The Cybersecurity Threats that Keep K-12 CIOs Up at Night


This article was originally published on EdTechMagazine.

Schools are not safe from cybersecurity threats. Consider this:

  • There have been 712 publicly disclosed cybersecurity-related incidents involving U.S. public schools since 2016, according to the K–12 Cyber Incident Map.
  • In 2018 alone, 122 incidents affected 119 public K–12 education agencies, a rate of about one new publicly reported incident every three days of the calendar year, according to The K–12 Cybersecurity Resource Center, which researches education, technology and public policy issues.

“Based on anecdotal information, I would not be surprised if more incidents than the 712 reported actually occurred,” says Douglas Levin, president and founder of EdTech Strategies. “What’s most concerning is that schools don’t just get caught up in online scams by happenstance because criminals are trying to hit everyone, but that they are being specifically targeted.”

Ransomware, phishing and distributed denial of service attacks tend to be the main assaults perpetrated by outside hackers. But students also may contribute to the problem.

“These curious kids can cause disruption to networks and systems, access private data without authorization and generally cause havoc for the district tech staff,” says Ryan Cloutier, principal security architect at the government public services cooperative Sourcewell Technology.

The impact of such attacks can be dramatic. A ransomware strike can take school systems down for weeks, and data can be lost if a school refuses to pay the ransom and doesn’t have good backup systems in place.

The consequences of successful phishing attacks can be even more devastating. Levin paints this scenario: A hacker plans an attack knowing that a school construction project is underway, targeting either the school district office or the contractor. This leads to the disclosure of confidential information and opens the door for the hacker to change the contractor’s bank account routing number so that a payment for an invoice is diverted to an account created by the criminal.

“They could be scammed out of over a million dollars,” says Levin. “If those criminals transfer that money overseas, there’s little recourse available to the school district.” Things could get even worse if teachers’ or students’ private information is stolen. The K–12 Cybersecurity Resource Center’s 2018 "The State of K–12 Cybersecurity Year in Review" report says that student data was included in more than 60 percent of K–12 data breaches in 2018, and that 46 percent of all K–12 digital data breaches included data about current and former school staff, such as payroll or other personnel records.

Stolen W2 data means that criminals can file false tax returns in the names of the students, faculty or staff whose information they stole.

When it comes to the kids, “the younger a student is, the more their information is worth on the dark web,” says Greg Stockstill, director of technology services at the Region 16 Education Service Center, one of 20 public agencies that support schools in the Texas Panhandle and also the cybersecurity state lead for 12 state ESCs. “It could be 12 years of someone using that identity before anyone knows that it was stolen.”

District technology leaders recently have become more aware their schools may become victims. But generally speaking, it’s difficult for IT decision-makers to be as engaged on this front as they’d like to be. For one thing, budgets are often limited, and the thinking tends to be that IT costs a district money without yielding big ROI, says Stockstill. It’s hard to make a business case that better security leads to better test scores, for instance. Security tools can be very expensive as well, Cloutier points out, and complicated to use. “Making the ability to identify, detect, respond to and recover from cybersecurity events in a timely fashion is very difficult for the average school,” he says.

Volume and variety add to the struggle. “K–12 IT leaders have gone from managing a couple of operating systems, a handful of apps and a few hundred devices to managing hundreds of versions of operating systems, apps, extensions and thousands of devices,” says Josh Mayfield, director of security strategy at endpoint security technology vendor Absolute. That increases the footprint and adds to the complexity of software and systems that must be secured. “It’s not surprising that schools simply don’t have the bandwidth to be as prepared as they should be for an inevitable cybersecurity incident,” he says. Additionally, while school districts may have IT staffers who are experts in networking, server management and other general tech functions, those individuals don’t necessarily have the skill sets to shore up information security.

That said, it’s important that district IT leaders take whatever steps they can to be prepared. Stockstill says that ESC16 was able to spread the cost of hiring a cybersecurity specialist across 45 of the school districts it serves, for instance. Two-factor or multifactor authentication are effective defenses against phishing and unauthorized access, Levin says, though rollouts can be slow.

Of course, there’s the option to buy cybersecurity insurance, but it’s important to understand just what the policy’s requirements are, says Cloutier. “You may be required to notify and work with the experts the insurance provider chooses,” he says.

The IT basics of visibility, control and resilience need to be operating effectively, Mayfield says, so that it’s easier to ensure security control. “You can ensure your internet safety policies are being adhered to and set controls to be alerted of suspicious activity or noncompliant devices,” he says. “For example, you can detect and uninstall unauthorized apps like rogue VPNs. You can also use geofencing to put limits on the geographical area of the devices and use theft reporting to cut down on device drift and loss.”

It won’t cost much to build awareness of cybersecurity threats and provide training to staff and students on how to help prevent incidents. That’s a clear must.

“Everyone needs to be aware of their roles in safe online practices,” Levin says.

Responding to Cybersecurity Events

When an event does take place, the No. 1 thing to focus on is containment of the incident to prevent further spread to other computers or systems, says Cloutier. “Do your best to isolate or offline the affected systems. You may also need to activate your disaster recovery plan.”

Levin advises that schools don’t try to sweep an incident under the rug. He’s seen one California school district drop the announcement of a massive breach, which had occurred in the fall, the Friday evening before a winter break. This only led to parents being up in arms about being kept in the dark, and the national news media descended on the scene. An event like that shows it’s critical to have a plan covering how to respond to an attack before one occurs, and the entire administration — from the top down — has to be involved in creating it.

Levin mentions a Michigan school district that was prepared for a potential event. When an event did occur, it got ahead of angry parents and bad press by announcing the incident quickly. A video message from the superintendent explained the issue and what it planned to do to make sure it didn’t happen again, and a hotline was set up to provide resources and information about the actions that the affected could use to mitigate the damage. That disclosure approach may seem counterintuitive to a risk-averse school district, “but information dribbling out over time lets people imagine much worse things,” he says.

IT leaders should support each other by sharing information about events that occur at their schools with other school district IT leaders. “We’ve seen very clearly that when an attack is successful against one school district, it gets repeated against other school districts,” Levin says.

There are other resources school districts can take advantage of.

The Multi-State Information Sharing and Analysis Center was set up to help state and local governments, including school districts, coordinate cybersecurity information sharing. The Consortium for School Networking provides school system technology leaders with tools and information about how to reduce cybersecurity risks.

While school IT leaders may not be able to put cybersecurity threats completely out of their minds, with modern solutions and security tools, they can at least be prepared to deal with an inevitable attack.