EDTECH: K12 SIX documented 50 publicly disclosed ransomware attacks on U.S. schools in 2020. How do these attacks take place?
TARUN: Around 50 percent of all ransomware attacks start with social engineering, and the primary way that works is through email phishing. You click on a malicious link, and the next thing you know, your data has been encrypted and the cybercriminal is demanding a ransom.
What we’re seeing now is the bad actors getting better at convincing victims to pay up. One tactic they’re exploiting is exfiltrating the data before they encrypt it. Then they can say, “If you don’t give us this ransom, we’re going to expose your data to the world.” They’re also threatening to corrupt the data, and they’re even going after data backup solutions and trying to corrupt those as well.
EDTECH: During one two-month stretch last year, more than half of all reported ransomware attacks were against K–12 schools. What makes districts so susceptible to ransomware?
TARUN: One reason is their security solutions often aren’t where they need to be, but they’re also more vulnerable because of distance learning. With everyone spending so much time online and connecting to their school networks from home, cybercriminals are exploiting any avenue they can.
EDTECH: What kind of information about schools and students can be accessed when these attacks are successful?
TARUN: School districts hold an abundance of personal data. Student records, phone numbers and addresses, social security numbers — this is all valuable information. And especially when you consider the fact that most kids don’t have credit established, it can be very lucrative for a cybercriminal to sell or use that data for their own gain. It might be years before anyone realizes a child’s identity has been compromised.
EDTECH: Let’s talk about prevention. What can districts do to prevent ransomware attacks?
TARUN: Your first and best line of defense is your users, so start with security awareness training. Everyone should know how to identify phishing emails and know not to click on dangerous links. Beyond that, make sure you have tested, password-protected backups that are stored offline, and do regular updating and patching of your critical systems. You should also have web application firewalls in front of your learning management system and anything else that’s externally facing.
Network firewalls are important as well, and you should leverage things like network segmentation to separate internet-facing applications from back office applications. And to help prevent email phishing, you should have anti-malware and anti-spam capabilities.
Finally, be sure you have a cybersecurity incident response plan — a guide that outlines the steps to manage incidents such as a ransomware attack. This plan should identify members of an incident response team and describe their roles and responsibilities. You may want to include people from HR, legal and other departments beyond your IT and security teams.
EDTECH: How can Fortinet’s solutions help schools if leaders are concerned they might be the next target of an attack?
TARUN: We don’t do data backups and recoveries, but we do offer cybersecurity training and a number of tools focused on protection. Our free training is offered through the Fortinet Network Security Expert Training Institute, which has one of the largest and broadest cybersecurity training programs in the industry. We have phishing prevention with our email gateway security technology, FortiMail; and we have FortiSandbox, which basically takes malicious files and detonates them before the user accidentally launches them in the environment. Other solutions include our web application firewall, FortiWAF; FortiEDR, for endpoint detection and response to guard against malware; and FortiToken, which prevents credential theft with multifactor authentication.
To tie all those products together, we have a cybersecurity platform called Fortinet Security Fabric. The nice thing about that is it’s backed by FortiGuard Labs, our threat intelligence solution. It helps schools be proactive about attacks, not just react after something bad has already happened.