- A Utah legislative audit highlights cybersecurity gaps in K-12 and higher education systems.
- Local education agencies need to adopt cybersecurity best practices amid rising cyber threats.
- Audit suggests legislature study minimum cybersecurity standards and solutions for staffing challenges.
SALT LAKE CITY — Cybersecurity has been a topic of conversation among Utah lawmakers for some time now, especially following a data breach that impacted all current and former Granite School District students — about 450,000 — in December 2024.
A legislative audit released Thursday took a deeper look into Utah's cybersecurity practices for both public and higher education, finding room for improvement in both areas.
K-12 public education
When looking at the K-12 realm, the audit found that local education agencies can be more aggressive in meeting baseline cybersecurity best practices, especially amid increasing attacks on public education.
"Successful Utah attacks have cost districts financially and in staff time and impacted hundreds of thousands of students and employees. Cyber attacks have also significantly impacted school districts in other states," according to the audit.
Cybersecurity threats, the audit says, can include ransomware, data breaches, and corporate email fraud that can lead to significant financial losses, loss of trust and a disruption of education.
Due to the evolving landscape of cybersecurity threats, addressing them can prove difficult. But U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency has developed cybersecurity best practices for public education entities, both big and small, that include:
- Multifactor authentication: Controls in this area help ensure that users are required to provide multiple forms of verification before accessing systems, reducing the risk of unauthorized access.
- Patch management: These controls focus on keeping software and systems up to date by promptly applying security patches to fix unknown vulnerabilities.
- Backups: These controls emphasize creating and securely storing regular system and data backups to ensure recovery in case of data loss or ransomware attacks.
- Exposure to the internet: These controls focus on ensuring that IT assets accessible via the internet do not expose frequently exploited services.
- Incident response plan: This category includes developing, maintaining and testing an incident response plan to handle cybersecurity events effectively.
- Training: These controls promote user awareness by requiring regular cybersecurity training to help staff recognize threats like phishing and social engineering.
The audit used these practices to guide testing on a sample of local education agencies, alongside statewide survey data gathered at the direction of the Utah Education and Telehealth Network.
"Both the testing conducted by the state of Utah's Division of Technology Services and (Utah Education and Telehealth Network's) survey data point out gaps in the use of baseline cybersecurity controls. It also appears that large school districts have more robust cybersecurity protection than small school districts," the audit says.
The biggest barriers districts face in implementing cybersecurity controls include insufficient staffing (55%), insufficient statewide cooperative contracts (33%) and insufficient training for IT or cybersecurity staff (29%), among others.
The audit recommends that the Legislature consider studying minimum cybersecurity standards for local education agencies.
"These minimum standards could follow the principles behind high-priority practices outlined by the Cybersecurity and Infrastructure Security Agency, that are attainable by local education agencies, regardless of size, and proven to reduce risk," said the audit.
It also recommends that the Legislature consider studying solutions to challenges Utah's local education agencies face, like insufficient prioritization of cybersecurity, staffing, training and recruiting and retaining skilled personnel while considering the differences between large and small districts in implementing cybersecurity controls.
Higher education
Like K-12 education, the audit says Utah's higher education institutions can do more to improve both cybersecurity controls and governance.
"Utah's colleges and universities face a broad spectrum of cyber threats, including ransomware, business email fraud, and data breaches. However, these risks are elevated by more complex IT systems and additional sensitive data," according to the audit.
The University of Utah in 2020 was the victim of a ransomware attack, which the school ultimately resolved by paying the hackers nearly half a million dollars, though most of that was reimbursed by the U.'s insurance provider.
The Cybersecurity and Infrastructure Security Agency's cybersecurity best practices for public education entities are also being implemented by Utah System of Higher Education institutions, but the audit found that there are areas for improvement.
"We are encouraged by the recurring cybersecurity assessments (Utah System of Higher Education) institutions have been doing on each other for over a decade. Cybersecurity personnel from (Utah System of Higher Education) institutions test the defenses of other institutions regularly. This shows good leadership and collaboration," says the audit.
Still, the audit recommends that the Utah Board of Higher Education clarify roles, including accountability for compliance, for the Utah System of Higher Education and its member institutions in the cybersecurity policy.
"The policy should define the purpose of the policy and how information security plans and programs are to be used. The purpose of these changes is to ensure decisions are made according to sound information and institutions are held accountable for cybersecurity," said the audit.
