How to Fortify Your School Networks After a Cyberattack

When cybercriminals targeted Atlanta Public Schools in 2017, they didn’t simply access the district’s data. The criminals stole paychecks from staff members by changing bank account information and rerouting payments into their own accounts.

“About 27 people were compromised,” says Olufemi Aina, the district’s interim CIO. “Our employees had bills to pay such as mortgages, car notes, etc. The first thing we did was to make them whole by initiating direct deposit payments out to impacted employees.”

Those payments cost the district about $56,000, but the total investigative and remediation cost was closer to $300,000. That figure doesn’t account for the additional staff and technology solutions that Atlanta Public Schools implemented in the wake of the incident.

Click the banner to learn more about implementing zero trust to improve security.

When school districts are targeted by cyberattackers, the recovery process is frequently lengthy, costly and stressful. And the rise of ransomware and phishing has created opportunities for hackers to exploit weaknesses in schools’ cybersecurity strategies. According to Emsisoft’s 2023 ransomware report, at least 108 school districts with a total of nearly 1,900 schools were impacted by ransomware in 2023, more than double the number from the previous year.

“Schools continue to be a target, and attacks grow more sophisticated as time goes on,” says Amy McLaughlin, project director for CoSN’s Cybersecurity and Network and Systems Design Initiatives and executive director of technical and solutions architecture at Oregon State University. “We see as many or more successful attacks as in previous years, but we also see more schools that are successfully able to recover.”

How Atlanta Public Schools Recovered from a Cybersecurity Attack

Atlanta Public Schools brought in external forensic consultants to investigate the 2017 incident, and the outside professionals came to the same conclusion as the district’s own cyber team: The cybercriminals had stolen employee credentials through a phishing attack. The bad actors had taken extra steps to prevent being detected by creating email rules that prevented the affected employees from being notified when changes were made to their direct deposit accounts.

In the wake of the incident, the district secured a retainer with a cybersecurity firm, purchased cyber insurance, installed additional cybersecurity software and hired specialized staff. While the district already had a network operations center, the incident spurred the creation of a security operations center.

“We restructured our security team,” Aina says. “Today, we’re able to monitor not just the network side of events but also the security side, such as how many devices are not at the right patch levels and what type of unusual traffic we’re seeing.”

RELATED: Learn how automated patch management propels K–12 cybersecurity.

Initially, Atlanta Public Schools invested in a stand-alone automated threat protection tool. However, that solution became redundant when the district upgraded its Microsoft license to the A5 level, which includes Microsoft Defender for Office 365. The district also purchased a behavior analytics platform from Exabeam that includes a security information and event management tool. The district also engages with the federal Cybersecurity and Infrastructure Security Agency to perform regular scans of its network.

Aina says the attack ultimately led to the district accelerating the adoption of many of the recommendations that resulted from an in-depth cybersecurity assessment.

“The attack allowed us to get in front of senior leadership, build support across the organization and access emergency funding we didn’t have before,” he says. “That allowed us to acquire the necessary tools to accelerate our cybersecurity program.”

Why Albuquerque Schools Focused on Student Safety

When cybercriminals shut down access to the student information system at Albuquerque Public Schools in 2022, the district was forced to close its schools. They did so because educators could not ensure student safety without a process to take attendance.

Officials immediately shut down the affected network and initiated an emergency procurement for cyber forensic services, racing to get the district’s 70,000 students back to school as soon as possible.

“I received communication in the morning from some of our teachers that they were not able to log in, and I knew there had been a compromise,” says Richard Bowman, district CTO. “The top priority in the school district was to be able to log in to the platform to get access to our attendance system. My team immediately jumped on it. We did a forensic investigation on the affected computers, our log files, hard images and memory dumps. We reviewed everything.”

Thanks to the speedy response, the district was able to open school again after a long weekend. Bowman says that two backup systems were in place at the time, but one of them failed, as it had not been regularly tested. Still, the district was able to restore its student information system from snapshots of its VMware environment, which was segregated from the rest of the network and required unique login credentials.

In the wake of the incident, Albuquerque Public Schools deployed Sophos Managed Detection and Response across its environment. “We put a lot of effort into making sure it was installed on all of the computers that needed it,” Bowman says.

Bowman says the district is now also more proactive about testing its backups, staying on top of patching, training its employees to spot phishing attempts, and taking advantage of cybersecurity resources from the state and federal government.

“It’s about vulnerability management,” Bowman says. “If you have systems that have not been patched and there are exploits out there, you’re just asking for trouble.”

DIG DEEPER: Schools with small IT staffs and budgets call in backup.

Why Proactively Investing in Cybersecurity Pays Off

Leaders at Judson Independent School District in Texas have been extraordinarily transparent about a ransomware attack against the district that occurred in June 2021, just over a month after Lacey Gosch, assistant superintendent of technology, assumed her role.

“It moved very rapidly through our system,” Gosch recalls. “It took down pretty much every device across the entire network. It was automatically deleting all of our files, and we could see it happening in real time.”

The district was able to recover nearly all of its data from tape backups, but the attack turned out to be a “double extortion” incident, in which the cybercriminals threatened to publicly release the district’s data unless it paid a ransom. The information included decades of sensitive student and employee records, and the district ended up paying more than $500,000 to prevent the release.

“Our aim was to protect the data of our students, of our staff and all those that have been connected to the district,” Gosch says. “To my knowledge, the data was never released, and we really have not had any issues or concerns.”

It took more than a year for officials to notify everyone whose data was accessed, and Gosch estimates that the district’s total recovery costs were as high as $7 to $8 million.

In the wake of the incident, Judson ISD has made a number of improvements:

• Investing in an immutable backup system from Barracuda
• Deploying an endpoint detection and response solution (it now uses SentinelOne)
• Mandating multifactor authentication
• Beefing up anti-phishing training for employees

The district also banned the use of any external hard drives or thumb drives. Gosch says the attack made its way onto the network through an infected employee device, and she notes that the district’s current EDR tool would have detected it “almost immediately.”

Incidents like the one Judson ISD faced, Gosch says, highlight just how heavily K–12 districts have come to depend on technology. “It does bring to light the importance of making that investment in cybersecurity,” she says. “People don’t like to spend money on things that they can’t see, and cybersecurity is one of those things that runs in the background.”

“It is far better to invest on the front end,” Gosch adds. “An ounce of prevention will save you millions on the other side.”