The Escalating Cyber Threats Against K-12 Schools: Insights and Solutions: Cyber Security Today

Mar 22, 2025 · 35 min

Episode description

The Escalating Cyber Threats Against K-12 Schools: Insights and Solutions

In this episode of 'Cybersecurity Today,' host Jim Love discusses the rising trends and severe impacts of cyber attacks on K-12 schools with Randy Rose, VP of Security Operations and Intelligence at the Center for Internet Security (CIS). They scrutinize recent studies showing a surge in cyber threats targeting educational institutions, emphasizing the vulnerability of schools and the motives behind these attacks. The discussion covers how cyber criminals exploit budgetary information and schedules to maximize impact, the profound repercussions of ransomware attacks on school communities, and the critical need for better cybersecurity practices and support. Randy Rose shares insights from the 2025 CIS MS-ISAC K-12 Cybersecurity Report and offers practical advice on elevating security standards and fostering community resilience to protect sensitive school data from cyber threats.

00:00 Introduction to Cybersecurity in Schools
00:02 Iconic Hacking Movies and Real-Life Cyber Threats
00:41 The Seriousness of School Cybersecurity
01:10 Interview with Randy Rose: Introduction and CIS Overview
01:40 CIS's Role and Randy's Journey
03:27 Supporting Various Organizations
04:26 Challenges Faced by Schools and Local Governments
06:21 Cybersecurity Threats and Attack Patterns
09:11 Impact of Cyber Attacks on Schools
13:22 Detailed Findings from the CIS Report
19:16 Human Factor in Cybersecurity
19:29 Supply Chain and Data Security
27:13 The Role of AI in Cybersecurity
30:49 Ransomware and Its Devastating Effects
32:27 Recommendations for Improving School Cybersecurity
34:01 Conclusion and Final Thoughts

Transcript

Welcome to Cybersecurity Today. We've all seen a movie where somebody hacks into a local school. I think Ferris Bueller's Day Off is still one of the most perfect films ever made. It's one of the iconic feel-good movies. Hard to believe it was made in 1986. Ferris managed to not get in trouble for skipping school while he hacked in and changed his attendance record. Another great film, and maybe he's still, I think, iconic as well: Matthew Broderick in War Games hacks into his school before he ends up taking the world to the brink of nuclear Armageddon. These movies make it look easy. I'm not going to propose that hacking anything is good, but they're a prank, an act of rebellion. Real life today shares one of those characteristics. It's still far too easy to hack into a school system, but it's no prank. This is serious business. Cyber criminals can close down schools. They can reveal confidential information.

They can do a heck of a lot of damage. We've discovered more and more of these groups are actually going after education, hospitals, and not-for-profits because they're relatively easy targets. I wanted to discuss that today. And across my desk came a note from a guy, Randy Rose, VP of Security Operations and Intelligence at the Center for Internet Security. Uh, welcome, Randy. Thank you.

Thanks for having me, Jim. You guys just did a study on this and I want to get into that and talk through some of the things that you've got in that study about K to 12 organizations. But before we do that, can we talk about what the Center for Internet Security is? Absolutely. So the Center for Internet Security, or we call CIS, right? The common vernacular around here, CIS, a little bit easier to say than the mouthful that is Center for Internet Security.

We are probably best known as a best practices organization. We're known for the CIS Controls and the CIS Benchmarks. So as Tony Sager, our chief evangelist, likes to say, we're a professional advice-giving organization. And it's really in that risk, offsetting risk from a cyber perspective, putting things in place that help reduce cyber attacks in your environment. We also run the MS-ISAC, the Multi-State Information Sharing and Analysis Center.

The ISAC model brings together communities for threat intelligence sharing and cyber security awareness. We actually provide a number of tools and services to state, local, tribal and territorial governments in the U.S. through the ISAC, and that's where a lot of our report, the K-12 report, a huge chunk of our membership are actually K through 12 schools in the U.S. How did you come to work there? I was a state employee in New York, back in 2009.

