Since the onset of the pandemic, cyberattacks on schools and educational institutions have skyrocketed. In fact, K12 Security Information Exchange, a Virginia-based nonprofit that helps schools defend against cybersecurity risk, tracked more than 1,200 cybersecurity incidents since 2016 in US public school districts, consisting of ransomware attacks, grading system breaches, and child stalkers.
Students, teachers, and parents are increasingly reliant on technology to execute virtual learning. Tech plays a role in everything from personal student information to attendance and grading records. This sensitive data is more vulnerable to breaches, demanding that educational institutions get serious about bolstering their cybersecurity strategies.
Most public schools are exactly known for having robust budgets. While many educational institutions lack the funds for a full-scale cybersecurity plan or full-time IT staff, there are things that can be done to ensure that devices managed by schools are kept safe and secure. To protect a school, it's important to understand why and how cybercriminals target schools, and to train students and employees in best practices for ensuring that school-managed devices are used properly and securely.
Why Do Attackers Target Schools?
Compared with the financial stakes of corporations and critical identification information housed within government agencies, it seems odd that a hacker would target public schools. But it turns out that there is more to be stolen than just lunch money.
The fact is that K-12 schools possess loads of data, especially since schools turned to remote learning. In the last three years, schools handed out millions of digital devices and mobile hotspots to students and employees. These devices are used to access an increasingly large portfolio of online programs and apps for instruction. Without proper policies or device management systems in place, students have unfettered access to the Internet and the dangers within it. Not only are hackers finding their own way in, but user-initiated risk is also a concern. With increased entry points, hackers have myriad opportunities to uncover important data that helps facilitate identity theft. Personal information such as children's Social Security numbers is exposed through a cyberattack on a school, creating a very real problem for those too young to protect themselves.
It turns out that cybercriminals know about school funding problems too. Armed with the assumption that a K-12 school doesn't have the budget to implement and maintain a sophisticated cybersecurity system, hackers find themselves with a roster of easy targets. Not even higher education institutions are immune to cyberattacks. In fact, a university or college's high tuition costs are actually a motivator. In these cases, cybercriminals can take a university's website hostage in order to receive payments.
While educational institutions might offer the best in higher learning, the level of security systems put in place can vary. Without basic training, students and teachers are especially unaware of the tactics used by cybercriminals to obtain information.
Additionally, the sustained use of legacy infrastructure combined with the use of unprotected personal devices can also make an institution more susceptible to bugs and data breaches.
Common Ways Schools Are Being Targeted
Douglas Levin, national director at K12 Information Exchange, found in his research that schools are typically targeted in four major ways.
First, through ransomware. This malicious software can publish or block access to data or a computer system until the victim meets the cybercriminal's demands. Second, victims experience denial-of-service (DoS) attacks in which a cybercriminal interrupts services indefinitely and makes a network or device unavailable for use.
Third on the list is a classic DoS attack: zoombombing. This cyberattack in which an uninvited perpetrator hijacks a Zoom meeting occurred frequently during the pandemic, and became a disruption to learning. It's a concrete example of how modern education needs to evolve to achieve modern security, and a simple fix such as requiring a password to enter a Zoom meeting can help combat such disruptions. Finally, schools are often victims of phishing cyberattacks, in which the cybercriminal has the ability to steal user data like logins, personal addresses, and grading information.
How Schools Can Protect Themselves
School IT teams can bolster cybersecurity with these steps:
- Increase cybersecurity awareness through regular cybersecurity training and awareness campaigns. As students, parents, administrators, and teachers all face different cyber threats, it's essential that these training sessions are relevant to everyone in the system who has access to the school's network and devices.
- Practice good security hygiene for devices. This includes updating software to the most current edition, backing up files, deleting redundant files, and uninstalling unwanted applications. Beyond the device, ensure websites are password protected, infrastructure is locked down, and default passwords are updated.
- Do regular checkups on your inventory of assets. Compare and contrast how your current systems stack up against recommended cyber frameworks, keep a watchful eye on your inventory of assets, and invest in extra protections for legacy systems that are unable to be updated.
- Inspect network traffic and Internet use. Don't allow users with school-issued devices to have free rein of the Internet. Restrict access to illegal or potentially malicious sites that don't meet safe Internet standards. Help your institution zero in on cybersecurity pain points to prioritize spending efforts when the budget is limited.
- Prevent unauthorized devices from operating on your networks. This is best done by restricting administrative access and applying endpoint protection to all school-provided devices. Only IT departments should have administrative capabilities.
- Make your cyber policy easily accessible. Ensure that all faculty, students, and parents are aware of the existing cyber policy, and where they can easily access it to reference. Provide security training sessions to help everyone understand the cyber policy details.
It's clear that educational institutions are at a higher risk for cyberattacks due to a lack of training and resources dedicated to cybersecurity. But savvy schools can keep their students and employees safer by understanding how attackers target schools, spreading cybersecurity awareness, and taking additional proactive steps to safeguard devices and systems.