Key points:

• Cyberattacks can impact schools and students long after an initial breach
• Rising ransomware attacks on education demand defense readiness
• K-12 cybersecurity threats to your school can be lowered–here’s how
• For more news on cybersecurity, visit eSN’s IT Leadership page

Identity theft and data breaches are on the rise and K-12 schools are one of the biggest targets. In fact, from 2016 through 2022, there have been more than 1,600 publicly reported cybersecurity-related incidents at K-12 public schools, affecting millions of current and former students. And now in 2024, it’s reaching a crisis point. Exposure of private information can have long-term impacts for not only schools, but for the students they serve. 

It’s why the nation is now taking a closer look at data vulnerabilities in K-12 schools. In late 2023, the Federal Communications Commission proposed a $200 million program to gather data on schools’ cybersecurity and firewalls, to examine how we can best protect students, teachers and schools. It’s largely in response to the recent influx of ransomware gangs targeting K-12 schools. As cyberattacks against schools continue to increase in severity, schools must take it upon themselves to implement extra protections against online threats. 

When students’ personal information is compromised, it can lead to emotional and financial harm for years to come. Schools manage a slew of personal data, from health and psychiatric records to academic test scores to even social security numbers. For school districts, financial losses from cyberattacks can be in the millions, according to the U.S. Government Accountability Office. These costs may include replacing computer hardware or enhancing cybersecurity protections, not to mention the burden and risk of identity theft. Yet, the majority of school districts do not have a single staff member solely dedicated to cybersecurity. 

While new cybersecurity measures and modernization projects are taking place at the national level, more tangible action must be taken to combat these rising risks for schools in California. What else can be done to address these rampant cybersecurity attacks at the school level?  

With a new year upon us, here are proactive steps you can take today to protect yourself or your school community against systemic cybersecurity threats in 2024: 

Multifactor authentication. The process of Multifactor Authentication (MFA) helps prove you are who you say you are by prompting the user to enter a second factor to verify your identity when signing in to a device. Because usernames and passwords can be easy to discover, implementing MFA makes it more challenging for a threat to gain access to student, staff, or your school’s information. 
 
Train staff. Attacks are often socially engineered. That means staff must know how to identify and respond to these threats. Protecting against phone-based, email-based, and SMS-based scams through regularly scheduled training for staff helps ensure they have the language and tools needed, such as phishing campaigns. Required training will help your school community not only identify cyberthreats but share actionable guidance on what to do if any information at your school is compromised. And according to experts, it would behoove districts to participate in programs that would protect against online attackers who are specifically targeting schools. 

Protect student, teacher and staff identities. Restricting administrative access to only those who need it can help keep devices and personal information protected, since users with administrative privileges can often bypass critical security settings and access sensitive information. This can be done by validating which staff members are required and authorized to carry out those tasks as part of their duties. End-to-end encryption (e2ee) can also help ensure no one but the sender and the recipient can read sensitive communications. 

Practice continuous improvement. Regularly patching and updating systems is one of the most important cybersecurity procedures to protect against known vulnerabilities as well as provide new features. Lastly, enact policies to regularly back up your data or material in different places or mediums (e.g. separate servers). Archiving or deleting sensitive information, in alignment with your record retention policies, can help keep information secure. 

The scale and number of attacks escalated the last few years as more schools relied on technology for instructional delivery and operations. In an increased digital age, cyberattacks will only become more hazardous for students and their school communities. Looking ahead to 2024, it has never been more important for school leaders to prioritize cyber insurance, education and security.  
 

Key points:

• Administrators say cybersecurity should be collaborative
• Rising ransomware attacks on education demand defense readiness
• Reducing K-12 cybersecurity threats to your school
• For more news on cybersecurity, visit eSN’s IT Leadership page

One in 3 school districts ranked lack of dedicated cybersecurity personnel as their top challenge in safeguarding schools, according to Cybersecure 2024, an annual survey from Clever that polls school administrators and offers an in-depth look at the state of cybersecurity across the U.S. K-12 landscape.

