“These curious kids can cause disruption to networks and systems, access private data without authorization and generally cause havoc for the district tech staff,” says Ryan Cloutier, principal security architect at the government public services cooperative Sourcewell Technology.
The impact of such attacks can be dramatic. A ransomware strike can take school systems down for weeks, and data can be lost if a school refuses to pay the ransom and doesn’t have good backup systems in place.
The consequences of successful phishing attacks can be even more devastating. Levin paints this scenario: A hacker plans an attack knowing that a school construction project is underway, targeting either the school district office or the contractor.
This leads to the disclosure of confidential information and opens the door for the hacker to change the contractor’s bank account routing number so that a payment for an invoice is diverted to an account created by the criminal.
“They could be scammed out of over a million dollars,” says Levin. “If those criminals transfer that money overseas, there’s little recourse available to the school district.”
Things could get even worse if teachers’ or students’ private information is stolen. The K–12 Cybersecurity Resource Center’s 2018 "The State of K–12 Cybersecurity Year in Review" report says that student data was included in more than 60 percent of K–12 data breaches in 2018, and that 46 percent of all K–12 digital data breaches included data about current and former school staff, such as payroll or other personnel records.
Stolen W-2 data means that criminals can file false tax returns in the names of the students, faculty or staff whose information they stole.
When it comes to the kids, “the younger a student is, the more their information is worth on the dark web,” says Greg Stockstill, director of technology services at the Region 16 Education Service Center, one of 20 public agencies that support schools in the Texas Panhandle and also the cybersecurity state lead for 12 state ESCs. “It could be 12 years of someone using that identity before anyone knows that it was stolen.”
Challenges to Fighting Cybersecurity Threats
District technology leaders have recently become more aware that their schools may become victims. But generally speaking, it’s difficult for IT decision-makers to be as engaged on this front as they’d like to be.
For one thing, budgets are often limited, and the thinking tends to be that IT costs a district money without yielding big ROI, says Stockstill. It’s hard to make a business case that better security leads to better test scores, for instance.
Security tools can be very expensive as well, Cloutier points out, and complicated to use. “Making the ability to identify, detect, respond to and recover from cybersecurity events in a timely fashion is very difficult for the average school,” he says.
Volume and variety add to the struggle. “K–12 IT leaders have gone from managing a couple of operating systems, a handful of apps and a few hundred devices to managing hundreds of versions of operating systems, apps, extensions and thousands of devices,” says Josh Mayfield, director of security strategy at endpoint security technology vendor Absolute.
That increases the footprint and adds to the complexity of software and systems that must be secured.
“It’s not surprising that schools simply don’t have the bandwidth to be as prepared as they should be for an inevitable cybersecurity incident,” he says.
Additionally, while school districts may have IT staffers who are experts in networking, server management and other general tech functions, those individuals don’t necessarily have the skill sets to shore up information security.
That said, it’s important that district IT leaders take whatever steps they can to be prepared. Stockstill says that ESC16 was able to spread the cost of hiring a cybersecurity specialist across 45 of the school districts it serves, for instance.
Two-factor or multifactor authentication is an effective defense against phishing and unauthorized access, Levin says, though rollouts can be slow. Of course, there’s the option to buy cybersecurity insurance, but it’s important to understand just what the policy’s requirements are, says Cloutier.
“You may be required to notify and work with the experts the insurance provider chooses,” he says.
The IT basics of visibility, control and resilience need to be operating effectively, Mayfield says, so that it’s easier to ensure security control.
“You can ensure your internet safety policies are being adhered to and set controls to be alerted of suspicious activity or noncompliant devices,” he says. “For example, you can detect and uninstall unauthorized apps like rogue VPNs. You can also use geofencing to put limits on the geographical area of the devices and use theft reporting to cut down on device drift and loss.”
It won’t cost much to build awareness of cybersecurity threats and provide training to staff and students on how to help prevent incidents. That’s a clear must. “Everyone needs to be aware of their roles in safe online practices,” Levin says.