Consider these points:
- There were a record 160 publicly disclosed security incidents in K-12 during the summer months of 2019, exceeding the total number of incidents reported in all of 2018 by 30%.
- 47% of K-12 organizations are making cybersecurity their primary investment, yet 74% do not use encryption.
- 93% of K-12 organizations rely on native client/patch management tools that have a 56% failure rate, with 9% of client/patch management failures never recovered.
These and many other fascinating insights are from Absolute’s new research report, “Cybersecurity and Education: The State of the Digital District in 2020,” focused on the state of security, staff and student safety, and endpoint-device health in K-12 organizations. The study’s findings reflect the crisis the education sector is facing as they grapple with high levels of risk exposure — driven in large part by complex IT environments and a digitally savvy student population — that have made them a prime target for cybercriminals and ransomware attackers. The methodology is based on data from 3.2 million devices containing Absolute’s endpoint visibility and control platform, active in 1,200 K-12 organizations in North America (U.S. and Canada). Please see full report for complete details on the methodology.
Here’ the backdrop:
- K-12 cybersecurity incidents are skyrocketing, with over 700 reported since 2016 and 160 occurring during the summer of 2019 alone. Educational IT leaders face the challenge of securing increasingly complex IT environments while providing access to a digitally savvy student population capable of bypassing security controls. Schools are now the second-largest pool of ransomware victims, just behind local governments and followed by health-care organizations. As of today, 49 school districts have been hit by ransomware attacks so far this year.
“Today’s educational IT leaders have been tasked with a remarkable feat: adopting and deploying modern learning platforms, while also ensuring student safety and privacy, and demonstrating ROI on security and technology investments,” said Christy Wyatt, CEO of Absolute.
Research from Absolute found:
K-12 IT leaders are now responsible for collectively managing more than 250 unique OS versions, and 93% are managing up to five versions of common applications. The following key insights from the study reflect how severe K-12’s cybersecurity crisis is today:
- Digital technologies’ rapid proliferation across school districts has turned into a growth catalyst for K-12’s cybersecurity crisis. 94% of school districts have high-speed internet, and 82% provide students with school-funded devices through one-to-one and similar initiatives. Absolute found that funding for educational technology has increased by 62% in the last three years. The Digital Equity Act goes into effect this year, committing additional federal dollars to bring even more technology to the classroom. K-12 IT leaders face the daunting challenge of having to secure on average 11 device types, 258 unique operating systems versions and over 6,400 unique Chrome OS extensions and more, reflecting the broad scale of today’s K-12 cybersecurity crisis. Google Chromebooks dominate the K-12 device landscape. The following graphic illustrates how rapidly digital technologies are proliferating in K-12 organizations:
- 42% of K-12 organizations have staff and students regularly bypass security endpoint controls using web proxies and rogue VPN apps, inadvertently creating gateways for malicious outsiders to breach their schools’ networks. Absolute found that there are on average 10.6 devices with web proxy/rogue VPN apps per school and 319 unique web proxy/rogue VPN apps in use today, including “Hide My Ass” and “IP Vanish.” Many of the rogue VPN apps originate in China, and all of them are designed to evade web filtering and other content controls. With an average of 10.6 devices per school harboring web proxies and rogue VPN apps, schools are also at risk of non-compliance with the Children’s Internet Protection Act (CIPA).
- While 68% of education IT leaders say that cybersecurity is their top priority, 53% rely on client/patch management tools that are proving ineffective in securing their proliferating IT infrastructures. K-12 IT leaders are relying on client/patch management tools to secure the rapidly proliferating number of devices, operating systems, Chrome extensions, educational apps, and unique application versions. Client/patch management agents fail 56% of the time, however, and 9% never recover. There are, on average, nine daily encryption agents’ failures, 44% of which never recover. The cybersecurity strategy of relying on native client/patch management isn’t working, leading to funds being wasted on K-12 security controls that don’t scale:
Wyatt continued: “This is not something that can be achieved by simply spending more money … especially when that money comes from public funds. The questions [schools] each need to be asking are if they have the right foundational security measures in place, and whether the controls they have already invested in are working properly. Without key foundational elements of a strong and resilient security approach in place — things like visibility and control, it becomes nearly impossible to protect your students, your data, and your investments.”
- Providing greater device visibility and endpoint security controls while enabling applications and devices to be more resilient is a solid first step to solving the K-12 cybersecurity crisis. Thwarting the many breach and ransomware attacks K-12 organizations receive every day needs to start by considering every device as part of the network perimeter. Securing K-12 IT networks to the device level delivers asset management and security visibility that native client/patch management tools lack. Having visibility to the device level also gives K-12 IT administrators and educators insights into how they can tailor learning programs for broader adoption. The greater the visibility, the greater the control. K-12 IT administrators can ensure internet-safety policies are being adhered to while setting controls to be alerted to suspicious activity or non-compliant devices, including rogue VPNs or stolen devices. Absolute’s Persistence platform provides a persistent connection to each endpoint in a K-12’s one-to-one program, repairing or replacing critical apps that have been disabled or removed.