The survey of over 800 administrators, conducted in fall of 2023, illuminates the challenges and opportunities for schools in strengthening cybersecurity.

The results are in line with similar findings from CoSN that many district leaders lack sufficient cybersecurity resources and face budget constraints. In fact, 50 percent of districts also reported wanting to spend more on cybersecurity than they currently do, underscoring the growing need for investments and preparation. This need is evidenced by one district’s experience with a major ransomware attack:

“Our collaborative stance on cybersecurity was strengthened by experiencing a major ransomware attack, said Christy Fisher, chief technology officer with Norman Public Schools. “It emphasized the need for cybersecurity insurance and the critical role of cross-departmental cooperation in negotiating and understanding the financial aspects of cyber risk.”

Moreover, while 96 percent of administrators reported cybersecurity as something that should be a collaborative effort, only 17 percent reported their strategies truly reflect this team-based approach. As evidenced by these findings, cybersecurity must involve all staff – from IT staff to individual employees –  in awareness, training and prevention efforts to create a culture of shared data/system protection responsibility.

Other key findings from the report, which features perspectives from more than 800 administrators, include:

• Growing cybersecurity threats: Phishing and ransomware are identified as the biggest threats, with 80 percent of administrators concerned about phishing attacks.
• New cybersecurity tools: 89 percent of districts want to adopt new tech tools to enhance protection, with a focus on identity and access management systems, data encryption, and zero-trust security models.
• Increasing vendor scrutiny: Half of U.S. districts have updated vendor security criteria in the past 2 years; 55 percent are planning more changes in the year ahead.

The report also provides practical recommendations for districts, including emphasizing user-friendly cybersecurity tools, establishing clear criteria for evaluating and selecting edtech vendors and partners, and mobilizing mindshare around cybersecurity by training all staff roles.

In response to the report findings, Trish Sparks, CEO of Clever, underscored the people-first aspect of cybersecurity: “It’s not just about technology — it’s about people too. To keep schools safe, everyone involved—tech providers, admins, and teachers—needs to know cybersecurity best practices. Tools like MFA must be easy to use, making it more likely for everyone to use them and keep schools secure.”

This press release originally appeared online.

Key points:

• Ransomware disrupts learning—but vetted cybersecurity practices can help
• See article: Fixing the K-12 cybersecurity problem
• See article: How to keep hackers off your school attendance list
• For more news on ransomware, visit eSN’s Cybersecurity page

Ransomware attacks continue to wreak havoc on the education sector, hitting 80 percent of lower education providers and 79 percent of higher education providers this year. That’s a significant increase from 56 percent and 64 percent in 2022, respectively.

As “target rich, cyber poor” institutions, schools store massive amounts of sensitive data, from intellectual property to the personal information of students and faculty. Outdated software, limited IT resources and other security weaknesses further heighten their risk exposure. In a ransomware attack, adversaries exploit these vulnerabilities to infiltrate the victim’s network and encrypt their data, effectively holding it hostage. After encryption, bad actors demand ransom payment in exchange for the decryption key required to retrieve their files.

But the ramifications of ransomware extend beyond the risk of data exposure and recovery costs; attacks can also result in downtime that disrupts learning for students. The impact of ransomware has grown so severe that the Biden Administration has even committed to providing ongoing assistance and resources to support schools in strengthening their cyber defenses.

So, while ransomware in the education sector isn’t a new phenomenon, the stakes remain high. And with both higher and lower education institutions reporting the highest rates of attacks among all industries surveyed in a recent study, the need for increased defense readiness in the education sector has never been more evident.

3 ransomware trends disrupting classrooms in 2023

Cybercriminals have refined the ransomware-as-a-service (RaaS) model in recent years, enabling adversaries to specialize in different stages of attack. Amid the current ransomware surge, IT and security leaders in education must remain aware of the evolving threat landscape so they can effectively safeguard their networks and systems.

