economy, delivering services, using those services. All of those are at risk from a cyber attack perspective. They're all at risk at any given time. And yeah, there's really a lot of connective tissue, I think. And schools in particular are a focal point of the community. They provide services well beyond what we think of as education for students. It really is an important piece.
Jim Love
Often the school can be the focal point of a small community particularly, and even a larger community, be that a neighborhood or whatever. When schools close, sometimes there are towns that are small enough that they're the biggest employer. They provide a lot more to the community. Interesting. I think a lot of these smaller organizations have for years thought that they had security by obscurity: no, who's going to attack a small organization? No one will come after them. I don't know the situation in the U.S. I think we're going to find out from you. But here in Canada, we found that these smaller organizations are being targeted because they're easy. Is it the same?
Randy Rose
Well, in the U.S. I think there are two big things. So you hit on one of them, which is it's easy. So a lot of the attackers that are out there, at the end of the day, they're looking for a quick win. Most attackers that impact local governments and small organizations have a financial motive. They're just trying to get a buck quickly. So I think low-hanging fruit is a huge piece of it. Right. Whatever is the easiest. This is something we've seen over time, particularly in the K-12 and school space. But in the local government space and nonprofit space specifically, their budgets are public information. And so an attacker can actually see information about a school budget or a town budget or any public organization, nonprofit organization, and they see a dollar sign. It doesn't matter to them that every dollar in that budget is already assigned to something. Right. It's already allocated. They just see a dollar sign.
Jim Love
So they would think that these organizations have way more money than they actually do.
Randy Rose
Absolutely. Even the small ones. Right. A small district somewhere, from a pure numbers game, has a relatively large budget. Right. From an attack perspective, you're seeing a couple million dollars, but that's an attractive number as an attacker.
Jim Love
A lot of these places, some schools in small communities, are the largest employer. There's a number of people working there. They have a significant payroll. Doesn't mean they've got a lot of money to spend. We all know they don't. One of the problems is how can they spend money on cybersecurity? Let's go to your report. You've got 5,000 organizations, K-12, on this.
Randy Rose
Our total number of organizations that we support today is over 18,000. The largest single sector across all of our members is K-12. So that's where that number 5,000 comes from. And we see data around these schools, all 5,000 of them. We don't actually have telemetry for all 5,000 of them, but any of them at any time can send us information. We talk to schools, we're integrated with them. We're having conversations with them all the time. A number of them also have sensors deployed on them from our organization or they're shipping logs to us. Telemetry that they have: logs or data that's inherent in their environment. But it's not something that we run through our SOC. I should probably explain what a SOC is. A Security Operations Center.
Jim Love
Thank you for explaining the term. I never know at what level I should be explaining them, you know, but even somebody who's been around a long time often hears an acronym that they don't quite get. That happens to me all the time.
Randy Rose
This community loves... we love our acronyms, right?
Jim Love
Oh, we certainly do. And sometimes we don't even know what they mean. So if you're anybody out there listening, always ask. If somebody makes fun of you, they're not worth it. Most people will explain what an acronym is if you ask them to do it. So let's talk about the study and the big impact that showed a big rise in attacks.
Randy Rose
Well, it's always interesting because not just our telemetry, but our membership grows year over year. So you always have to account for that too. It's not a static number. Sometimes the rise in attacks is also in proportion to the fact that we're adding more organizations year over year. Our growth rate of organizations that we support is actually pretty phenomenal. So you always got to take those numbers a little bit with, you know, a grain of salt. But yeah, we are absolutely seeing attacks historically year over year, not just... So this report covers from mid-2023 through the end of 2024, which is an 18-month period. And really, if you go back further in time, we have steadily seen attacks against the K-12 sector grow year over year. They're targeted by ransomware actors.
Jim Love
One of the other numbers that jumped out to me was 9,300 confirmed cyber threats. You've got a population of 5,000, you've got an 18-month period, 9,300 attacks. That's pretty much one for everybody and some change.
