Over the past few years, schools have had to cope with a more sustained cyber threat than ever before.
According to MS-ISAC statistics, the percentage of reported ransomware occurrences targeting K–12 schools rose dramatically at the start of the 2021 academic year. In fact, 57% of the ransomware instances reported in August and September affected K–12 schools.
These harrowing statistics rang alarm bells for schools and policymakers, who are under growing pressure from increasingly targeted attacks. In fact, a recent statement from a coalition of school networking bodies stated:
“The recent cyber-attack on the LA Unified School District, along with hundreds of similar attacks on schools, libraries, and other educational institutions over the past few years, highlights the urgent need for federal officials to take immediate action to protect our nation’s educational entities from cyber-attacks.”
Unfortunately, most school districts don’t have the budget to hire and retain full-time IT security staff. This means that there are a lot of very hard-working, dedicated IT generalists in education. They are expected to be able to do everything on their own, with very little support. Through no fault of their own, they often have neither the cybersecurity training nor the time to recognize or respond to security threats.
Many schools’ broadband and networking are funded with the help of E-rate, a program providing funding towards eligible services for schools—but its security aid is limited. This means many schools are using outdated security technologies that don’t go far enough to protect sensitive, personally identifiable, and financial information.
Let’s dive into how schools can be well-equipped to deal with upcoming cybersecurity threats without breaking the bank.
Know the main threats
Before discussing how to secure data, schools need to be aware of what the most significant threats are.
Vendor security errors are one of the most prominent. Take the Illuminate Education data breach incident, which impacted approximately 820,000 pupils and alumni in New York by exposing their personal information, and roughly 4 million students nationwide. Additionally, the school communication app, Seesaw, was recently breached, and links to an inappropriate meme image were emailed to parents and teachers. These are two high-profile incidents that highlight how outsourced security is vulnerable too.
Ransomware is another considerable threat impacting schools in 2022, and it seems like it will continue to be among the biggest threats in 2023. Several high-profile ransomware attacks have occurred in recent weeks, including Los Angeles Unified School District (LAUSD) and Savannah College of Art and Design. This prompted a joint school cybersecurity warning from the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and Multi-State Information Sharing and Analysis Center (MS-ISAC).
Lastly, it goes without saying that internal data leaks account for by far the highest number of data exposure incidents. However, they are harder to record because they often originate from internal accounts (“trusted users”), and so they are rarely detected.
Work out the first-step solutions and who is involved in planning
The stakeholders involved in planning for better cybersecurity depend on the school district’s size, complexity, organizational structure, and culture. However, we recommend involving the technology department head and at least one representative from the education technology and district administrative leadership department.
It’s also a great idea to have someone from finance or business management involved in the planning process. They can help with the cost/benefit analysis of different approaches and usually better understand the importance of securing financial data.
Additionally, depending on the type and severity of the attack, law enforcement and insurance representatives may need to get involved in incident response. Therefore, it’s a good idea to involve them in at least some aspects of the planning process. For example, cyber insurance policies will have documented incident response requirements. You’ll need to know what those requirements are, and potentially involve your representative to ensure you’re properly incorporating them into your response plan.
Further, many education tech leaders I’ve talked with have shared the value of developing close relationships with local law enforcement before an incident occurs. Knowing what type of incidents to report, and who to report them to, can save precious time and energy when it’s built into an incident response plan.
Once this team is formed, it should outline the steps needed to improve security and response, and prioritize them. The “low-hanging fruit” should be to immediately set up strong passwords and multi-factor authentication for administrative staff. From there, the team can create a list of approved vendors and start the process of vetting potential new vendors. Vendors that store personally identifiable information should also be covered by data-sharing agreements.
Another vital initial step is ensuring that traffic within your network and cloud domains is being monitored. This will allow you to detect abnormal behavior and remove access when accounts are compromised.
Learn from previous incidents to improve cybersecurity
If you’re an optimist, you can view the many cybersecurity incidents impacting schools with one silver lining—that we have many incidents to learn from to improve cybersecurity controls and processes going forward. Here are a few of the top “lessons learned” to take away from recent attacks.
IT teams must adopt a zero-trust cybersecurity strategy to improve their data security. Zero-trust security isn’t a tool or technology; it is a way of thinking that enables them to plan for protection and incident response in today’s extended, perimeter-free computing environment. Students, teachers, and staff aren’t just logging into school resources on the building network. They’re logging in from home, the library, and almost anywhere. They may be using a school-provided device with school-provided endpoint security enabled, or they may be using their own devices. With all of these factors happening outside of a controlled environment, district technology teams need to “trust no one” when granting access to files and information.
Unfortunately, schools are still heavily reliant on network-based content filters and firewalls, despite most of their data and technology infrastructure being in the cloud, which is outside of the network. The network firewall, web content filter, and native email phishing filters just don’t cut it anymore.
A zero-trust cybersecurity approach means schools must monitor their on-premise networks and cloud domains for suspicious activity. They can do this in-house, by outsourcing, using monitoring technologies, or using some combination of the three. But they must be doing it if they want to protect their information systems from attack and be able to respond quickly when a breach occurs.
Another important lesson learned is that districts need to implement a ‘containerized’ IT structure, whereby admin-level access is only granted to the few users who need it. I have heard so many stories of superintendents demanding admin-level access, who consequently put their schools at risk by making decisions without the technical team’s knowledge. Or they fall victim to a phishing email, and suddenly, a criminal has admin-level access to the district’s environment and can access information, make changes, and more using the superintendent’s account without raising any red flags.
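The three controls discussed above (MFA for administrative accounts, monitoring cloud domains for abnormal sign-ins and removing access when an account looks compromised, and keeping admin rights to an approved few) can be checked together from a cloud audit log export. The script below is an added example written for this article, not code from any district or vendor; the log format, field names, the approved-admin list and the sample events are all constructed assumptions.

```python
import json

# Constructed sign-in events for a fictional district's cloud domain (made-up
# sample data, not real logs). Field names are assumed for this example.
SIGNIN_LOG = """
{"user":"superintendent@example-district.org","role":"admin","mfa":false,"country":"US","action":"login"}
{"user":"tech.director@example-district.org","role":"admin","mfa":true,"country":"US","action":"login"}
{"user":"principal@example-district.org","role":"admin","mfa":true,"country":"US","action":"login"}
{"user":"superintendent@example-district.org","role":"admin","mfa":false,"country":"RO","action":"login"}
{"user":"superintendent@example-district.org","role":"admin","mfa":false,"country":"RO","action":"export_records"}
{"user":"teacher1@example-district.org","role":"user","mfa":false,"country":"US","action":"login"}
"""

# The "few users who need it": the district's approved admin list (assumed).
APPROVED_ADMINS = {"tech.director@example-district.org"}


def parse_events(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit(events, approved_admins=APPROVED_ADMINS):
    """Return unique findings plus the set of accounts to disable.

    An admin account is treated as likely compromised (disable it) only when it
    signs in without MFA *and* shows up from a country it was never seen in
    before; a single weak signal only produces a finding for human review.
    """
    findings = set()
    baseline = {}   # first country seen per user serves as its 'home' location
    weak_mfa, new_country = set(), set()
    for e in events:
        user, is_admin = e["user"], e["role"] == "admin"
        home = baseline.setdefault(user, e["country"])
        if is_admin and user not in approved_admins:
            findings.add(("high", user, "admin role not on approved list"))
        if is_admin and not e["mfa"]:
            findings.add(("high", user, "admin sign-in without MFA"))
            weak_mfa.add(user)
        if e["country"] != home:
            findings.add(("medium", user, f"activity from new country {e['country']}"))
            if is_admin:
                new_country.add(user)
    return {"findings": sorted(findings), "disable": weak_mfa & new_country}


if __name__ == "__main__":
    result = audit(parse_events(SIGNIN_LOG))
    for sev, user, reason in result["findings"]:
        print(f"[{sev}] {user}: {reason}")
    print("disable:", sorted(result["disable"]))
```

On the sample data the superintendent's account is flagged for disabling (no MFA plus activity from a new country), while the principal's unapproved admin role is only reported for review.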
When it comes to implementing stricter security controls, it can be a balancing act communicating this to the broader school community. The tech team needs to be seen as a force for good and protection, rather than one of judgment and belittlement. That way, staff, teachers, and students are more likely to embrace security initiatives and be generally more privacy-aware.
Finally, administrative leadership must take cybersecurity seriously and approach it as a critical strategic initiative to enable student education and protect public funds. We all know how disruptive and costly cyberattacks can be on education—one click on a standard phishing email can bring down entire networks, infiltrating systems with harmful ransomware. In 2023, let’s make a concerted effort to intercept the flow of attacks on our schools by diligently planning.