The K-12 education sector is improving its cybersecurity capabilities over time, but it lags behind other sectors in cybersecurity program maturity, says a study published Monday.
K-12 organizations have limited internal resources to confront sophisticated threats, with nearly a fifth of K-12 schools spending less than 1% of their information technology budget on cybersecurity, according to the study by the Greenbush, New York-based Center for Internet Security, a nonprofit organization which focuses on cyber security of critical infrastructure in the United States, and the Multistate Information Sharing & Analysis Center.
The center is funded by the Department of Homeland Security̵7;s Cybersecurity and Infrastructure Security Agency and a CIS division.
The report says the sector’s biggest security concerns are the lack of sufficient funding, the increasing sophistication of threats, the lack of documented processes and a cybersecurity strategy, and the insufficient availability of cybersecurity personnel.
The study says areas where primary schools generally perform well are in identity management and access control; awareness and education; and in their business environment, in terms of how their mission, goals, stakeholders and activities are understood and prioritized.
The study says areas where K-12 schools generally perform poorly, based on the Gaithersburg, Maryland-based National Institute of Standards and Technology’s cybersecurity framework, are in protective technology, supply chain risk management and data security.
Recommended actions include encrypting data on removable media, establishing and maintaining a data recovery process, and conducting threat modeling, the report says.