Here are some trends from The State of Ransomware in Education 2023 report that demand attention now:

1. Adversaries are leveraging compromised credentials and exploited vulnerabilities. More than three-quarters (77 percent) of attacks against higher education institutions and 65 percent against early education institutions this year originated from compromised credentials and exploited security flaws in software.

Although the root causes of attacks are similar across other industries, educators experienced a significantly higher number of attacks that originated from compromised credentials. The sector’s lack of adoption of multi-factor authentication (MFA) technology — a critical tool in preventing these types of attacks — likely plays a role in this trend.

2. Educational institutions lag behind other sectors when it comes to data backups. The use of data backups is critical in recovering encrypted data and reducing downtime in the event of an attack. Still, only 63 percent of higher educational organizations use backups, falling below the cross-sector average of 70 percent. Lower educational institutions perform slightly better in this area, with 73 percent of organizations backing up their data.

However, the use of backups to recover encrypted data decreased in the last year — a concerning trend given the high rate of ransomware attacks against the sector.

3. Educators are paying ransoms. But should they? Education had one of the highest rates of ransom payouts of all industries, with 56 percent of higher education institutions and 47 percent of lower education institutions paying the ransom in attacks in 2023. Educators’ willingness to pay ransom often stems from factors like the critical nature of their operations and the potential impact of data exposure on staff and students.

But paying the ransom is a risky and often costly move because there’s no way to guarantee adversaries will provide the decryption key. Even if they do, victims may still need to spend significant time and resources recovering data. In fact, paying the ransom actually increased recovery costs and lengthened recovery times for victims this year.

Empowering educators: How to defend against ransomware attacks

Factors like resource constraints can make it difficult to maintain comprehensive and up-to-date cybersecurity measures. But with an understanding of optimal incident response protocols and adversaries’ tools, techniques, and procedures (TTPs), you can prioritize practices and investments that bolster your institution’s defenses against ransomware.

• Explore CISA guidelines and toolkits for recommendations and best practices when it comes to information sharing, maintaining defenses with limited resources and more.

• Maintain proper cybersecurity hygiene through routine patching and regular reviews of security tool configurations. Don’t be afraid to lean on a third-party expert for help assessing the effectiveness of your defenses.

• Defend against common attack vectors with tools like MFA and zero trust network access to prevent the exploitation of compromised credentials.

• Employ managed detection and response (MDR) services to enhance your security with round-the-clock threat monitoring.

• Leverage adaptive technologies that automatically respond to attacks to buy you response time.

• Prepare for the worst by regularly backing up your data and maintaining an incident response plan that reflects the current threat landscape.

• Raise awareness among staff about the dangers of ransomware and best practices they can follow to mitigate risk.

Cyberattacks are inevitable, and ransomware is a common form of attack in the education sector. But you’re not helpless — you have the ability to exercise control over your institution’s digital preparedness.

By adhering to best cybersecurity practices, implementing tools that defend against emerging threats, and outsourcing services when necessary, you can equip your institution to respond to potential threats in an effective and timely manner.

Key points:

• Evolving technology offers learning opportunities, but also K12 cybersecurity threats
• See article: Reading, writing, and cybersecurity: Practicing good cyber hygiene
• See article: 4 back-to-school cybersecurity tips
• For more news on K12 cybersecurity, visit eSN’s IT Leadership page

The school bell is about to ring in another academic year, and as children pull out their lunchboxes and teachers decorate their rooms, schools continue to face an onslaught of K12 ransomware while also grappling with perpetually insufficient budgets, legacy IT, and under-staffing concerns.

The increased level of connectivity in today’s schools means richer opportunities for learning and community, but it also puts at further risk the financial data, personally identifiable information (PII) and other sensitive information that educational institutions hold.

K-12 schools received a cyber maturity score of 3.55 out of 7 from the Nationwide Cybersecurity Review (NCSR) risk-based assessment, despite the fact that many school districts are trying to strengthen their cybersecurity posture. And according to 29 percent of K–12 participants in that report, a cyber incident occurred in their district in the previous year. Malware and ransomware were two of the most prevalent occurrences. According to the report, ransomware attacks pose the greatest K12 cybersecurity risk to K–12 schools and districts in terms of overall cost and downtime.

