Key Finding 1: Prioritize actionable steps to reduce cybersecurity risks (part 1)

In this unit, you dive deeper into CISA Key Finding 1: With finite resources, K-12 institutions can take a small number of steps to significantly reduce cybersecurity risks. As you learn, work with your cybersecurity team to identify and implement security measures that are most immediate and actionable and have the greatest impact. Then plan how you’ll communicate security expectations with staff, students, and families. You also discover Microsoft solutions and other resources that can support your goals along the way.

Set up multifactor authentication (MFA)

Multifactor authentication is a security measure designed to better protect your school's digital accounts and sensitive information. MFA goes beyond traditional username and password combinations by requiring users to provide additional authentication factors during the sign-in process.

Rather than relying only on a string of characters that is hard to remember and easy for hackers to guess, MFA systems use multiple factors that follow these CISA guidelines:

  • Something you know: Like a PIN or password.
  • Something you have: Like an authentication application or a confirmation text on your phone.
  • Something you are: Like a fingerprint or face scan.

Illustration of CISA MFA guidelines discussed in the unit. Source: Cybersecurity & Infrastructure Security Agency

By combining multiple factors, MFA significantly strengthens the security of online data, making it more difficult for unauthorized individuals to gain access. This additional layer of authentication adds an extra level of confidence and reduces the risk of identity theft, data breaches, and unauthorized access to education systems. Microsoft Entra multifactor authentication, included in all Microsoft 365 Education plans, provides districts with customizable options that help keep accounts secure.

Next steps

  1. Learn more about how to make accounts more secure with MFA.

  2. Use this step-by-step guide with your cybersecurity team to secure your district or school’s identity infrastructure. For more information, review this comprehensive guide to help you plan, test, and deploy Azure multifactor authentication in your organization.

  3. Share the CISA “More than a Password” campaign and MFA toolkit, which includes visuals, videos, and social media posts, with your students and staff to support the implementation of MFA.

Identify and prioritize known security flaws

One of the most important steps that a school or district can take when developing a comprehensive cybersecurity plan is understanding their current challenges and vulnerabilities. By prioritizing known exploited vulnerabilities, K-12 organizations significantly reduce their likelihood of compromise.

Microsoft helps you be proactive, assessing and removing exploitable flaws before the wrong people or groups find and attack them. Explore Microsoft tools and resources that automate the process, keeping your school or district secure even when vulnerabilities evolve quickly.

  • Microsoft Secure Score is a measurement of an organization's security posture. Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard, organizations monitor and work on the security of their Microsoft 365 identities, apps, and devices.
  • Security Copilot integrates insights and data from security tools and delivers guidance that is tailored to your organization. It helps discover whether your organization is susceptible to known vulnerabilities and exploits.
  • Microsoft Defender Vulnerability Management reduces cyber risk with continuous asset visibility, risk-based prioritization, and built-in remediation tools to address the most critical vulnerabilities.

Next steps

  1. CISA encourages schools and districts to prioritize the remediation of vulnerabilities listed in the Known Exploited Vulnerabilities (KEV) Catalog. Explore the catalog and note any identified vulnerabilities for systems you're currently using.
  2. Using information from the KEV catalog, CISA offers Vulnerability Scanning to continually assess cybersecurity health and reduce the likelihood of compromise. Consider signing up for this free weekly personalized report that focuses on your school or district's "known vulnerabilities, weak configurations—or configuration errors—and suboptimal security practices." It also recommends ways to enhance security through modern web and email standards.
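
Added example (not part of the original unit, and not CISA or Microsoft code): one way to carry out step 1 by matching KEV catalog entries against a list of the systems you run. The catalog entries, placeholder CVE IDs, vendor and product names, dates, and the inventory are constructed for illustration; the field names follow the JSON feed CISA publishes for the catalog.

```python
import json
from datetime import date

# Constructed sample in the layout of CISA's KEV JSON feed.
# CVE IDs, vendors, products and dates are placeholders, not real entries.
SAMPLE_KEV = json.loads("""
{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Student Portal",
  "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Unknown",
  "requiredAction": "Apply updates per vendor instructions."},
 {"cveID": "CVE-0000-0002", "vendorProject": "Sample Networks", "product": "Edge Firewall",
  "dueDate": "2024-03-01", "knownRansomwareCampaignUse": "Known",
  "requiredAction": "Apply updates per vendor instructions."},
 {"cveID": "CVE-0000-0003", "vendorProject": "OtherCorp", "product": "Print Server",
  "dueDate": "2024-02-01", "knownRansomwareCampaignUse": "Unknown",
  "requiredAction": "Apply updates per vendor instructions."},
 {"cveID": "CVE-0000-0004", "vendorProject": "ExampleVendor", "product": "Student Portal",
  "dueDate": "2024-02-20", "knownRansomwareCampaignUse": "Unknown",
  "requiredAction": "Apply updates per vendor instructions."}
]}
""")

# Constructed district inventory: (vendor, product) pairs as an asset list might record them.
INVENTORY = [("examplevendor", "student  portal"), ("Sample Networks", "Edge Firewall")]

def _norm(text):
    """Lower-case and collapse whitespace so inventory spelling differences still match."""
    return " ".join(text.lower().split())

def match_kev(catalog, inventory, today):
    """Return KEV entries for systems in the inventory, most urgent first."""
    owned = {(_norm(v), _norm(p)) for v, p in inventory}
    hits = []
    for entry in catalog["vulnerabilities"]:
        if (_norm(entry["vendorProject"]), _norm(entry["product"])) not in owned:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({"cve": entry["cveID"], "product": entry["product"], "due": due,
                     "overdue": due < today,
                     "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                     "action": entry["requiredAction"]})
    # Entries tied to known ransomware campaigns first, then by earliest due date.
    hits.sort(key=lambda h: (not h["ransomware"], h["due"]))
    return hits

if __name__ == "__main__":
    for h in match_kev(SAMPLE_KEV, INVENTORY, today=date(2024, 2, 15)):
        flag = "OVERDUE" if h["overdue"] else "open"
        print(h["cve"], h["product"], h["due"], flag, "ransomware" if h["ransomware"] else "")
```

To run it against the live catalog, load CISA's published JSON feed in place of `SAMPLE_KEV`. Real inventories usually need a mapping from local asset names to the catalog's `vendorProject` and `product` spellings before entries will match.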