Randy Rose
So, and I should probably point out how we identify these. The terminology there, right? So that terminology is 9,300 confirmed incidents. That doesn't necessarily mean a complete intrusion, but it's the way we detect and escalate things. We are constantly looking for cybersecurity events on a network. A lot of those events end up being false positives or they end up being mitigated by some detection tool somewhere down the line. And anything that we look at that we say, okay, this is definitely not a false positive and it doesn't appear to have been blocked. This is evidence of a piece of malware on the network. This appears to be a member who clicked on a phishing link, who's actually interacting with the malicious website that's collecting information. Any of those kinds of things are considered incidents. It doesn't necessarily mean an intrusion has happened, but an incident can always lead to an intrusion. Right? So that's the concern. So the 9,300 are incidents that occurred. Those are things that we detected and escalated. Now it's our opportunity to work with those schools, the IT directors and the IT staff of those schools, to make sure that we're mitigating those before there is an actual intrusion.
Jim Love
I'm going to assume that the same thing applies from the commercial sense to the school sense. These cybercriminals will always come at you on a Sunday night or on a holiday.
Randy Rose
We see some interesting patterns in the K-12 space. We actually see patterns where there's spikes of activity at the start of the school year, which is typically end of July, August or early September for most districts in the U.S. We also see spikes right before midterm exams and right before end-of-year exams. We don't know exactly why that is, but putting our critical thinking hats on, why would those times, why would right at the start of the school year, right at the midterm period, and right at the end of the term period be interesting times for attackers to go after them? Because those are times where there's increased pressure on the school district to respond, from the attacker perspective, respond positively to them. Right. Meaning there's pressure on them to pay the ransom and to pay it quickly.
Jim Love
So the interesting thing is, even for a relatively low-value attack into the organization, where you reasonably think they don't have a lot of money, they're still doing their homework.
Randy Rose
Oh yeah, absolutely. So you're talking about, like, not having a lot of money from the criminal side...
Jim Love
To pay the ransom. I think they might be fooled by the budgets too. They're investing some time in this if they're studying to find out when you're doing your exams, all those sorts of things. This isn't just, well, let's hack a school; they're going after this.
Randy Rose
Let's hack a school and find the right time where the pressure is the highest on the school district to pay. It's the same reason why we see ransomware actors going after a town or a city. They'll go after the utility, right? If they can turn the water off, that puts an additional amount of pressure on the city to pay the ransom. It's a lot different than taking down the tax collection database. There's not as much pressure on them to get that back up and running. But if you start impacting the water systems, there's a lot of pressure to resolve that quickly.
Jim Love
What else did you learn from this study? What were the big things that jumped out to you?
Randy Rose
I think some of the biggest things that we see is it confirms a lot of things that we've known for a long time in terms of what the most common attack types are. So we actually saw major spikes in human-centered or human-focused attacks. But what was actually really interesting, so we saw a massive amount of phishing domains blocked. So we know phishing is the number one vector for threat actors to gain initial access to an environment. Large increase in malvertising attacks, which was a bit of a surprise to me. And so what malvertising is, those are essentially malicious advertisements, right? Malvertisement is malicious advertisement. So what that is is malware or some other, you know, form of malicious code introduced to an environment through an advertisement placed on a website. So you think about, from the school perspective, what kinds of websites is a school most likely to go to? Probably a lot that mirror the rest of society, but news sites, sports, maybe some education or edtech type organizations. If you can buy ad space in those environments and embed some malicious code, it's a great opportunity to cast a very wide net and infect as many devices as possible.
Jim Love
And are the schools linked with school boards? Where does the overall management protection come from in your area?
Randy Rose
It's a really good question. It's kind of all over the place in the US. The way that schools operate differs from state to state and region to region. Most public schools do have a school board of some sort. The function of those school boards can differ. In some cases the school board primarily is responsible for financial management. In some cases they're responsible for much more. Some schools have dedicated IT staff, and some really well-resourced schools may actually have IT staff that includes cybersecurity staff. On the whole though, in the U.S., most schools, if they have an IT person, they're dual-hatted to perform those cybersecurity functions. We've actually seen schools that, it's going to sound like a joke, but it's not. We've seen schools where the school nurse is also the IT person because the server happens to be located in the nurse's office. Or somebody who has a business management function in the main office is also the IT director because they're the most skilled with computers. Oftentimes they'll work with an outside provider, a managed service provider, to implement technology. But I mean, it runs the gamut in terms of how these organizations function, what resources are allocated to them, and not just financial resources, but people resources and experience and technology. Some of the technology is really outdated, some of it's very modern.