The good news is that the federal government is taking this seriously. In early August, the Biden Administration announced a new plan focused on strengthening school district cybersecurity plans. While the elements of this plan are rolled out, school IT teams and leaders can also start to take action in another area: cyber hygiene for students. It’s never too early to start teaching children basic cyber literacy.

New rules for K12 cybersecurity

The Biden Administration’s new proposal comes on the heels of a report from the Cybersecurity & Infrastructure Security Agency (CISA), Protecting Our Future: Partnering to Safeguard K-12 Organizations from Cybersecurity, which offers guidelines for schools to help bolster defenses. 

Guidelines include investing in the most impactful security measures and building toward a mature cybersecurity plan, recognizing and actively overcoming resource constraints, and focusing on collaboration and information sharing. CISA will continue to engage with federal partners, including the U.S. Department of Education, and work closely with state and local officials, school leaders, emergency management officials, nonprofits, community leaders, and the private sector to identify areas for progress and provide meaningful support that measurably reduces risk.

Other elements of the administration’s new plan include a proposed pilot program that will provide up to $200 million over three years to strengthen security in schools and libraries with the help of federal agencies, and establishing a new council to coordinate between federal, state and local leaders to help bolster cyber defenses in schools. It also calls for new resources for reporting and enlists the help of private companies to provide free and low-cost resources for school districts, including training.

It’s great to have support at this level, but it will take some time for these plans to roll out to schools. In the meantime, district leaders and IT teams can start implementing good cyber security for school districts hygiene practices right away.

Fostering good cyber hygiene for teachers and students

People don’t have to be tech geniuses to practice good cyber hygiene. Teachers and even the youngest students can be taught some basic cyber hygiene practices. For instance, a very common-sense practice is to not share passwords or any kind of PII with strangers online. Teachers and students must learn what suspicious links look like and learn not to click them, or to open unexpected attachments or download anything on their computers without approval. When students are online in the classroom, teachers can ensure that they use only approved websites and applications and get approval for certain activities.

When it’s age-appropriate, children can learn how important strong passwords are and how to create them. Best practices include:

• Create longer passwords that are personally meaningful but that don’t contain any PII. An example would be a line from an obscure song with numbers and symbols mixed in to create a password that’s at least 10 characters long. These are much harder, if not impossible, for attackers to guess.
• Use a unique password for each account.
• For all your online accounts, create one-of-a-kind, long and difficult passwords using a password manager.
•  

Obviously, younger children, like those in kindergarten through third grade, aren’t going to be creating or using strong passwords. Educators at that level will need to be creative in how they help students at that age protect their work, but certainly by middle and high school, this will be a key part of learning.

Pre-teens and teenagers can learn to understand how to securely navigate social media.  For example, it’s wise to not use social media accounts to log in to certain kinds of platforms, because those platforms then have instant access to whatever PII is available in those accounts. If there’s no other way to connect to that platform, students can create dummy accounts to use only for this purpose.

Students also need to be cautious about instant messaging services due to social engineering risks. The rule about never giving out PII applies here, especially financial information. And QR codes, though convenient, can send students to a site with malicious files waiting to be downloaded.

And for teachers and staff, from the White House to the private sector, organizations are already offering cybersecurity training for K–12 school districts. Such programs provide academics and employees with the most recent information, advice, and suggestions to help them make better decisions when faced with cyberattacks and other dangers to the school. These free training programs are already being used by many districts.

Knowledge is power–and stronger K12 cybersecurity for school districts

As long as there are school IT teams working with few human and financial resources, there will be cyber adversaries trying to take advantage and break into school networks. This requires a two-pronged approach: technology and training. Because students have network access, they need to learn how to use it safely and responsibly–IT does not bear the sole responsibility for cybersecurity.

Individual cyber hygiene plays a huge role in helping to defend the network. Training for students, teachers, and staff will help IT teams keep the bad actors out and will ultimately help create a cyber-savvier generation.

