Key points:
- Evolving technology offers learning opportunities, but also K12 cybersecurity threats
- See article: Reading, writing, and cybersecurity: Practicing good cyber hygiene
- See article: 4 back-to-school cybersecurity tips
- For more news on K12 cybersecurity, visit eSN’s IT Leadership page
The school bell is about to ring in another academic year, and as children pull out their lunchboxes and teachers decorate their rooms, schools continue to face an onslaught of K12 ransomware while also grappling with perpetually insufficient budgets, legacy IT, and under-staffing concerns.
The increased level of connectivity in today’s schools means richer opportunities for learning and community, but it also puts at further risk the financial data, personally identifiable information (PII) and other sensitive information that educational institutions hold.
K-12 schools received a cyber maturity score of 3.55 out of 7 from the Nationwide Cybersecurity Review (NCSR) risk-based assessment, despite the fact that many school districts are trying to strengthen their cybersecurity posture. And according to 29 percent of K–12 participants in that report, a cyber incident occurred in their district in the previous year. Malware and ransomware were two of the most prevalent occurrences. According to the report, ransomware attacks pose the greatest K12 cybersecurity risk to K–12 schools and districts in terms of overall cost and downtime.
The good news is that the federal government is taking this seriously. In early August, the Biden Administration announced a new plan focused on strengthening school district cybersecurity plans. While the elements of this plan are rolled out, school IT teams and leaders can also start to take action in another area: cyber hygiene for students. It’s never too early to start teaching children basic cyber literacy.
New rules for K12 cybersecurity
The Biden Administration’s new proposal comes on the heels of a report from the Cybersecurity & Infrastructure Security Agency (CISA), Protecting Our Future: Partnering to Safeguard K-12 Organizations from Cybersecurity, which offers guidelines for schools to help bolster defenses.
Guidelines include investing in the most impactful security measures and building toward a mature cybersecurity plan, recognizing and actively overcoming resource constraints, and focusing on collaboration and information sharing. CISA will continue to engage with federal partners, including the U.S. Department of Education, and work closely with state and local officials, school leaders, emergency management officials, nonprofits, community leaders, and the private sector to identify areas for progress and provide meaningful support that measurably reduces risk.
Other elements of the administration’s new plan include a proposed pilot program that will provide up to $200 million over three years to strengthen security in schools and libraries with the help of federal agencies, and establishing a new council to coordinate between federal, state and local leaders to help bolster cyber defenses in schools. It also calls for new resources for reporting and enlists the help of private companies to provide free and low-cost resources for school districts, including training.
It’s great to have support at this level, but it will take some time for these plans to roll out to schools. In the meantime, district leaders and IT teams can start implementing good cyber security for school districts hygiene practices right away.
Fostering good cyber hygiene for teachers and students
People don’t have to be tech geniuses to practice good cyber hygiene. Teachers and even the youngest students can be taught some basic cyber hygiene practices. For instance, a very common-sense practice is to not share passwords or any kind of PII with strangers online. Teachers and students must learn what suspicious links look like and learn not to click them, or to open unexpected attachments or download anything on their computers without approval. When students are online in the classroom, teachers can ensure that they use only approved websites and applications and get approval for certain activities.
When it’s age-appropriate, children can learn how important strong passwords are and how to create them. Best practices include:
- Create longer passwords that are personally meaningful but that don’t contain any PII. An example would be a line from an obscure song with numbers and symbols mixed in to create a password that’s at least 10 characters long. These are much harder, if not impossible, for attackers to guess.
- Use a unique password for each account.
- For all your online accounts, create one-of-a-kind, long and difficult passwords using a password manager.
Obviously, younger children, like those in kindergarten through third grade, aren’t going to be creating or using strong passwords. Educators at that level will need to be creative in how they help students at that age protect their work, but certainly by middle and high school, this will be a key part of learning.
Pre-teens and teenagers can learn to understand how to securely navigate social media. For example, it’s wise to not use social media accounts to log in to certain kinds of platforms, because those platforms then have instant access to whatever PII is available in those accounts. If there’s no other way to connect to that platform, students can create dummy accounts to use only for this purpose.
