TOPEKA — A legislative audit revealing many school districts are not practicing basic security measures for information technology systems raised eyebrows Tuesday from a panel of legislators.
According to the K-12 Cybersecurity Resource Center, security incidents at schools have increased by 18% since last year. The limited-scope audit focused on how schools were approaching the security of their IT systems, which contain sensitive data including grades, medical records and financial information.
Members of the Legislative Post Audit Committee expressed disappointment upon hearing that most respondents to a survey of all Kansas school districts do not have adequate IT security measures.
“I can’t believe in this day and age that we’re this far behind. It’s gonna take two or three years just to get up to par,” said Sen. Rob Olson, an Olathe Republican. “I think the Legislature should pick this up and set some minimum standards, but it’s really up to the state school board to pick this one up.”
The survey — which had a 51% response rate — revealed 58% of responding school districts do not require security awareness training for staff at any time, 65% do not scan their systems for vulnerabilities as often as recommended and 69% do not have an incident response plan.
State auditors said many schools simply failed to implement basic security controls to protect their networks against unauthorized users. They recommended the Legislature consider a measure to direct the Kansas State Department of Education to set minimum IT security standards for schools through guidance or requirements.
About half of survey respondents said the biggest barrier to achieving better IT security was an inability to hire enough staff or pay them competitively. Olson said he hoped legislative committees, such as the House K-12 Education Budget Committee chaired by Rep. Kristey Williams, would take up the matter.
Williams, an Augusta Republican who is chairwoman of the post audit panel, said they would review the issue but appeared keen to take a route that did not require spending state funds. She said districts should have money to address this issue with increased school funding from legal settlements and federal COVID-19 relief funds.
“Ultimately I do feel that we have fully funded our school districts and they need to take this on,” Williams said, adding that offering guidance would not require school districts to spend money unless they choose to invest in improved security.
Rep. Jim Gartner, a Topeka Democrat, said it was a bit unrealistic to expect a department or any school districts to measure up without a statutory requirement.
“It would seem to me if it’s not required, they’re not going to really do it unless we require them to do it,” Gartner said. “So that’s something the legislature needs to address.”
In a written response to the audit, Kansas State Education Commissioner Randy Watson said if KSDE sets minimum standards, districts would likely rely on the agency for technical assistance. At the moment, the agency is only staffed to meet its own needs.
“The level of support necessary for school districts to implement IT security standards would be a significant undertaking and is not possible with the current level of IT staffing at KSDE,” Watson said. “If the Kansas Legislature chooses to implement the LPA recommendation, there will need to be additional IT staff, and the Department would like to see that noted within the LPA recommendation.”