What are some K12 cybersecurity tips?

Due to budget and resource constraints, many schools and other academic organizations are only able to implement very basic K12 cybersecurity tools and processes, and this leaves them extremely vulnerable to cyberattacks.

We’ve seen this play out over the past 12 months with high-profile attacks on school districts in Los Angeles, Minneapolis and Tucson, Ariz., among many others. And, because cybercriminals can compromise school networks for big gains with very little effort, we expect k12 cybersecurity attacks will only increase.

As the new school year quickly approaches, IT and security teams face a seemingly overwhelming task: protect school networks with limited budget and personnel. The good news is that there is some cybersecurity training and basic blocking and tackling that can significantly help schools build a strong cybersecurity for schools  basic training, including:

1. Mandating strong passwords for cybersecurity 

It’s easy to choose a simple password or to repeat passwords across accounts for memory’s sake, but the consequences of doing so can be severe. In fact, according to the FIDO (Fast Identity Online) Alliance, passwords are the root cause of more than 80 percent of data breaches. Educating students and staff about the importance of strong, hard-to-guess passwords cannot be overstated. Research shows that a 12-character password could take 27,000 years to crack and cost hackers $6.4 trillion to do so. Mandating strong passwords is a simple, cost-effective way to strengthen a school’s cybersecurity posture.

For schools that are able to take credentials management one step further, multi-factor authentication is a great option. MFA is a method of authenticating into an account that requires users to present at least two pieces of evidence to prove their identity — something they know (e.g., a password) as well as something they have (e.g., an authentication code via text or email) or something they are (e.g., facial recognition or a fingerprint scan).

• Implementing a K12 cybersecurity data backup solution. 

While this will certainly be an upfront investment, it will pay dividends over the long-term. Having backups of your school’s and students’ data can be extremely beneficial for compliance and business purposes, and it can also be extremely valuable in a K12 ransomware attack – where cybercriminals access data, encrypt it and then demand schools pay a ransom to decrypt it. Many schools that don’t have a data backup solution in place pay the ransom in the hopes they’ll get their data back, but this is money out of their pocket they can’t afford to lose, and worse yet, paying the ransom does not guarantee access to the data. However, if you’re the victim of a ransomware attack and have a data backup solution in place, you can evade the ransom demand by simply falling back to the backup version.

• Taking a security-in-depth approach. 

Where possible, schools should take a multi-layered approach to security, including using firewalls, anti-virus solutions, anti-malware software, and encryption. Cybercriminals don’t want to work hard to infiltrate a target, so security-in-depth is an impactful deterrent that can help fend off today’s sophisticated hackers.

Prioritizing cybersecurity training awareness

Students and staff are the first line of defense in network security, and they can’t do their part if they aren’t aware of the threats facing them or the actions to take if they suspect they are a victim of an attack. IT and K12 cybersecurity teams need to make them part of cybersecurity efforts by offering ongoing cybersecurity awareness and training. The best way to get them to pay attention and remember what they learn is to offer short, engaging training sessions on a regular basis, rather than long, drawn-out presentations once a year.

All this said, we’re living in a world where it’s no longer a matter of if a school gets attacked, but when. In this reality, it’s so important that schools have an incident response plan in place, so they know how to react following a successful incident and can do so quickly. Communicating to affected families should be a big part of this plan. Timeliness and transparency are key following an attack. Victims need to know the nature of the attack, what data was compromised, what the school is doing to remediate the problem, and the steps they should take to protect their personal information. From an internal perspective, schools need to take the incident as a learning opportunity – identifying what went wrong, so they can put the right people, processes and technologies in place to prevent a similar K12 ransomware attack from happening again.

The bottom line is schools can suffer severe consequences from a cyberattack, including disrupted instruction, impaired operations, financial losses to address the incident, and the exposure of stakeholders’ personal information. By focusing on achievable cybersecurity basics, schools can fight back by building a solid security and resilience foundation that can help them defend against cybercriminals to keep their teachers, administrators, students and families safe.

Why are schools being cyber attacked?