Jim Love
I find that amazing because in Canada it's a school board responsibility to take care of the administration of schools and to provide the IT support and things like that. At least I think in most cases. You might have a teacher in some places that knows how to work the projectors or some of the computer equipment. But for the most part it's done with the school board, and they're still under-resourced. Some of the school boards here are quite large, but they don't have the budget to handle cybersecurity, even from a proactive point of view. When it comes down to recovering from a cyber incident, they are going to be really, really in trouble.
Randy Rose
Yeah, I mean, it's a challenge not limited to the school sector. That's the case in local government in general. They're limited to the funding they have available and to the people who want to work in local government or schools. You're probably not going to get rich doing that. Right? They could. If you have a particular skill set in IT or cybersecurity and you have the choice of going and working for an organization like Google or Sony and making $250,000 a year to stay home, or making $50,000 a year and having to be in the office across town. You really have to find the people who are dedicated and want to be public servants. They're unfortunately hard to come by, I think, in the IT and cyber space in many cases.
Jim Love
Yeah. And even in Canada, I honestly believe teachers are better paid on average in Canada, at least relative to most of the U.S. But still, I always laughed at these people who were saying, you know, the teachers make big money. Yeah, my parents managed to keep us fed, but that was about it.
Randy Rose
Teachers are criminally underpaid, in my opinion. And it's not just the teachers, it's the administrators and the staff for what they provide.
Jim Love
But the net result is that you can't attract the type of staff who would... And there's nothing wrong with it. There's a shortage of people in cybersecurity. The compensation reflects that shortage. And it's really hard to find people who... What else came out of the report that you looked at and said, wow, I really learned something from that?
Randy Rose
Well, you know, a lot of it is stuff I see every day. I live in this world every day. So looking at the data, and we slice and dice data all the different ways. And it's always interesting when you go by sector and say, oh, this is interesting. Like this particular malware, this downloader, or this RAT, which would be a remote access Trojan, is a much higher percentage in this vertical than in this other vertical. Those kinds of things are always really interesting. We saw about 60% of the total malware impacting schools was something called SocGholish, which is a JavaScript downloader. It's actually kind of interesting because we did see a spike across all sectors, but not to that extent in the other sectors. K-12 was by far the largest where SocGholish was particularly focused.
Jim Love
What does it do? It's a JavaScript, but what does it do?
Randy Rose
It could do a number of things. It's basically a downloader, so it can be used to download other forms of malware. It's often been connected with a couple different RATs. So one of them, the big one, is AsyncRAT. And we've actually seen some evidence where SocGholish has been tied to different ransomware campaigns.
Jim Love
And so for the most part, not a surprise. But most of the malware that you're seeing is coming in through a mistake or phishing. Human intervention usually, or lack of intervention sometimes. I guess that's what you see. What about supply chain? We had PowerSchool up here. I'm sure it went through the US as well. For the audience that might not know, we've covered it as a story, but PowerSchool was basically a system that is used by schools. It helps, I think, with marking, with a lot of things, but they were hacked. A lot of our biggest school boards here in Canada found a lot of data leakage. They may not have a lot of money to pay, but the value, or at least the threat, of leaking the personal information they have from children and staff as well. This was a big deal for us in terms of the exposure that it led to.
Randy Rose
Certainly the schools in the US were impacted by PowerSchool. I think I read something like 100,000 organizations globally that were impacted by that breach. It was a significant impact felt across the entire world. It wasn't just limited to the US and Canada. But yeah, I think the point you're making about the data being one of the highest-value assets, a lot of people don't think about is that data has really wide-ranging impacts. So think about what's in school data, right? It's not just personally identifiable information, like PII. There might be health information in there, there might be data about economic status, there's contact information for parents and emergency contact information. Maybe there's information about the parents' jobs, in some cases work hours, if the kid is in an after-school program or not, if the kid is on a lunch welfare kind of program, so they might get reduced lunch or free lunches. So if that kind of data is for sale and that ends up going in the criminal underground to people who have a nefarious purpose outside of cyber, now you start getting into human trafficking and, you know, people that are really going after child trafficking. That is a rich data set. That's a way to identify the most vulnerable people in a given community. That's absolutely terrifying to me.