Students also need to be cautious about instant messaging services due to social engineering risks. The rule about never giving out PII applies here, especially financial information. And QR codes, though convenient, can send students to a site with malicious files waiting to be downloaded.
And for teachers and staff, from the White House to the private sector, organizations are already offering cybersecurity training for K–12 school districts. Such programs provide academics and employees with the most recent information, advice, and suggestions to help them make better decisions when faced with cyberattacks and other dangers to the school. These free training programs are already being used by many districts.
Knowledge is power–and stronger K12 cybersecurity for school districts
As long as there are school IT teams working with few human and financial resources, there will be cyber adversaries trying to take advantage and break into school networks. This requires a two-pronged approach: technology and training. Because students have network access, they need to learn how to use it safely and responsibly–IT does not bear the sole responsibility for cybersecurity.
Individual cyber hygiene plays a huge role in helping to defend the network. Training for students, teachers, and staff will help IT teams keep the bad actors out and will ultimately help create a cyber-savvier generation.
What are some K12 cybersecurity tips?
Due to budget and resource constraints, many schools and other academic organizations are only able to implement very basic K12 cybersecurity tools and processes, and this leaves them extremely vulnerable to cyberattacks.
We’ve seen this play out over the past 12 months with high-profile attacks on school districts in Los Angeles, Minneapolis and Tucson, Ariz., among many others. And, because cybercriminals can compromise school networks for big gains with very little effort, we expect k12 cybersecurity attacks will only increase.
As the new school year quickly approaches, IT and security teams face a seemingly overwhelming task: protect school networks with limited budget and personnel. The good news is that there is some cybersecurity training and basic blocking and tackling that can significantly help schools build a strong cybersecurity for schools basic training, including:
- Mandating strong passwords for cybersecurity
It’s easy to choose a simple password or to repeat passwords across accounts for memory’s sake, but the consequences of doing so can be severe. In fact, according to the FIDO (Fast Identity Online) Alliance, passwords are the root cause of more than 80 percent of data breaches. Educating students and staff about the importance of strong, hard-to-guess passwords cannot be overstated. Research shows that a 12-character password could take 27,000 years to crack and cost hackers $6.4 trillion to do so. Mandating strong passwords is a simple, cost-effective way to strengthen a school’s cybersecurity posture.
For schools that are able to take credentials management one step further, multi-factor authentication is a great option. MFA is a method of authenticating into an account that requires users to present at least two pieces of evidence to prove their identity — something they know (e.g., a password) as well as something they have (e.g., an authentication code via text or email) or something they are (e.g., facial recognition or a fingerprint scan).
- Implementing a K12 cybersecurity data backup solution.
While this will certainly be an upfront investment, it will pay dividends over the long-term. Having backups of your school’s and students’ data can be extremely beneficial for compliance and business purposes, and it can also be extremely valuable in a K12 ransomware attack – where cybercriminals access data, encrypt it and then demand schools pay a ransom to decrypt it. Many schools that don’t have a data backup solution in place pay the ransom in the hopes they’ll get their data back, but this is money out of their pocket they can’t afford to lose, and worse yet, paying the ransom does not guarantee access to the data. However, if you’re the victim of a ransomware attack and have a data backup solution in place, you can evade the ransom demand by simply falling back to the backup version.
- Taking a security-in-depth approach.
Where possible, schools should take a multi-layered approach to security, including using firewalls, anti-virus solutions, anti-malware software, and encryption. Cybercriminals don’t want to work hard to infiltrate a target, so security-in-depth is an impactful deterrent that can help fend off today’s sophisticated hackers.
Prioritizing cybersecurity training awareness
Students and staff are the first line of defense in network security, and they can’t do their part if they aren’t aware of the threats facing them or the actions to take if they suspect they are a victim of an attack. IT and K12 cybersecurity teams need to make them part of cybersecurity efforts by offering ongoing cybersecurity awareness and training. The best way to get them to pay attention and remember what they learn is to offer short, engaging training sessions on a regular basis, rather than long, drawn-out presentations once a year.