Strengthening K12 cybersecurity measures and optimizing attack preparation, along with good security hygiene, can help education organizations avoid ransomware attacks

Education reported the highest rate of K12 ransomware attacks in 2022, and over the past year, 79 percent of higher-ed organizations surveyed reported being hit by ransomware, while 80 percent of K-12 organizations surveyed were targeted—an increase from 64 percent and 56 percent in 2021, respectively.

These statistics come from The State of Ransomware in Education 2023, a report from cybersecurity provider Sophos.

Additionally, the education sector reported one of the highest rates of ransom payments, with more than half (56 percent) of higher-ed organizations paying and nearly half (47 percent) of K-12 educational organizations paying the ransom. However, paying the ransom significantly increased recovery costs for both higher-ed and K-12 educational organizations. Recovery costs (excluding any ransoms paid) for higher-ed organizations that paid the ransom were $1.31 million when paying the ransom versus $980,000 when using backups. For K-12 educational organizations, the average recovery costs were $2.18 million when paying the ransom versus $1.37 million when not paying.

Paying the ransom also lengthened recovery times for victims. For higher-ed organizations, 79 percent of those that used backups recovered within a month, while only 63 percent of those that paid the ransom recovered within the same timeframe. For K-12 educational organizations, 63 percent of those that used backups recovered within a month versus just 59 percent of those that paid the ransom.

“While most schools are not cash-rich, they are very highly visible targets with immediate widespread impact in their communities. The pressure to keep the doors open and respond to calls from parents to ‘do something’ likely leads to pressure to solve the problem as quickly as possible without regard for cost. Unfortunately, the data doesn’t support that paying ransoms resolves these attacks more quickly, but it is likely a factor in victim selection for the criminals,” said Chester Wisniewski, field CTO, Sophos.

For the education sector, the root causes of K12 ransomware attacks were similar to those across all sectors, but there was a significantly greater number of K12 ransomware attacks involving compromised credentials for both higher-ed and K-12 educational organizations (37 percent and 36 percent respectively versus 29 percent for the cross-sector average). 

Additional key findings from the report include:

• Exploits and compromised credentials accounted for more than three-fourths (77 percent) of ransomware attacks against higher-ed organizations; these root causes accounted for more than two-thirds (65 percent) of attacks against K-12 educational organizations
• The rate of encryption stayed about the same for higher-ed organizations (74 percent in 2021 versus 73 percent in 2022), but increased from 72 percent to 81 percent across K-12 educational organizations during the past year
• Higher-ed organizations reported a lower rate of using backups than the cross-sector average (63 percent versus 70 percent). This is the third lowest rate of backup use across all sectors. K-12 educational organizations, on the other hand, had a slightly higher rate of using backups than the global average (73 percent)
•  

“Abuse of stolen credentials is common across sectors for ransomware criminals, but the lack of adoption of multifactor authentication (MFA) technology in the education sector makes them even more at risk of this method of compromise. Like the U.S. federal government’s initiative to mandate all agencies use MFA, it is time for schools of all sizes to employ MFA for faculty, staff and students. It sets a good example and is a simple way to avoid many of these attacks from getting in the door,” said Wisniewski.

Sophos recommends the following best practices to help defend against ransomware and other cyberattacks:

• Strengthen defensive shields with:
  • Security tools that defend against the most common attack vectors, including endpoint protection with strong anti-exploit capabilities to prevent exploitation of vulnerabilities, and Zero Trust Network Access (ZTNA) to thwart the abuse of compromised credentials
  • Adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond
  • 24/7 threat detection, investigation and response, whether delivered in-house or by a specialist Managed Detection and Response (MDR) provider
• Optimize attack preparation, including making regular backups, practicing recovering data from backups and maintaining an up-to-date incident response plan
• Maintain good security hygiene, including timely patching and regularly reviewing security tool configurations

Do schools need K12 cybersecurity?