Jim Love
And we know that there are a lot of attacks on children. Allowing that information to get out there where people could actually start to get in touch with children, do all of the things that, like I said, as a parent, I didn't want to think about it. I want to cut the cord to the computer some days. But there are people who will misuse that information in terrible ways. The value of the data that the schools have is beyond precious to some people.
Randy Rose
Right, exactly.
Jim Love
So if it is and we know this, what should we be doing about this? What could we be doing to better help schools protect the data or for schools to protect this data?
Randy Rose
It's a tough question, right? The supply chain piece is actually really difficult to solve because that's outside of the schools. This is where we have to start holding the vendors that are providing capability accountable. There are some things that you can do as a user: you can ensure that they're meeting specific security requirements, but you have to know what to ask. So becoming educated on what are the things that I should expect my vendors to maintain? What GRC, governance, risk and compliance, policies and procedures should they have in place? What kinds of cybersecurity protections do they have in place? What is their incident response policy? Are they using multi-factor authentication on their side? Which it appears that might have been what was bypassed in the PowerSchool case. There's a number of things. We have to be able to effectively educate the educators and the folks who provide education to our communities on what they need to look for. That's a huge part of it. But I think the other part of it that you kind of touched on earlier, when we were talking about the initial infection vector, you said, well, sometimes it's a user who did something or maybe forgot to do something, and that's why we ended up in the situation that we're in. So I think there's this idea in cybersecurity that we have backwards, where we put all of the onus for security onto the user and then we kind of name and shame them in many cases when they screw up. But take it out of cybersecurity for a minute and put it into any other context. Imagine you're buying a car. You buy a car, you get in the car and you realize there's no seatbelt. You go back into the dealership and you say, hey, where's the seatbelt? Isn't that a safety feature? And they go, oh, no, that's your responsibility to go buy from AutoZone and put it in. Right? You start driving down, you realize there's no brake pedal. Like, what the heck? There's no brake. And you're like, oh yeah, don't forget the brakes too.
But that's what we do in the cybersecurity context. We put all the security on the user, which is insane. We would never do that in any other context.
Jim Love
And you know, as my friend David Shipley, they do a lot of cybersecurity training and mostly dealing with phishing. And one of the things he's always saying is, you can't shame people or they'll just take this underground. You know, they'll hide errors rather than come back. And I think that's probably the same in this area. If we start saying it's the user's responsibility. I even hate asking the question in those terms. I know that if you're a cybersecurity professional, you know that most hacks start by a human either failing to do something or not doing something, or sometimes being fooled. But there's a human factor to all of them. That doesn't mean that training all of the time is going to be the only solution. We still have to protect people and educate them at the same time. Is there no movement afoot to do that on a more global scale for schools, or is that something your organization tries to take on?
Randy Rose
Well, there are some conversations happening within the US and beyond with the concept of things like secure by design, building security in regardless of the purpose of the tool. I think you've been in this field for a long time. I've been in the field for a long time. When I came into cybersecurity, we didn't call it cybersecurity, it was called information security. When I entered the field, you had information technology and information security and they were two separate fields, and the idea of IT was, well, our job is to make systems available for people. And the idea of information security was, well, our job is to restrict unauthorized access to data. I still think, 20-plus years later, we still haven't quite figured out that cybersecurity is part of information technology and that you can't guarantee availability for systems if those systems are vulnerable to attack right out of the gate. Right. You have to build security in and bake security in from the ground up. It cannot be something that we tack on after the fact. It's a community, right? As really a global community, we have to put pressure on the developers of the technology to bake security in. Just like, back to the car analogy, there was a period of time when cars didn't have seatbelts, and when seatbelt laws came into effect, people freaked out about it. They didn't want to have a seatbelt. But I think we're at that point in the world where if you saw a car without a seatbelt, it would be so bizarre that that's what you'd be focused on. Everybody would be like, where is the seatbelt in this car? We need to get to that same perspective in the software development world where we go, where are the safety features in this? And they go, well, you have to add those. No, then I'm not buying it. I'm going with this other product that has the safety features built in and...
