Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
11:30 AM
Drew Daniels
Drew Daniels
Connect Directly
E-Mail vvv

School's Out for Summer, but Don't Close the Book on Cybersecurity Training

Strengthening their security posture should be at the top of school IT departments' summer to-do list.

As the school year wound down and summer vacations began, educational institutions said goodbye to one of the most challenging years in recent memory. COVID-19 meant shutting down classrooms and shifting to online learning. But the transition wasn't all smooth sailing, and it came with a new set of unique challenges.

Related Content:

5 Key Steps Schools Can Take to Defend Against Cyber Threats

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Is an Attacker Living Off Your Land?

As students and teachers swapped their pens and paper for virtual blackboards and Zoom calls, laptops flocked off the shelves and became a scarce commodity. Underfunded school districts were further challenged with delayed COVID relief funds to purchase laptops for students and faculty, causing many to rely on their own personal devices at home.

Yet personal computers do not have the same protection as IT-managed devices to keep information safe, making them inherently vulnerable to cyber threats. On top of this, IT departments faced limited resources, time, and budget to invest in cybersecurity measures. Schools lacked the ability to identify malicious behavior, all contributing to an unprecedented surge of cybercrime in the sector.

The New Age of Ransomware
As the headlines showed, ransomware plagued the education sector this year as schools grappled with the disruption of COVID-19. According to the FBI, schools became one of the more prominent targets, with 57% of all reported ransomware attacks in August and September 2020 targeting K–12 institutions.

Ransomware attacks on the Clark County School District and other school systems made it clear that hackers weren't afraid to up the ante; releasing social security numbers, student grades, and other sensitive information when the ransom wasn't paid. Schools such as the Gadsden Independent School District were even targeted with the same strain of ransomware twice within the year, causing a shutdown of 24 school sites.

As long as educational institutions continue operating digitally, we can expect hackers to be at their heels. We also know that online learning is not going away anytime soon, with some school districts like the New York City public school system announcing that instead of snow days this coming winter, students and teachers will conduct classes virtually. Hybrid learning will also be a likely option next year until students of all ages are able to get vaccinated.

With the average total cost of recovery from a ransomware attack having doubled in a year to $1.85 million and the alarming trend of releasing data when ransoms aren't paid, strengthening a school's security posture should be at the top of their to-do list.

Cybersecurity Training: Your First Line of Defense
Cybersecurity awareness is an integral component to combating ransomware, and it doesn't need to break the bank. As 98% of cyberattacks rely on social engineering, investments in training and reinforcements are critical to minimizing attack surfaces.

Below are six steps for schools looking to increase cybersecurity awareness come back-to-school season:

  • Make it a summer requirement: Don't wait to assign training until school reopens. Just as students have summer reading assignments, require entry-level training courses to be completed before school starts. Come the first week of school, everyone will feel more prepared.

  • Make it a team effort: Cybersecurity training should be geared toward the school environment and involve everyone, from the superintendent to students and parents. However, training can't be a "check-the-box" activity. Understand that everyone learns differently, so the more learning styles one can accommodate, the better.

  • Create a cybersecurity checklist: Having a checklist of things to be on the lookout for, along with some examples of how to spot malicious activity, is a great way to start boosting cybersecurity awareness. Post the checklist on the school's online learning management platform such as Blackboard or Google Classroom so that it's visible to everyone.

  • Practice makes perfect: While some may disagree, testing faculty, students, and parents with simulated attacks can help them be on the lookout for risks. This will give schools a better picture of who needs more cybersecurity training, and it will be valuable for those who need more tangible examples to learn. But simulation alone won't work. Recognize participants when they report the phish, even when it is your own test. This will encourage continued reporting.

  • Invest in your people: Practice won't make perfect unless a sustainable reporting and training system is put into place. And this can't happen without some people investments. Identify an individual from the IT team to be responsible for creating and managing this program; that way there will be a designated person in charge of organizing and administering practice tests and responding to reports in a timely manner.

  • Stay informed: A monthly cybersecurity newsletter is a great way to keep the school community engaged. Outline the latest threats and best practices on how to stay cyber resilient, and to encourage participation, post a quiz link with a small prize.

Ransomware is a persistent and critical threat that will remain a problem for years or decades to come. While no system is perfect, school districts need to start preparing now for when, not if, they experience an attack. While there isn't one foolproof solution to this troubling problem, cybersecurity education is a good starting point to building a more resilient organization. The more time invested preventatively, the better the ability to combat threats and lessen the extent or impact of an attack.

Drew brings a passion for helping companies scale global operations, implementing robust security protocols, and more than 20 years of experience. At Druva, Drew focuses his time on efficient operations processes, identifying security risks, and leading the technical ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...