That's how I found out about the MS-ISAC. I was a member of the MS-ISAC for many years. I moved from the state of New York into the federal government space. I worked for the U.S. Navy and an organization called Defense Information Systems Agency in Europe. And when I was in Europe, when COVID hit, I actually reached out to some colleagues from the MS-ISAC and said, look, I'm over in Europe, we got to get back to the U.S. because this COVID thing is pretty serious.

We were about two weeks ahead of the U.S. in Europe. I started making some phone calls and one of my colleagues said, we have an opening that would be perfect for you. I came over as the Director of Threat Intelligence and the rest is history. I've been part of the team now for five years. I keep wanting to say CSI, I'm sure it happens. Yeah. Does CIS deal only with schools or are there other organizations that you support? We support all sorts of organizations.

We're actually a global organization. You know, improve their cyber security footprint. So that's businesses, international organizations, you know, anybody who needs help or assistance, whether you're commercial or for profit, I'm sorry, commercial or nonprofit, NGO, government, doesn't really matter. So on the best practice side, we work with anybody. ISAC side, I like to describe it, it's what we call the SLTT community, State, Local, Tribal, and Territorial.

It's an acronym that doesn't really exist outside of that community, so most people don't know what that means, but I describe it as taxpayer-funded organizations below the federal government level. So if your taxes are fueling that, and that's everything from schools to libraries to public safety to public utilities, public higher education, state colleges and things like that, and really anything you can imagine, counties, cities, towns, villages. All of that.

One of the things that attracted me to this was not just schools, and schools are important, but it was this idea that there are so many government organizations, agencies, not-for-profits, and they really don't have the support they need. It's almost a crime in some aspects because they're not big enough to invent cybersecurity each time. If you could coalesce and provide support to a range of them, it's a good thing to do. Yeah, you're absolutely right.

We have this term we call the cyber underserved. We usually refer to that within the local government community, but it's not only the local government. So you mentioned nonprofits and businesses, especially small businesses. And at the end of the day, this really is an ecosystem, whether you're talking about Canada, the U.S., Europe.

It's an ecosystem of local governments, businesses, nonprofits, NGOs and private citizens coming together to fuel the economy, delivering services, using those services. All of those are at risk, from a cyber attack perspective, they're all at risk at any given time. And, you know, there's really a lot of connective tissue, I think, and schools in particular are a focal point of the community. They provide services well beyond what we think of as education for students.

It really is an important piece. Often a school can be the focal point of a small community, particularly, and even a larger community would be that neighborhood or whatever. When schools close, sometimes there are towns that are small enough that they're the biggest employer. They provide a lot more to the community. Interesting.

I think a lot of these smaller organizations have for years thought that they were, they had the security by obscurity, that no one's going to attack a small organization, no one will come after them. I don't know the situation in the U.S. I think we're going to find out from you, but here in Canada, we found that these smaller organizations are being targeted because they're easy. Is it the same in the U.S.? Well, I think there's two big things. So you hit on one of them, which is it's easy.

The attackers that are out there at the end of the day, they're looking for a quick way. Most attackers that impact local governments and small organizations have a financial motive. They're just trying to get a buck quickly. So I think low-hanging fruit is a huge piece of it, right? Whatever is the easiest. This is something we've seen over time, particularly in the K-12 and school space, but in the local government space and nonprofit space specifically, their budgets are public information.

And so an attacker can actually see information about a school budget, a town budget, or any public organization, nonprofit organization, and they see a dollar sign. It doesn't matter to them that every dollar in that budget is already assigned to something, right? It's already allocated. They just see a dollar sign. So they would think that these organizations have way more money than they actually do. Even the small ones, right?

A small district somewhere, from a pure numbers game, has a relatively large budget, right? From an attack perspective, you're seeing a couple of million dollars, but that's an attractive number as an attacker. A lot of these places, some schools and small communities are the largest employer. There's a number of people working there. They have a significant payroll. Doesn't mean they've got a lot of money to spend. We all know they don't.

One of the problems is how can they spend money on cybersecurity? Let's go to your report. You've got 5,000 organizations, K-12, on this. Our total number of organizations that we support today is over 18,000. The largest single sector, across all of our members, is K-12. So that's where that number 5,000 comes from. We see data around these schools, all 5,000 of them. We don't actually have telemetry for all 5,000 of them, but any of them at any time can send us information.