Jim Love
You bring up the question of security by design, or in Ontario, where I live, we had privacy by... It was this idea that you need to build this in. You can't paste it on, and it just never works. If you try to bolt security on after you build something, it's never going to be as effective as it is if you build it in. And I think building it into your culture is a similar type of thing. But again, if you're dealing with old individual schools without anybody having an overall, overarching sort of support for it, that's another big resource drain as well, and something you can't expect a school to do.
Randy Rose
No, that's very true.
Jim Love
One of the things I wanted to ask you about: did anything come up in your study about artificial intelligence and what that is doing in terms of providing another attack vector, or at least a risk element that is brand new?
Randy Rose
So not in this particular study. We didn't focus on AI at all for this one, but we do focus in that area quite a lot. We have a number of teams on the operations side that provide support to the MS-ISAC that's providing direct operational support to the state, local, tribal and territorial community. One of those teams is the Cyber Threat Intelligence team, and one of their chief focus areas for the last two-plus years has been on AI and in particular deepfakes and the use of deepfakes to inform social engineering attacks. That has been a huge part of their research. We've put out a number of white papers and blogs on that topic. We were really focused on the impact of gen AI in the election space in 2024. There's plenty of data available on the CIS website, cisecurity.org, if people are interested in what our studies have shown in that AI space.
Jim Love
The reason I brought this up is because, especially in terms of schools, it's that same thing. I tell people this, you know, my dad was fooled by the old trick, and this is a long time ago. Somebody phoned up, just garbled their voice, you know, over the phone, and my dad confessed to me that he'd actually sent money to this person. He was sort of sheepish about it. My dad was a highly educated man, a very intelligent man. He looked at me and said, Jim, it's two in the morning, it's your brother. What? I wasn't thinking right. I was thinking, with deepfakes being the next risk for children, that would be a big area that I think, again, we're going to need to put some time and energy into, to help people cope with that as AI gets better and better at being able to fake things like even a kidnapping or anything like that.
Randy Rose
Yeah, I think one of the scariest things is you can tell generative AI to take on a role or a personality. If you have enough data to feed it, you can make it sound exactly like the person in terms of the kinds of things that they would say. Right. So we're actually seeing AI used in business email compromise attacks. If you feed it enough email data from a person, it can write an email that sounds exactly like that person. Add the deepfake layer in, and now I would be incredibly impressed if any normal person could detect that. I really think the only way we would be able to defend against that is with other AI tools.
Jim Love
Yeah, it's certainly made phishing incredibly powerful. You don't know anymore. You're getting emails that are fairly well tailored to you, and scarily so sometimes. But also the idea of interactive deepfakes is not far-fetched anymore in terms of being able to use them as a threat. Just to circle back around to this, I want to come back. What are the main takeaway points that my audience should take from the survey? And we will put a link to it so people can read it as well. Did we catch all the takeaway points that you think we should be telling these people about?
Randy Rose
I think we hit most of them. I think, you know, we talked a bit about humans being the primary target, and I think we talked about the other side of that coin, which is if we continue to focus on humans as a weak link, then they're going to fulfill that prophecy. Right. We have to find a better way to talk about how humans can better protect themselves and really take the onus off of the individual user. We talked about the timing of the attacks: end-of-year exams, midterm exams. One thing we didn't really talk about is what happens when a ransomware attack hits a school. We talked about the school as being a community focal point, but we didn't really talk about what happens when ransomware takes a school offline. It's far more devastating than just a missed school day. Right. Some kids only eat at school, so there's potential for missed meals; there's missed classes; there's people who can't get access to their data to fill out their college applications. Parents are missing work because they have to be home with their kids.
Jim Love
Can a school function without the tools that they have? Even post-COVID, there's remote learning going on, marking, all those sorts of things that we once used to have on pen and paper that are now automated. There's no way to go back. I joke about this all the time. I'm old enough to remember when people would say, "The system is down, we have to go manual," I think. And now people would just laugh, like, what do you mean? But I presume a school is the same: you can't operate without getting, particularly, even security systems. All of these things need to be working to operate the school, and sending the kids home, when some parents just depend on the school as the daycare they needed so they can do their job, is a big implication.