All this said, we’re living in a world where it’s no longer a matter of if a school gets attacked, but when. In this reality, it’s so important that schools have an incident response plan in place, so they know how to react following a successful incident and can do so quickly. Communicating to affected families should be a big part of this plan. Timeliness and transparency are key following an attack. Victims need to know the nature of the attack, what data was compromised, what the school is doing to remediate the problem, and the steps they should take to protect their personal information. From an internal perspective, schools need to take the incident as a learning opportunity – identifying what went wrong, so they can put the right people, processes and technologies in place to prevent a similar K12 ransomware attack from happening again.
The bottom line is schools can suffer severe consequences from a cyberattack, including disrupted instruction, impaired operations, financial losses to address the incident, and the exposure of stakeholders’ personal information. By focusing on achievable cybersecurity basics, schools can fight back by building a solid security and resilience foundation that can help them defend against cybercriminals to keep their teachers, administrators, students and families safe.
Why are schools being cyber attacked?
Strengthening K12 cybersecurity measures and optimizing attack preparation, along with good security hygiene, can help education organizations avoid ransomware attacks
Education reported the highest rate of K12 ransomware attacks in 2022, and over the past year, 79 percent of higher-ed organizations surveyed reported being hit by ransomware, while 80 percent of K-12 organizations surveyed were targeted—an increase from 64 percent and 56 percent in 2021, respectively.
These statistics come from The State of Ransomware in Education 2023, a report from cybersecurity provider Sophos.
Additionally, the education sector reported one of the highest rates of ransom payments, with more than half (56 percent) of higher-ed organizations paying and nearly half (47 percent) of K-12 educational organizations paying the ransom. However, paying the ransom significantly increased recovery costs for both higher-ed and K-12 educational organizations. Recovery costs (excluding any ransoms paid) for higher-ed organizations that paid the ransom were $1.31 million when paying the ransom versus $980,000 when using backups. For K-12 educational organizations, the average recovery costs were $2.18 million when paying the ransom versus $1.37 million when not paying.
Paying the ransom also lengthened recovery times for victims. For higher-ed organizations, 79 percent of those that used backups recovered within a month, while only 63 percent of those that paid the ransom recovered within the same timeframe. For K-12 educational organizations, 63 percent of those that used backups recovered within a month versus just 59 percent of those that paid the ransom.
“While most schools are not cash-rich, they are very highly visible targets with immediate widespread impact in their communities. The pressure to keep the doors open and respond to calls from parents to ‘do something’ likely leads to pressure to solve the problem as quickly as possible without regard for cost. Unfortunately, the data doesn’t support that paying ransoms resolves these attacks more quickly, but it is likely a factor in victim selection for the criminals,” said Chester Wisniewski, field CTO, Sophos.
For the education sector, the root causes of K12 ransomware attacks were similar to those across all sectors, but there was a significantly greater number of K12 ransomware attacks involving compromised credentials for both higher-ed and K-12 educational organizations (37 percent and 36 percent respectively versus 29 percent for the cross-sector average).
Additional key findings from the report include:
- Exploits and compromised credentials accounted for more than three-fourths (77 percent) of ransomware attacks against higher-ed organizations; these root causes accounted for more than two-thirds (65 percent) of attacks against K-12 educational organizations
- The rate of encryption stayed about the same for higher-ed organizations (74 percent in 2021 versus 73 percent in 2022), but increased from 72 percent to 81 percent across K-12 educational organizations during the past year
- Higher-ed organizations reported a lower rate of using backups than the cross-sector average (63 percent versus 70 percent). This is the third lowest rate of backup use across all sectors. K-12 educational organizations, on the other hand, had a slightly higher rate of using backups than the global average (73 percent)
“Abuse of stolen credentials is common across sectors for ransomware criminals, but the lack of adoption of multifactor authentication (MFA) technology in the education sector makes them even more at risk of this method of compromise. Like the U.S. federal government’s initiative to mandate all agencies use MFA, it is time for schools of all sizes to employ MFA for faculty, staff and students. It sets a good example and is a simple way to avoid many of these attacks from getting in the door,” said Wisniewski.