As COVID-19 swept the nation beginning in 2019, no one knew just how life-altering the pivot to remote work and education would be. Today, we see more and more students and employees alike who are relying on technology to engage with their work and peers than ever before. As with holidays and other unanticipated events, this pivot drew in some of the biggest minds in security who worked to eliminate K12 cybersecurity challenges stemming from this change – but it also drew in hackers.

Shoring up cybersecurity for schools practices is quite the feat. User authorization is extremely challenging, as IT professionals must navigate through different levels of access for each user community. This creates even higher risks because networks must be open to employees, students, and others – an issue most businesses don’t need to manage.

Another major cybersecurity for schools challenge we see frequently with education is outdated technology. Like healthcare, we see devices that need to connect to the network — but the old software poses risks, such as a lack of updated security protocols. This creates vulnerabilities that are ideal for threat actors, many of which are looking for an easy fix they can exploit. Media devices that can be connected to computers–thumb drives, external hard drives, CDs, DVDs–also pose a challenge to MSPs/MSSPs providing cybersecurity to their clients.

As frequently as we see these attacks in the news, not much is changing in terms of recovery time or preparation. As the number of breaches rise, the Government Accountability Office (GAO) found that recovery from these attacks ranges from two to nine months. As educational professionals and MSPs battle singular hackers, sophisticated foreign governments, and crime syndicates to protect employee and student data, it begs the question: What can really be done with this information?

Upon gaining access to critical data, cybercriminals can leverage this sensitive information for an array of attacks, such as: 

• Phishing scams: Using a fraudulent solicitation over email or website.  
• Ransomware attacks: Malicious software that blocks access to computer or data systems with a fee to restore access.   
• Distributed Denial of Service (DDoS): Overwhelms websites, servers, and computers with massive and ongoing attacks to prevent authorized users from accessing networks and system.   
• Zoom bombing: Perpetrators disrupt video conferences with pornographic or hate/threating language.  

The financial breakdown of cybersecurity for school districts

The complexities that come with protecting schools and their stakeholders from threats are vast, and implementing cyber policies comes with additional challenges.

Readiness and Emergency Management for Schools (REMS) advises schools and school districts that things like filtering and blocking applications – such as firewalls, encryption, and anti-virus/anti-malware systems – are an important part of that equation. 

However, one of the biggest barriers to this is money. It’s no secret that schools don’t have the means to incorporate major cybersecurity changes into their budget, especially not on a recurring basis. K-12 respondents to the Nationwide Cybersecurity Review (NCSR) reported a lack of money as their top challenge, with nearly one-fifth of schools investing less than one percent of their overall IT budget on K12 cybersecurity. 

That said, the cost of a cyber breach is also hefty. Between recovery time and navigating stolen data, schools may end up spending the same amount in their journey to recovering from an attack as they would to prevent them. As the average cost of a data breach in the U.S. hit $9.4 million in 2022, according to IBM, administrators need to leverage security solutions to minimize their exposure. This means that MSPs need to advise and offer more robust and sustainable cyber defenses to protect these institutions. 

Lesson planning: How to minimize cybersecurity for schools

Planning is a big part of a successful cybersecurity program. With infrastructure being a major concern for IT teams and administrators – especially with an array of devices and operating systems. Universities have huge networks that make it easier for hackers to exploit. Last year, a ransomware group targeted Florida International University with its 48,000 students and swiped personal information that exposed accounting documents, social security numbers, and other sensitive data.

It’s also crucial to understand what is at stake. Schools don’t only have access to academic records. Things like medical records or other sensitive personal information could quickly be accessed and used by threat actors in a matter of minutes. In fact, a class action lawsuit has been filed over an alleged UC San Diego data breach in 2021 in which hackers gained access to 500,000 employee email accounts revealing lab results, diagnoses, and medical records. The lawsuit also names the Regents of the University of California, demonstrating the scope of liability for poor cybersecurity standards. 

All of these risks help to clarify just what’s at stake if cybersecurity isn’t made a priority in the education industry. This is a prime time for MSPs to help leaders in the education space to implement a strong K12 cybersecurity strategy. Opportunities to limit the data employees can access is a good start. Encouraging strong cyber hygiene and offering phishing training would also help from a user perspective. Most of all, however, is modernizing network security with backup systems and integrated protection. 