Randy Rose
There are also extracurricular activities. Sometimes the kid is at the school from 7:30 in the morning. They get their breakfast and their lunch there. Then they have an after-school program. They might be at the school till 6 o'clock at night, and, you know, that's not available. I mean, it's a huge impact to the families and really the entire community.
Jim Love
So what would you like to see happen in education? What would you like to see done differently if you had the power to do it?
Randy Rose
That's a really great question. I think the first thing I would do, if I had my magic wand, is get everybody up to a certain baseline of security. There's always a balance in terms of system availability and system security. Right. The security professional would love the 100% secure system that's not plugged into anything and is in a Faraday cage with pressure sensor plates in the floor and all that kind of stuff, but you can't use that. So we have to find a balance to get everybody up to at least a minimum watermark so that no school is considered low-hanging fruit. I think we could do that. It's not easy; it certainly takes resources to do that. But if we could find an easy way, I think we do actually have a framework for it. The CIS Controls Implementation Group 1 is where I would recommend every school start. That's a great opportunity, I think: get everybody to implement essential security controls. And then the other thing I would say is find your community. I mean, it doesn't have to be the MS-ISAC community. It could be a local network, it could be a risk pool that you're connected in, whatever your community is. We should never be alone when fighting through some of the challenges that we have. And I think the only way we're really going to get there together is through partnerships. So we have to create those networks of folks that we can rely on.
Jim Love
My favorite Canadian philosopher, Red Green, always said we're all in this together. Randy, thank you so much for this. This has been great. It's interesting to be able to take some time to look at this through the lens and, even if you're not in the school sector, to be able to sit back and say, wait a minute, how can we make this better? It is an area of tremendous vulnerability. It's getting more and more affected, and it's something that we really do have to deal with.
Randy Rose
I really appreciate you having me on here. As somebody who's worked in education a little bit, as an adjunct professor, I'd never been in the K12 space specifically, but I have the pleasure of working with a lot of K12 IT staff, and I just know they are absolutely dedicated to what they do. Anything that we can do as a community, as a global community or as a local community, to support them and the schools, I think it's absolutely essential that we do that.
Jim Love
Amen. My guest today is Randy Rose, VP of Security Operations and Intelligence for the Center for Internet Security. The report we've been discussing is the 2025 CIS and MS-ISAC K to 12 Cybersecurity Report, "Where Education Meets Community Resilience." We'll put a link to it on our site, or at least in the show notes, so that you can find it. Thank you for spending your weekend with us. You could have been doing something else, but you took the time to listen to the program, so thank you very much. I'm your host, Jim Love. I'll be back on Monday morning with the cybersecurity news.
Podcast Summary: Cybersecurity Today – "The Escalating Cyber Threats Against K-12 Schools: Insights and Solutions"
Podcast Information:
In this insightful episode of Cybersecurity Today, host Jim Love delves into the growing cyber threats targeting K-12 educational institutions. Recognizing schools, hospitals, and nonprofits as increasingly vulnerable targets, Love brings in Randy Rose from the Center for Internet Security (CIS) to shed light on the current cybersecurity landscape affecting these vital community pillars.
Jim initiates the discussion by introducing Randy Rose, who provides an overview of CIS.
Randy Rose [01:39]: "We are known for the CIS controls and the CIS benchmarks. We're a professional advice-giving organization focused on risk offsetting from a cyber perspective."
Rose explains that CIS supports a diverse range of organizations globally, including businesses, government entities, and nonprofits, with a significant focus on K-12 schools in the U.S. through the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Rose emphasizes that K-12 schools are prime targets for cybercriminals due to their perceived lack of robust cybersecurity measures.
Randy Rose [03:56]: "Cybercriminals can close down schools, reveal confidential information, and cause extensive damage."
He highlights that schools often operate with limited budgets and resources, making it challenging to invest adequately in cybersecurity defenses. This vulnerability is exacerbated by the fact that many schools rely on a small number of IT personnel who are often overburdened and under-resourced.
The core of the discussion revolves around the findings of the 2025 CIS and MS-ISAC K-12 Cybersecurity Report, which analyzed cyber threats impacting over 5,000 K-12 organizations.
