Why Federal Efforts to Protect Schools from Cybersecurity Threats Fall Short

2. Schools Lack Cybersecurity Personnel
K-12 schools’ poor cybersecurity performance can be attributed, in part, to a lack of staff. About two-thirds of school districts lack a full-time cybersecurity position. Those with cybersecurity staff often don’t have the budget for a chief information security officer to oversee and manage the district’s strategy. Often, the IT director takes on this role, but they have a broader responsibility for IT operations without a specific emphasis on security.

3. Schools Lack Cybersecurity Skills
The lack of cybersecurity skills among existing staff hinders the development of strong cybersecurity programs.

Only 10% of educators say that they have a deep understanding of cybersecurity. The majority of students say that they have minimal or no knowledge about cybersecurity. Cybersecurity awareness tends to be even lower in higher-poverty districts, where students have less access to cybersecurity education.

The Cybersecurity and Infrastructure Security Agency plans to provide cybersecurity training to an additional 300 K-12 schools, school districts and other organizations involved in K-12 education in the forthcoming school year. With 130,930 K-12 public schools and 13,187 public school districts in the U.S., CISA’s plan serves only a tiny fraction of them.

4. Inadequate Funding
The FCC has proposed a pilot program that would allocate $200 million over three years to boost cyberdefenses. With an annual budget of $66.6 million, this falls short of covering the entirety of cybersecurity costs, given that it will cost an estimated $5 billion to adequately secure the nation’s K-12 schools.

The costs encompass hardware and software procurement, consulting, testing, and hiring data protection experts to combat cyberattacks. Frequent training is also needed to respond to evolving threats. As technology advances, cybercriminals adapt their methods to exploit vulnerabilities in digital systems. Teachers must be ready to address such risks.

Costs Are Sizable
How much should schools and districts be spending on cybersecurity? Other sectors can serve as a model to guide K-12 schools.

One way to determine cybersecurity funding is by the number of employees. In the financial services industry, for example, these costs range from $1,300 to $3,000 per full-time employee. There are over 4 million teachers in the United States. Setting cybersecurity spending at $1,300 per teacher – the low end of what financial firms spend – would require K-12 schools to spend a total of $5 billion.

An alternate approach is to determine cybersecurity funding relative to IT spending. On average, U.S. enterprises are estimated to spend 10% of their IT budgets on cybersecurity. Since K-12 schools were estimated to spend more than $50 billion on IT in the 2020-21 fiscal year, allocating 10% to cybersecurity would also require them to spend $5 billion.

Another approach is to allocate cybersecurity spending as a proportion of the total budget. In 2019, cybersecurity spending represented 0.3% of the federal budget. Federal, state and local governments collectively allocate $810 billion for K-12 education. If schools set cybersecurity spending at 0.3%, following the example of federal agencies, that would require an annual budget of $2.4 billion.

By contrast, a fifth of schools dedicate less than 1% of their IT budgets – not their entire budgets – to cybersecurity. In 12% of school districts, there is no allocation for cybersecurity at all.

Nir Kshetri is Professor of Management, University of North Carolina – Greensboro. This article is published courtesy of The Conversation.