Jun 17 2020

Cyberattacks Increasingly Threaten Schools — Here’s What to Know

With the shift to virtual classrooms, districts need to be extra vigilant about cybersecurity.

Cyberattacks continue to plague the education sector, and they’re only intensifying.

Since 2016, there have been 855 cyber incidents publicly disclosed by U.S. schools and districts, according to data from the K–12 Cybersecurity Resource Center. There were 348 in 2019 alone, nearly three times the number in 2018.

With the increased use of technology for teaching, learning and continuing school operations in today’s remote environment, schools have also become more vulnerable to cyberattacks.

Microsoft Security Intelligence found that 61 percent of nearly 7.7 million enterprise malware encounters reported in the past month came from those in the education sector, making it the most affected industry.

Doug Levin, founder and president of EdTech Strategies, which runs the K–12 Cybersecurity Resource Center, shares with Education Week that the coronavirus pandemic presented cybercriminals with new opportunities as schools shifted to remote learning.

“With more teachers and students online, particularly if they’re doing it from less controlled environments outside of the school, the attack surface of the school community is increased,” he says.

Thankfully, cybersecurity remains a top concern among IT leaders. It was the No. 1 priority they indicated in a 2020 educational technology leadership survey conducted by the Consortium for School Networking (CoSN).

Yet planning for a strong cybersecurity program will be tricky with uncertainties around what the next school year will look like. “The shift to remote learning opens the door for different points of attack that most school districts weren’t set up to support,” says Amy McLaughlin, cybersecurity project director for CoSN. “They’re vulnerable in different ways.”

To inform that preparation, here’s what school districts should know about the state of cybersecurity today and where it’s heading.

Why Cyberthreats to Schools Have Escalated

Besides IT staff, administrators, educators and other school employees need to understand how serious cybersecurity risks are. Those risks aren’t going away anytime soon, because cyberattackers view schools and districts as easy targets, McLaughlin says. “People generally know they’re not as well-funded for security,” she says.

For a long time, school districts also believed that they didn’t have anything bad actors would find worthy of taking — which is incorrect. “They don’t necessarily translate the concept of data into value,” McLaughlin says.

Many school districts also lack the resources needed to build a strong cybersecurity program, says Linnette Attai, founder and president of PlayWell, a compliance consulting firm, and project director for CoSN’s privacy initiative and trusted learning environment program.

“In many school systems, you don’t even have a full-time employee who is dedicated to cybersecurity,” Attai says. “Oftentimes, you have someone who is also responsible for the technology or responsible for privacy.”

That resource challenge also comes with a knowledge and experience gap. Some districts don’t have employees who have the expertise to effectively manage cybersecurity and develop engaging and ongoing training for the rest of the school or district.

“Building a cybersecurity program is a significant undertaking, and that’s not easy. It needs to be built from the ground up,” Attai says.

The Top Cybersecurity Threats Schools Face Today

So, what exactly are schools and districts dealing with? The most common threat is social engineering, which includes phishing, Attai explains. Phishing is a tactic scammers use to trick users into giving them confidential information such as passwords and network credentials or installing malicious software through fraudulent downloads or attachments. According to CoSN, it’s how over 90 percent of cyberattacks start.

In April, the FBI released a public service announcement warning against cyber actors taking advantage of the shift to virtual environments and launching pandemic-related phishing campaigns. Their campaigns run the gamut from impersonating government agencies asking for bank account information to issue stimulus checks to fake businesses pretending to sell personal protective equipment.

Those campaigns are something many educators could easily fall for. “People in school districts are generally trusting. They want to be responsive and help people,” McLaughlin says.

Ransomware attacks, which involve bad actors encrypting data files and systems through malicious software and requiring districts to pay a ransom to regain access, are another huge threat to school districts. McLaughlin explains that these attacks are particularly challenging in a remote environment because a lot of systems aren’t necessarily set up to be automatically patched once they’re off the network.

Mikela Lea, principal field solution architect for CDW•G, says in a webinar that ransomware attacks typically start with a phishing email. But these attacks are not limited to phishing campaigns, Lea says. Cyberattackers also exploit open Remote Desktop Protocol (RDP) ports and Server Message Block (SMB), a protocol used for file sharing and access to remote services, to spread malware like wildfire.

McLaughlin also points out that users accessing blocked websites has become a bigger challenge with everyone working remotely. “A lot of school districts originally set up their web blocking based on an on-premises solution as opposed to a roaming solution that would support students and staff when they are offsite,” she says. “I know districts are moving really quickly to fix that, but the remote paradigm is just very different from what they’ve had in the past.”

Lessons Learned After Suffering a Cyberattack

One important lesson is figuring out how to best operate and communicate in a crisis, Attai says. Going through that experience enables school districts to create an incident response procedure if they don’t have one already, or update and test existing guidelines after a cyberattack. “That makes the difference in it turning into a significant incident or having it be controlled and contained and be much less impactful,” she says.

School districts have also learned that building a culture of data protection is important. However, it takes a lot of work to do so. “It requires policy and procedure, time, consistent training and consistent communication,” Attai says. “And in the context of the massive volume of responsibilities that many in a school system have, the IT professional is often pushing the boulder uphill to make this a priority to their organization.”

Further, while IT leaders are working to build awareness about cybersecurity issues, the information is still all very new to the rest of their school districts. For instance, many cyberattacks still happen as a result of behavioral issues, Attai says.

“It’s often not the technology that fails. It’s individuals behaving in ways that put an organization at risk by not using a complex password, or showing reluctance to use multifactor authentication,” she says. “These are the kinds of simple behaviors that we emphasize but often aren’t followed across school systems, where sometimes convenience wins over cybersecurity hygiene.”

That’s why educating users is so important, especially with looming budget cuts that may affect spending on security improvements such as firewall upgrades and higher-level endpoint protection, McLaughlin says. But that training needs to be ongoing and should include everyone in a district. Training can cover basics like creating strong passwords and helping people identify and communicate with IT staff about phishing attacks.

“And I don’t mean just 15 minutes at the start of the school year; I mean ongoing messaging throughout the year that makes safety a part of the school culture and is embedded in how we teach and how we learn,” she says. “The key learning piece is that you can’t treat cybersecurity as a one-and-done. It’s not a checklist that you go through, because the next day, the entire environment has changed.”