We talk to schools. We're integrated with them. We're having conversations with them all the time. A number of them also have sensors deployed on them from our organization or they're shipping logs to us, telemetry that they have, logs or data that's inherent in their environment, but it's not something that we run through our SOC. I should probably explain what a SOC is: a security operations center. Thank you for explaining the term.

I never know at what level I should be explaining them, you know, but even somebody who's been around a long time often hears an acronym that they don't, they don't quite get. That happens to me all the time. We love our acronyms, right? Oh, we certainly do. And sometimes we don't even know what they mean. So if you're anybody out there listening, always ask. If somebody makes fun, they're not worth it. Um, most people will explain what an acronym is if you ask them to do it.

So let's talk about the study and what the big impact there showed: a big rise in attacks. Well, it's always interesting because not just our telemetry, but our membership grows year over year. So you always have to account for that too. It's not a static number. Sometimes the rise in attacks is also in proportion to the fact that we're adding more organizations year over year. Our growth rate of organizations that we support is actually pretty phenomenal.

So you always got to take those numbers a little bit with, you know, a grain of salt. But yeah, we are absolutely seeing attacks historically year over year, not just this report, which covers from mid 2023 through the end of 2024, which is an 18-month period. And really, if you go back further in time, we have steadily seen attacks against the K-12 sector grow year over year. They're targeted by ransomware actors. One of the other numbers that jumped out to me was 9,300 confirmed cyber threats.

You got a population of 5,000, you get an 18-month period, 9,300 attacks. That's pretty much one for everybody and some change. So I should probably point out how we identify. So we, the terminology there, right? So that terminology is 9,300 confirmed incidents. That doesn't necessarily mean a complete intrusion, but it's the way we detect and escalate things.

We're constantly looking for cyber security events on a network. A lot of those events end up being false positives or they end up being mitigated by some detection tool somewhere down the line. Anything that we look at that we say, okay, this is definitely not a false positive and it doesn't appear to have been blocked. This is evidence of a piece of malware on the network.

This appears to be a member who clicked on a phishing link, who's actually interacting with the malicious website that's collecting information. Any of those kinds of things are considered incidents. It doesn't necessarily mean an intrusion has happened, but an incident can always lead to an intrusion, right? So that's the concern. The 9,300 are incidents that occurred. Those are things that we detected and escalated.

Now it's our opportunity to work with those schools, the directors and the staff of the schools, to make sure that we're mitigating those before there is an actual intrusion. I'm going to assume that the same thing applies from the commercial sense to the school sense. These cyber criminals will always come at you on a Sunday night or on a holiday. We see some interesting patterns in the K-12 space. We actually see patterns where there's spikes of activity at the start of the school year.

Which is typically the end of July, August or early September for most districts in the U.S. We also see spikes right before midterm exams, and right before end of the year exams. We don't know exactly why that is, but putting our critical thinking hats on, why would those times, right at the start of the school year, right at the midterm period, and right at the end of the term period, be interesting times for attackers to go after them?

Because those are times where there's increased pressure on the school district to respond. From the attacker perspective, respond positively to them, right? Meaning there's pressure on them to pay the ransom and to pay it quickly. So the interesting thing is even for a relatively low value attack of the organization, but where you reasonably think they don't have a lot of money, they're still doing their homework. Oh yeah, absolutely.

So you're talking about like not having a lot of money from the criminal side to pay the ransom. Think they might be fooled by the budgets too. They're investing some time in this, if they're studying this to find out when you're doing your exams, all those sorts of things. This isn't just, well, let's hack a school. They're going after this. Let's hack a school and find the right time where the pressure is the highest on the school district to pay.

It's the same reason why we see ransomware actors going after a town or city. They'll go after the utility, right? If they can turn the water off, that puts an additional amount of pressure on the city to pay the ransom. It's a lot different than taking down the tax collection database. There's not as much pressure on them to get that back up and running. But if you start impacting the water systems, there's a lot of pressure to resolve that quickly. What else did you learn from this study?