Rose notes a significant increase in cyberattacks against K-12 schools over an 18-month period from mid-2023 to end-2024.
Randy Rose [09:19]: "We are absolutely seeing attacks historically year over year."
One striking statistic revealed that there were 9,300 confirmed cyber threats targeting these schools during the study period, averaging nearly two attacks per organization.
Randy Rose [10:04]: "9,300 confirmed incidents... This is the way we detect and escalate things."
The report identifies phishing as the primary method attackers use to gain initial access.
Randy Rose [13:27]: "Phishing is the number one vector for threat actors to gain initial access to an environment."
Additionally, there has been a notable rise in malvertising attacks, in which malicious advertisements are used to deliver malware to as many school devices as possible.
Randy Rose [14:36]: "Malvertisement is malicious advertisement... it's a great opportunity to cast a very wide net and infect as many devices as possible."
Rose points out that cyberattacks often spike during critical periods in the academic calendar.
Randy Rose [11:37]: "Spikes of activity at the start of the school year... before midterm exams and right before end-of-year exams."
This strategic timing pressures schools to respond swiftly, potentially making them more susceptible to ransom demands.
The discussion underscores the severe consequences of ransomware attacks, extending beyond mere operational disruptions.
Randy Rose [30:20]: "When ransomware takes a school offline, it's far more devastating than just a missed school day."
Schools play multifaceted roles in communities, including providing meals and after-school programs. Disruptions can lead to missed meals for children, hindered academic progress, and strain on families who rely on schools for childcare.
Rose elaborates on the challenges schools face in allocating sufficient resources to cybersecurity.
Randy Rose [16:39]: "It's a challenge not limited to the school sector. They're limited to the funding they have available and to the people who want to work in local government or schools."
Many schools depend on dual-hatted IT staff or rely on managed service providers, which may not always offer the specialized cybersecurity expertise required to fend off sophisticated threats.
The episode touches on the complexities of supply chain security, particularly referencing the PowerSchool breach.
Jim Love [19:00]: "PowerSchool was hacked, leading to significant data leakage."
Rose explains that securing the supply chain involves holding vendors accountable and ensuring they meet stringent cybersecurity requirements.
Randy Rose [22:05]: "We have to start holding the vendors that are providing capability accountable."
Both host and guest discuss the misplaced responsibility often placed on users, advocating for systemic security measures instead.
Jim Love [24:52]: "You have to protect people and educate them at the same time."
Randy Rose [23:56]: "We have to put the onus off of the individual user."
Rose likens cybersecurity to automotive safety features, emphasizing the need for built-in security rather than relying solely on user vigilance.
While not a primary focus of the report, the conversation addresses the burgeoning role of AI in cyber threats.
Randy Rose [27:25]: "AI, particularly deepfakes, is increasingly used in social engineering attacks."
The potential for AI-driven phishing emails that convincingly mimic legitimate communications poses a new challenge, necessitating advanced AI-based defenses.
Rose outlines several actionable strategies to bolster cybersecurity defenses within K-12 institutions: implement baseline security measures, foster community and partnerships, secure supply chains, and integrate security by design.
Randy Rose [32:35]: "Find your community... we have to create those networks of folks that we can rely on."
Jim Love and Randy Rose conclude the episode with a call to action for educational institutions to prioritize cybersecurity. Because schools play a pivotal role in their communities, enhancing their cyber resilience is not just an IT concern but a societal imperative.
Jim Love [34:23]: "It's an area of tremendous vulnerability that we really do have to deal with."
Randy Rose [34:49]: "Anything that we can do as a community to support them and the schools, I think it's absolutely essential that we do that."
Listeners are encouraged to access the full CIS K-12 Cybersecurity Report for comprehensive insights and actionable strategies to safeguard educational environments against escalating cyber threats.
Final Thoughts: This episode of Cybersecurity Today provides a thorough exploration of the alarming rise in cyber threats targeting K-12 schools. Through expert insights from Randy Rose, the discussion highlights the multifaceted challenges schools face and offers practical recommendations to enhance their cybersecurity posture. As cyber threats continue to evolve, the imperative to protect educational institutions becomes ever more critical for the safety and resilience of our communities.