Sophos recommends the following best practices to help defend against ransomware and other cyberattacks:
- Strengthen defensive shields with:
- Security tools that defend against the most common attack vectors, including endpoint protection with strong anti-exploit capabilities to prevent exploitation of vulnerabilities, and Zero Trust Network Access (ZTNA) to thwart the abuse of compromised credentials
- Adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond
- 24/7 threat detection, investigation and response, whether delivered in-house or by a specialist Managed Detection and Response (MDR) provider
- Optimize attack preparation, including making regular backups, practicing recovering data from backups and maintaining an up-to-date incident response plan
- Maintain good security hygiene, including timely patching and regularly reviewing security tool configurations
Do schools need K12 cybersecurity?
As COVID-19 swept the nation beginning in 2019, no one knew just how life-altering the pivot to remote work and education would be. Today, we see more and more students and employees alike who are relying on technology to engage with their work and peers than ever before. As with holidays and other unanticipated events, this pivot drew in some of the biggest minds in security who worked to eliminate K12 cybersecurity challenges stemming from this change – but it also drew in hackers.
Shoring up cybersecurity for schools practices is quite the feat. User authorization is extremely challenging, as IT professionals must navigate through different levels of access for each user community. This creates even higher risks because networks must be open to employees, students, and others – an issue most businesses don’t need to manage.
Another major cybersecurity for schools challenge we see frequently with education is outdated technology. Like healthcare, we see devices that need to connect to the network — but the old software poses risks, such as a lack of updated security protocols. This creates vulnerabilities that are ideal for threat actors, many of which are looking for an easy fix they can exploit. Media devices that can be connected to computers–thumb drives, external hard drives, CDs, DVDs–also pose a challenge to MSPs/MSSPs providing cybersecurity to their clients.
As frequently as we see these attacks in the news, not much is changing in terms of recovery time or preparation. As the number of breaches rise, the Government Accountability Office (GAO) found that recovery from these attacks ranges from two to nine months. As educational professionals and MSPs battle singular hackers, sophisticated foreign governments, and crime syndicates to protect employee and student data, it begs the question: What can really be done with this information?
Upon gaining access to critical data, cybercriminals can leverage this sensitive information for an array of attacks, such as:
- Phishing scams: Using a fraudulent solicitation over email or website.
- Ransomware attacks: Malicious software that blocks access to computer or data systems with a fee to restore access.
- Distributed Denial of Service (DDoS): Overwhelms websites, servers, and computers with massive and ongoing attacks to prevent authorized users from accessing networks and system.
- Zoom bombing: Perpetrators disrupt video conferences with pornographic or hate/threating language.
The financial breakdown of cybersecurity for school districts
The complexities that come with protecting schools and their stakeholders from threats are vast, and implementing cyber policies comes with additional challenges.
Readiness and Emergency Management for Schools (REMS) advises schools and school districts that things like filtering and blocking applications – such as firewalls, encryption, and anti-virus/anti-malware systems – are an important part of that equation.
However, one of the biggest barriers to this is money. It’s no secret that schools don’t have the means to incorporate major cybersecurity changes into their budget, especially not on a recurring basis. K-12 respondents to the Nationwide Cybersecurity Review (NCSR) reported a lack of money as their top challenge, with nearly one-fifth of schools investing less than one percent of their overall IT budget on K12 cybersecurity.
That said, the cost of a cyber breach is also hefty. Between recovery time and navigating stolen data, schools may end up spending the same amount in their journey to recovering from an attack as they would to prevent them. As the average cost of a data breach in the U.S. hit $9.4 million in 2022, according to IBM, administrators need to leverage security solutions to minimize their exposure. This means that MSPs need to advise and offer more robust and sustainable cyber defenses to protect these institutions.