What were the big things that jumped out to you? I think some of the biggest things that we see is it confirms a lot of things that we've known for a long time in terms of what the most common attack types are. So we actually saw major spikes in human-centered or human-focused attacks, but what was actually really interesting. So we saw, you know, massive amount of, of phishing domains blocked.

So we know phishing is the number one vector for threat actors to gain initial access to an environment, large increase in malvertising attacks, which was a bit of a surprise to me. And so what malvertising is, those are essentially malicious advertisements, right? Malvertisement is malicious advertisement. So what that is, is malware or some other form of malicious code introduced to an environment through an advertisement placed on a website.

So you think about from the school perspective, what kinds of websites is a school most likely to go to? Probably a lot that mirror the rest of society, but news sites, sports, maybe some education or ed tech type organizations. If you can buy ad space in those environments and embed some malicious code, it's a great opportunity to cast a very wide net and infect as many devices as possible.

And are the schools linked with school boards? Where does the overall management and protection come from in your area? It's a really good question. It's kind of all over the place in the U.S. The way that schools operate differs from state to state and region to region. Most public schools do have a school board of some sort. The function of those school boards can differ. In some cases, the school board primarily is responsible for financial management.

In some cases, they're responsible for much more. Some schools have dedicated IT staff. And some really well-resourced schools may actually have IT staff that includes cyber security staff. On the whole, though, in the U.S., most schools, if they have an IT person, they're dual-hatted to perform those cybersecurity functions. We've actually seen schools that, it's going to sound like a joke, but it's not.

We've seen schools where the school nurse is also the IT person because the server happens to be located in the nurse's office. Or somebody who has a business management function in the main office is also the IT director because they're the most skilled with computers. Oftentimes they'll work with an outside provider, a managed service provider, to implement technology.

But I mean, it runs the gamut in terms of how these organizations function, what resources are allocated to them, and not just financial resources, but people resources and experience and technology. Some of the technology is really outdated. Some of it's very modern. I find that amazing because in Canada, it's a school board responsibility to take care of the administration of schools and to provide the IT support and things like that.

At least I think in most cases, you might have a teacher in some places that knows how to work the projectors or some of the computer equipment. But for the most part, it's done with school board and they're still under-resourced. Some of the school boards here are quite large, but they don't have the budget to handle cyber security. Even from a proactive point of view, when it comes down to recovering from a cyber incident are going to be really, really in trouble.

Yeah, I mean, it's a challenge not limited to the school sector. That's the case in local government in general. They're limited to the funding they have available. And to the people who want to work in local government or schools, probably not going to get rich doing that, right?

They could, if you have a particular skill set in IT or cybersecurity, and you have the choice of going and working for an organization like Google or Sony and making 250,000 a year to stay home or making 50,000 a year and having to be in the office across town, you really have to find the people who are dedicated and want to be public servants. They're unfortunately hard to come by. And I think in the IT and cyberspace in many cases.

And even in Canada, I honestly believe teachers are better paid on average in Canada, at least relative to most of the U.S. Still, always was laughed at. These people were saying, you know, the teachers make big money. My parents managed to keep us fed, but that was about it. Teachers are criminally underpaid in my opinion. And it's not just the teachers. It's the administrators and the staff, for what they provide.

But the net result is that you can't attract the type of staff who would, and you know, there's nothing wrong with it. There's a shortage of people in cybersecurity, the compensation reflects that shortage, and it's really hard to find people. What else came out of the report that you looked at and said, wow, I really learned something from? Well, you know, a lot of it is stuff I see every day. I live in this world every day.

So looking at the data, and we slice and dice data all the different ways. And it's always interesting when you go by sector and say, oh, this is interesting. Like this particular malware, this downloader or this RAT, which would be a remote access Trojan, it's much higher percentage in this vertical than in this other vertical. Those kinds of things are always really interesting.

We saw about 60 percent of the total malware impacting schools was something called SocGholish, which is a JavaScript downloader. It's actually kind of interesting because we did see a spike across all sectors, but not to that extent in the other sectors. K-12 was by far the largest, where SocGholish was particularly focused. And what does it do? It's a JavaScript, but what does it do? It could do a number of things.

