Many Kansas school districts do not employ basic security controls for information technology in an era when schools are at an increased risk of a cyberattack, a new legislative audit shows.
An audit of about half the school districts found many with security shortcomings, including a lack of staff training for security awareness and not requiring confidential data to be encrypted when sending it outside their network.
The problem was more pronounced in smaller districts with 500 or fewer students where many haven’t installed antivirus technology on all of their computers or do not conduct security scans at least monthly.
The security measures are critical for protecting information about student grades, disciplinary actions, medical and mental health records, and financial information.
Among other things, the legislative audit of 147 school districts found:
- 58% of school districts do not require security awareness training for their staff at any time. Standards suggest staff should attend security awareness training when hired and then annually, the audit said.
- 59% do not require confidential data to be encrypted when sending it outside the district’s network. All confidential data should be encrypted anytime it is sent outside the district’s network, the audit said.
- 65% do not scan their computer systems for security vulnerabilities as often as standards suggest. This includes 35% of districts that reported never scanning their computer network. Standards suggest organizations scan their networks at least monthly, the audit said.
- 69% don’t have an incident response plan. Without a plan, auditors said, the risks are greater that an organization won’t recognize and respond to a security incident quickly and effectively. Further, 63% of districts don’t assess their IT security risks yearly.
- 28% of districts don’t have antivirus software on their networked computers or servers.
The audit found these security gaps between small and larger districts with more than 3,000 students:
- 67% of small districts reported having antivirus installed on their computers compared to 80% of large districts.
- 33% of small districts reported scanning computers at least monthly in comparison to 55% of large districts.
- 45% of small districts reported requiring some or all staff to use multifactor authentication to access their system compared to 65% of large districts.
The audit also showed that school districts reported that staffing issues and a lack of knowledge about what security controls to implement were barriers to improving security.
Auditors asked school districts to rate the significance of various barriers to implementing adequate IT security controls.
They reported that about half of the districts cited their inability to hire sufficient IT staff or pay them competitively were significant barriers.
More than half the districts reported as “minor barriers” their ability to provide adequate infrastructure resources and to provide staff training.
State and federal laws restrict who has access to student data, but they don’t require districts to implement security controls for IT, the audit reported.
And while state laws require state agencies to adopt certain IT security controls, those laws do not apply to school districts, the audit said.
Auditors recommended the Legislature consider directing the Kansas State Department of Education to establish a set of minimum IT security standards for school districts whether it’s in the form of either guidance or requirements.
State education officials said the IT team at the education department has only been staffed to meet the data collection and management needs of the agency.
Expanding its responsibilities to oversee IT security at 286 school districts and 90 private school systems would be impossible with the agency’s current staffing levels.
“The level of support necessary for school districts to implement IT security standards would be a significant undertaking and is not possible with the current level of IT staffing at KSDE,” Education Commissioner Randy Watson said in response to the audit.
Republican state Rep. John Barker quizzed state education officials about what they have done to require school districts to address their gaps in technology security.
“The vulnerability is there. It’s probably been evident to you for a long period of time,” Barker said.
“Do you need the Legislature to enact something? Could you have not done this on your own and brought it to our attention rather than wait for our post-audit staff to do an audit on it?” he said.
“I like initiative. I would rather the Department of Education come and say, ‘We have a vulnerability here and we need to address that,'” he said.
John Hess, director of fiscal services and operations for the education department, said the agency is conflicted about how to approach the issue.
Hess said it would be one thing for the agency to provide local school districts with its security standards, but it would be another to travel the state and visit every school district to provide security expertise.
“We do not have the financial resources currently to be able to hire the staff qualified to do that type of work and also travel to school districts and work with school districts on an individual basis,” Hess said.
Republican state Rep. Kristey Williams, chair of the Legislative Post-Audit Committee, criticized the department for using money as an excuse.
“This recommendation doesn’t require you to send IT staff out to school districts,” Williams said.
“It simply says to at least provide security standard guidelines,” she said. “That could have easily been implemented by providing what you aleady have.”