The Top Cybersecurity Threats Schools Face Today
So, what exactly are schools and districts dealing with? The most common threat is social engineering attacks, which includes phishing, Attai explains. Phishing is a tactic scammers use to trick users into giving them confidential information such as passwords and network credentials or installing malicious software through fraudulent downloads or attachments. According to CoSN, it’s how over 90 percent of cyberattacks start.
In April, the FBI released a public service announcement warning against cyber actors taking advantage of the shift to virtual environments and launching pandemic-related phishing campaigns. Their campaigns run the gamut from impersonating government agencies asking for bank account information to issue stimulus checks to fake businesses pretending to sell personal protective equipment.
Those campaigns are something many educators could easily fall for. “People in school districts are generally trusting. They want to be responsive and help people,” McLaughlin says.
Ransomware attacks, which involve bad actors encrypting data files and systems through malicious software and requiring districts to pay a ransom to regain access, are also another huge threat to school districts. McLaughlin explains that these attacks are particularly challenging in a remote environment because a lot of systems aren’t necessarily set up to be automatically patched once they’re off the network.
Mikela Lea, principal field solution architect for CDW•G, says in a webinar that ransomware attacks typically start with a phishing email. But these attacks are not limited to phishing campaigns, Lea says. Cyberattackers also exploit open Remote Desktop Protocol (RDP) ports and Server Message Block (SMB), a protocol used for file sharing and access to remote services, to spread malware like wildfire.
McLaughlin also points out that users accessing blocked websites has become a bigger challenge with everyone working remotely. “A lot of school districts originally set up their web blocking based on an on-premises solution as opposed to a roaming solution that would support students and staff when they are offsite,” she says. “I know districts are moving really quickly to fix that, but the remote paradigm is just very different from what they’ve had in the past.”
Lessons Learned After Suffering a Cyberattack
One important lesson is figuring out how to best operate and communicate in a crisis, Attai says. Going through that experience enables school districts to create an incident response procedure if they don’t have one already, or update and test existing guidelines after a cyberattack. “That makes the difference in it turning into a significant incident or having it be controlled and contained and be much less impactful,” she says.
School districts have also learned that building a culture of data protection is important. However, it takes a lot of work to do so. “It requires policy and procedure, time, consistent training and consistent communication,” Attai says. “And in the context of the massive volume of responsibilities that many in a school system have, the IT professional is often pushing the boulder uphill to make this a priority to their organization.”
Further, while IT leaders are working to build awareness about cybersecurity issues, the information is still all very new to the rest of their school districts. For instance, many cyberattacks still happen as a result of behavioral issues, Attai says.
Watch how IT leaders manage cybersecurity during remote learning.
“It’s often not the technology that fails. It’s individuals behaving in ways that put an organization at risk by not using a complex password, or showing reluctance to using multifactor authentication,” she says. “These are the kinds of simple behaviors that we emphasize but often aren’t followed across school systems, where sometimes convenience wins over cybersecurity hygiene.”
That’s why educating users is so important, especially with looming budget cuts that may affect spending on security improvements such as firewall upgrades and higher-level endpoint protection, McLaughlin says. But that training needs to be ongoing and should include everyone in a district. Training can cover basics like creating strong passwords and helping people identify and communicate with IT staff about phishing attacks.
“And I don’t mean just 15 minutes at the start of the school year; I mean ongoing messaging throughout the year that makes safety a part of the school culture and is embedded in how we teach and how we learn,” she says. “The key learning piece is that you can’t treat cybersecurity as a one-and-done. It’s not a checklist that you go through, because the next day, the entire environment has changed.”