It's basically a downloader, so it can be used to download other forms of malware. It's often been connected with a couple different RATs. So one of them, the big one is Arat. And we've actually seen some evidence where SocGholish has been tied to different ransomware campaigns.

And so for the most part, not a surprise, but most of the malware that you're seeing is coming in through a mistake or phishing. Human intervention usually, or lack of intervention sometimes, I guess that's so that you're seeing. What about supply chain? We had PowerSchool up here. I'm sure it went through the U.S. as well. For the audience that might not know, we've covered it as a story, but the PowerSchool was basically a system that is used by schools.

It helps, I think, with marking, with a lot of things, but they were hacked. A lot of our biggest school boards here in Canada found a lot of data leakage. They may not have a lot of money to pay, but the value, or at least the threat of leaking the personal information they have from children. Well, this was a big deal for us in terms of the exposure that it led to. Certainly the schools in the U.S. were impacted by PowerSchool.

I think I've read something like a hundred thousand organizations globally that were impacted by that breach. It was a significant impact felt across the entire world. It wasn't just limited to the U.S. and Canada. But, yeah, I think the point you're making, about the data being one of the highest value assets a lot of people don't think about, is that data has really wide-ranging impacts. So think about what's in school data, right?

It's not just personally identifiable information like PII. There might be health information in there. There might be data about economic status. There's contact information for parents and emergency contact information. Maybe there's information about the parents' jobs, in some cases work hours, if the kid is in an after school program or not, if the kid is on a lunch welfare kind of program. So they might get reduced lunch or free lunches.

So if that kind of data is for sale and that ends up going, in the criminal underground to people who have a nefarious purpose outside of cyber, now you start getting into human trafficking and feel that really going after child trafficking, that is a rich data set. That's a way to identify the most vulnerable people in a given community. That's absolutely terrifying to me.

And we know that there are a lot of attacks on children, allowing that information to get out there where people could actually start to get in touch with children, to all of the things that, like I said, as a parent, I didn't want to think about it. Want to cut the cord to the computer some days. But, you know, there are people who will misuse that information in terrible ways. The value of the data that the schools have is beyond precious to some people, right? Exactly.

So if it is, and we know this, what should we be doing about this? What could we be doing to better help schools protect the data or for schools to protect this data? It's a tough question, right? Supply chain piece is actually really difficult to solve because that's outside of the schools. This is where we have to start holding the vendors that are providing capability accountable.

There are some things that you can do as a user. You can ensure that they're meeting specific security requirements, but you have to know what to ask. So becoming educated on what are the things that I should expect my vendors to maintain. What GRC, governance, risk and compliance, policies and procedures should they have in place? What kinds of cyber security protections that they have in place? What is their incident response policy?

Are they using multi-factor authentication on their side, which it appears that might have been what was bypassed in the PowerSchool case. There's a number of things we have to be able to do. Effectively educate the educators and the folks who provide education to our communities on what they need to look for. That's a huge part of it.

But I think the other part of it that you kind of touched on earlier when we were talking about the initial infection factor, you said, well, sometimes it's a user who did something or maybe forgot to do something. And that's why we ended up in the situation that we're in. So I think there's this idea in cyber security that we have backwards where we put all of the onus for security onto the user. And then we kind of name and shame them in many cases when they screw up. But take it out of cyber security for a minute, put it into any other context. Imagine you're buying a car.

You buy a car, you get in the car and then realize there's no seatbelt. You go back into the dealership and say, Hey, where's the seatbelt? Isn't that a safety feature? And they go, Oh no, that's your responsibility to go buy from AutoZone and put it in. Right. You start driving down, you realize there's no brake pedal. You're like, what the heck? There's no brake. And they're like, Oh yeah, don't forget the brakes too. But that's what we do in the cybersecurity context.

We put all the security on the user. Which is insane. We would never do that in any other context. And, you know, as my friend David Shipley, they do a lot of cybersecurity training in, mostly dealing with phishing. And one of the things he's always saying is you can't shame people or they'll just take this underground. You know, they'll hide errors rather than come back. And I think that's probably the same in this area if we start saying, it's the user's responsibility.

