As the school year wound down and summer vacations began, educational institutions said goodbye to one of the most challenging years in recent memory. COVID-19 meant shutting down classrooms and shifting to online learning. But the transition wasn't all smooth sailing, and it came with a new set of unique challenges.
As students and teachers swapped their pens and paper for virtual blackboards and Zoom calls, laptops flocked off the shelves and became a scarce commodity. Underfunded school districts were further challenged with delayed COVID relief funds to purchase laptops for students and faculty, causing many to rely on their own personal devices at home.
Yet personal computers do not have the same protection as IT-managed devices to keep information safe, making them inherently vulnerable to cyber threats. On top of this, IT departments faced limited resources, time, and budget to invest in cybersecurity measures. Schools lacked the ability to identify malicious behavior, all contributing to an unprecedented surge of cybercrime in the sector.
The New Age of Ransomware
As the headlines showed, ransomware plagued the education sector this year as schools grappled with the disruption of COVID-19. According to the FBI, schools became one of the more prominent targets, with 57% of all reported ransomware attacks in August and September 2020 targeting K–12 institutions.
Ransomware attacks on the Clark County School District and other school systems made it clear that hackers weren't afraid to up the ante; releasing social security numbers, student grades, and other sensitive information when the ransom wasn't paid. Schools such as the Gadsden Independent School District were even targeted with the same strain of ransomware twice within the year, causing a shutdown of 24 school sites.
As long as educational institutions continue operating digitally, we can expect hackers to be at their heels. We also know that online learning is not going away anytime soon, with some school districts like the New York City public school system announcing that instead of snow days this coming winter, students and teachers will conduct classes virtually. Hybrid learning will also be a likely option next year until students of all ages are able to get vaccinated.
With the average total cost of recovery from a ransomware attack having doubled in a year to $1.85 million and the alarming trend of releasing data when ransoms aren't paid, strengthening a school's security posture should be at the top of their to-do list.
Cybersecurity Training: Your First Line of Defense
Cybersecurity awareness is an integral component to combating ransomware, and it doesn't need to break the bank. As 98% of cyberattacks rely on social engineering, investments in training and reinforcements are critical to minimizing attack surfaces.
Below are six steps for schools looking to increase cybersecurity awareness come back-to-school season:
- Make it a summer requirement: Don't wait to assign training until school reopens. Just as students have summer reading assignments, require entry-level training courses to be completed before school starts. Come the first week of school, everyone will feel more prepared.
- Make it a team effort: Cybersecurity training should be geared toward the school environment and involve everyone, from the superintendent to students and parents. However, training can't be a "check-the-box" activity. Understand that everyone learns differently, so the more learning styles one can accommodate, the better.
- Create a cybersecurity checklist: Having a checklist of things to be on the lookout for, along with some examples of how to spot malicious activity, is a great way to start boosting cybersecurity awareness. Post the checklist on the school's online learning management platform such as Blackboard or Google Classroom so that it's visible to everyone.
- Practice makes perfect: While some may disagree, testing faculty, students, and parents with simulated attacks can help them be on the lookout for risks. This will give schools a better picture of who needs more cybersecurity training, and it will be valuable for those who need more tangible examples to learn. But simulation alone won't work. Recognize participants when they report the phish, even when it is your own test. This will encourage continued reporting.
- Invest in your people: Practice won't make perfect unless a sustainable reporting and training system is put into place. And this can't happen without some people investments. Identify an individual from the IT team to be responsible for creating and managing this program; that way there will be a designated person in charge of organizing and administering practice tests and responding to reports in a timely manner.
- Stay informed: A monthly cybersecurity newsletter is a great way to keep the school community engaged. Outline the latest threats and best practices on how to stay cyber resilient, and to encourage participation, post a quiz link with a small prize.
Ransomware is a persistent and critical threat that will remain a problem for years or decades to come. While no system is perfect, school districts need to start preparing now for when, not if, they experience an attack. While there isn't one foolproof solution to this troubling problem, cybersecurity education is a good starting point to building a more resilient organization. The more time invested preventatively, the better the ability to combat threats and lessen the extent or impact of an attack.