Lesson planning: How to minimize cybersecurity for schools
Planning is a big part of a successful cybersecurity program. With infrastructure being a major concern for IT teams and administrators – especially with an array of devices and operating systems. Universities have huge networks that make it easier for hackers to exploit. Last year, a ransomware group targeted Florida International University with its 48,000 students and swiped personal information that exposed accounting documents, social security numbers, and other sensitive data.
It’s also crucial to understand what is at stake. Schools don’t only have access to academic records. Things like medical records or other sensitive personal information could quickly be accessed and used by threat actors in a matter of minutes. In fact, a class action lawsuit has been filed over an alleged UC San Diego data breach in 2021 in which hackers gained access to 500,000 employee email accounts revealing lab results, diagnoses, and medical records. The lawsuit also names the Regents of the University of California, demonstrating the scope of liability for poor cybersecurity standards.
All of these risks help to clarify just what’s at stake if cybersecurity isn’t made a priority in the education industry. This is a prime time for MSPs to help leaders in the education space to implement a strong K12 cybersecurity strategy. Opportunities to limit the data employees can access is a good start. Encouraging strong cyber hygiene and offering phishing training would also help from a user perspective. Most of all, however, is modernizing network security with backup systems and integrated protection.
What is the biggest cybersecurity for school districts and how do you fix it?
In early September, the Cybersecurity and Infrastructure Security Agency (CISA) announced a voluntary pledge for K12 education technology software manufacturers to commit to designing products with a greater focus on security. In the announcement, CISA mentioned that six leaders in the education software industry had already committed to the pledge: PowerSchool, ClassLink, Clever, GG4L, Instructure, and D2L.
“We need to address K12 cybersecurity issues at its foundation by ensuring schools and administrators have access to technology and software that is safe and secure right out of the box,” said CISA director Jen Easterly. “I want to thank ClassLink, Clever, D2L, GG4L, Instructure, and PowerSchool, who have already signed this pledge and for their leadership in this area. We need all K-12 software manufacturers to help us improve cybersecurity for the education sector by committing to prioritize security as a critical element of product development.”
CISA’s principles for K12 cybersecurity
This action brings a spotlight to the ongoing issue of K12 cybersecurity. CISA’s goal is to persuade more K12 software and hardware manufacturers to commit to its pledge. Signing the pledge demonstrates that the manufacturer is committing to three principles:
- Taking ownership of customer security outcomes: Includes offering Single Sign On (SSO) and security audit logs and no extra charge.
- Embracing radical transparency and accountability: Includes publishing a secure by design roadmap, a vulnerability disclosure policy and security-relevant statistics and trends.
- Leading from the top by making secure technology a key priority for company leadership: Includes naming a C-level leader at the company who is charged with overseeing security.
What does secure by design mean?
In typical software design and manufacturing, the focus is on the product’s reason for being. For example, the developers of reading improvement software are focused on building a product that delivers measurable improvements to student reading speed and comprehension. The security of the software and its user data are an afterthought. Any security considerations are made late in the development process or bolted on afterward.
In contrast, a secure by design approach means that developers bake security into the design of the product from the beginning. This has proven to be a much more effective approach to protecting software than trying to patch security holes after the fact. Secure by design was popularized by the European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018. Today, this is a more common approach to software design, but it is relatively new to K12 education.
Today’s ongoing K12 cybersecurity threats
While the K12 education industry strives for improved protection in its schools, fresh examples of security holes continue to appear on a regular basis. Most recently, Prince George’s County Public Schools was the victim of a ransomware attack on August 14 that impacted about 4,500 user accounts, mostly staff, according to the district. Cybersecurity breaches such as this can have a detrimental impact on K12 schools, threatening both reputation and financial well-being.
Unfortunately, successful ransomware attacks can hinge on exploiting a single vulnerability hidden among the dozens of software applications running in most school districts. By following CISA’s guidance and committing to a secure by design approach to software development, developers can further reduce potential vulnerabilities and keep staff and student data more secure.