I even hate asking the question in those terms. I know that if you're a cyber security professional, you know that most hacks start by a human either failing to do something or not doing something or sometimes being fooled. But there's a human factor to all of them. That doesn't mean that training all of the time is going to be the only solution. We still have to protect people and educate them at the same time.

Is there no movement afoot to do that on a more global scale for schools, or is that something your organization tries to take on? Well, there are some conversations happening within the U.S. and beyond, with the concept of things like secure by design, building security in, regardless of the purpose of the tool. I think, you know, you've been in this field for a long time. Um, I've been in the field for a long time. When I came into cyber security, we didn't call it cyber security.

It was called information security. When I entered the field, you had information technology and information security, and they were two separate fields. And the idea of IT was, our job is to make systems available for people.

And the idea of information security was, well, our job is to restrict unauthorized access to data. I still think this, 20 plus years later, we still haven't quite figured out that cyber security is part of information technology and that you can't guarantee availability for systems if those systems are vulnerable to attack right out of the gate, right? You have to build security and bake security in from the ground up. It cannot be something that we tack on after the fact.

It's a community, right? Isn't it really a global community? We have to put pressure on the developers of the technology to bake security in just like, back to the car analogy, there was a period of time when cars didn't have seatbelts and when seatbelt laws came into effect, people freaked out about it. They didn't want to have a seatbelt, but I think we're at that point in the world where if you saw a car without a seatbelt, it would be so bizarre, that's what you'd be focused on.

Everybody would be like, where is the seatbelt in this car? We need to get to that same perspective in the software development world, where we go, where are the safety features in this? And they go, well, you have to add those. No, then I'm not buying it. I'm going with this other product that has the safety features built in.

And you bring up the question of security by design, or in Ontario where I live, we had privacy by design, and it was this idea that you need to build this in, you can't paste it on and it just never works. If you try to bolt security on after you've built something, it's never going to be as effective as it is if you build it in. And I think building it into your cultures is a similar type of thing. But again, if you're dealing with old individual schools without anybody having an overall overarching sort of support for it, that's another big resource strain as well. And it's something you can't expect a school to do. No, that's very true.

One of the things I wanted to ask you about, did anything come up in your study about artificial intelligence and what that is doing in terms of providing another attack vector, or at least a risk element that is brand new? So not in this particular study, we didn't focus on AI at all for this one, but we do focus in that area quite a lot.

We have a number of teams on the operation side that provide support to the MS-ISAC. That's providing direct operational support to the state, local, tribal and territorial community. One of those teams is the cyber threat intelligence team, and one of their chief focus areas for the last two plus years has been on AI and in particular deep fakes and the use of deep fakes to inform social engineering attacks. That has been a huge part of their research.

We've put out a number of white papers and blogs on that topic. We were really focused on the impact of Gen AI in the election space in 2024. There's plenty of data available on the CIS website, cisecurity.org. People are interested in what our studies have shown in that AI space. The reason I brought this up is because especially in terms of schools, it's that same thing. I tell people this, you know, my, my dad was fooled by the old trick. And this is a long time ago.

Somebody phoned up, just garbled there, you know, over the phone. My dad fessed up to me that he'd actually sent money to this person. He was sort of sheepish about it. He, my dad was a highly educated man, a very intelligent man. He looked at me and said, Jim, it's two in the morning. It's your brother. I wasn't thinking right. I was thinking, with deep fakes being the next risk for children, that would be a big area that, that I think that yeah.

Again, we're going to need to put some time and energy into, to help people cope with that as, as AI gets better and better at being able to fake things like even a kidnapping or anything like that. Yeah, I think one of the scariest things is you can tell generative AI to take on a role or a personality. if you have enough data to feed it, you can make it sound exactly like the person in terms of the kinds of things that they would say, right?

So we're actually seeing AI used in business email compromise attacks. If you feed it enough email data from a person, it can write an email that sounds exactly like that person. Add the deep fake layer in and now I would be incredibly impressed if any normal person could detect that. I really think the only way we would be able to defend against that is with other AI tools. Yeah. It's certainly made phishing incredibly powerful. You don't know anymore.

You're getting emails that are fairly well tailored to you, and scarily so sometimes, but also the idea of interactive deep fakes is not far fetched anymore in terms of being able to use them as a threat. Just to circle back around to this, I want to come back. What are the main takeaway points that my audience should take from the survey? And we will put a link to it so people can read it as well. Did we catch all the takeaway points that you think we should be telling these people about?

I think we hit most of them. I think we talked a bit about the humans being the primary target. And I think we talked about the other side of that coin, which is if we continue to focus on humans as a weak link, then they're going to fulfill that prophecy, right? We have to find a better way to talk about how humans can better protect themselves and really take the onus off of the individual user. We talked about the timing of the attacks, end of year exams, midterm exams.

One thing we didn't really talk about is what happens when a ransomware attack hits a school. We talked about the schools being a community focal point. But we didn't really talk about what happens when ransomware takes a school offline. It's far more devastating than just a missed school day, right? Some kids only eat at school, so there's potential for missed meals. There's missed classes. There's people who can't get access to their data to fill out their college applications.

Parents are missing work because they have to be home with their kids. Can a school function without the tools that they have? Even post-COVID there's remote learning going on. Marking, all those sorts of things that we once used to have on pen and paper that are now automated. There's no way to go back. I joke about this all the time. I'm old enough to remember when people would say the system is down, we have to go manual. And now people would just laugh, like, what do you mean?

And I presume a school is the same, that you can't operate without, without getting, particularly even security systems, all of these things need to be working to operate the school. And sending the kids home, some parents just depend on the school as daycare. They need it so they can have a job. There's a big implication. There's also extracurricular activities. Sometimes the kid is at the school from 7:30 in the morning. They get their breakfast and their lunch there.

Then they have an after school program. They might be at the school till six o'clock at night. And yeah, you know, that's not available. I mean, that's a huge impact to the families and really the entire community. So what would you like to see happen in education? What would you like to see done differently, if you had the power to do it? Well, that's a really great question.

I think the first thing I would do, if I had my magic wand, I would get everybody up to a certain baseline of security. There's always a balance in terms of system availability and system security, right? The security professional would love the 100 percent secure system that's not plugged into anything, and it's in a Faraday cage with pressure sensor plates on the floor and all that kind of stuff, but you can't use that.

So we have to find balance to get everybody up to at least the minimum watermark that no school is considered low hanging fruit. I think we could do that. It's not easy. It certainly takes resources to do that. But if we could, if we could find an easy way, I think we do actually have a framework for it. The CIS Controls Implementation Group 1 is where I would recommend every school start. But that's a great opportunity.

I think get everybody to implement essential security controls. And then the other thing I would say is find your community. It doesn't have to be the MS-ISAC community. It could be a local network. It could be a risk pool that you're connected in. Whatever your community is, we should never be alone when fighting through some of the challenges that we have. And I think the only way we're really going to get there together is through partnerships.

So we have to create those networks of folks that we can rely on. My favorite Canadian philosopher, Red Green, always said, we're all in this together. Randy, thank you so much for this. This has been great. It's interesting to be able to take some time to look at this through the lens and even if you're not in the school sector, to be able to sit back and say, wait a minute, how can we make this better? It is an area of tremendous vulnerability.

It's getting more and more affected, and something that we really do have to deal with. I really appreciate you having me on here. As somebody who's worked in education a little bit, I'm an adjunct professor. I'd never been in the K-12 space specifically, but I have the pleasure of working with a lot of K-12 IT staff and I just know they are absolutely dedicated to what they do, and anything that we can do as a community, as a global community or as a local community to support them and the schools, I think it's absolutely essential that we do that.

Amen. My guest today is Randy Rose, VP of Security Operations and Intelligence for the Center for Internet Security. The report we've been discussing is the 2025 CIS MS-ISAC K-12 Cybersecurity Report, Where Education Meets Community Resilience. We'll put a link to it on our site or at least on the show notes so that you can find it.

Thank you for spending your weekend with us. You could have been doing something else, but you took time to listen to the program. So thank you very much. I'm your host, Jim Love. I'll be back on Monday morning with the cybersecurity news.

Transcript source: Provided by creator in RSS feed