What is the biggest cybersecurity for school districts and how do you fix it?

In early September, the Cybersecurity and Infrastructure Security Agency (CISA) announced a voluntary pledge for K12 education technology software manufacturers to commit to designing products with a greater focus on security. In the announcement, CISA mentioned that six leaders in the education software industry had already committed to the pledge: PowerSchool, ClassLink, Clever, GG4L, Instructure, and D2L.

“We need to address K12 cybersecurity issues at its foundation by ensuring schools and administrators have access to technology and software that is safe and secure right out of the box,” said CISA director Jen Easterly. “I want to thank ClassLink, Clever, D2L, GG4L, Instructure, and PowerSchool, who have already signed this pledge and for their leadership in this area. We need all K-12 software manufacturers to help us improve cybersecurity for the education sector by committing to prioritize security as a critical element of product development.”

CISA’s principles for K12 cybersecurity

This action brings a spotlight to the ongoing issue of K12 cybersecurity. CISA’s goal is to persuade more K12 software and hardware manufacturers to commit to its pledge. Signing the pledge demonstrates that the manufacturer is committing to three principles:

1. Taking ownership of customer security outcomes: Includes offering Single Sign On (SSO) and security audit logs and no extra charge.

• Embracing radical transparency and accountability: Includes publishing a secure by design roadmap, a vulnerability disclosure policy and security-relevant statistics and trends.

• Leading from the top by making secure technology a key priority for company leadership: Includes naming a C-level leader at the company who is charged with overseeing security.

What does secure by design mean?

In typical software design and manufacturing, the focus is on the product’s reason for being. For example, the developers of reading improvement software are focused on building a product that delivers measurable improvements to student reading speed and comprehension. The security of the software and its user data are an afterthought. Any security considerations are made late in the development process or bolted on afterward.

In contrast, a secure by design approach means that developers bake security into the design of the product from the beginning. This has proven to be a much more effective approach to protecting software than trying to patch security holes after the fact. Secure by design was popularized by the European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018. Today, this is a more common approach to software design, but it is relatively new to K12 education.

Today’s ongoing K12 cybersecurity threats

While the K12 education industry strives for improved protection in its schools, fresh examples of security holes continue to appear on a regular basis. Most recently, Prince George’s County Public Schools was the victim of a ransomware attack on August 14 that impacted about 4,500 user accounts, mostly staff, according to the district. Cybersecurity breaches such as this can have a detrimental impact on K12 schools, threatening both reputation and financial well-being.

Unfortunately, successful ransomware attacks can hinge on exploiting a single vulnerability hidden among the dozens of software applications running in most school districts. By following CISA’s guidance and committing to a secure by design approach to software development, developers can further reduce potential vulnerabilities and keep staff and student data more secure.

Key points:

• The nation continues to face a severe cyber workforce shortage
• Defending against future ransomware attacks requires cybersecurity investments
• See related article: Fixing the K-12 cybersecurity problem
• For more news on IT security, see eSN’s IT Leadership page
• Learn How to Lower Cybersecurity Threats to Your School

According to a recent report from the Cybersecurity Infrastructure Security Agency (CISA), aggressive hacking tactics by threat actors are increasing in frequency and complexity against K-12 classrooms and higher education institutions.

With public and private schools providing a broad attack surface area for exploitation, they often find themselves repeatedly targeted by malicious hackers looking for financial gain or to steal the sensitive information of students and teachers. These cyberattacks create potentially dangerous effects on the education sector via lost instructional time and the cost to recover from the incident.

It’s no surprise that ransomware has hit the education sector hard. Schools often struggle to find room in the IT budget for a robust cybersecurity plan–and they are further constrained due to the difficulty in retaining IT talent to boost their overall security posture. As a result, hackers can often easily slip in through open vulnerabilities and wreak costly havoc on districts. Countering such devastating attacks with efficiency is going to be key in the 2023-2024 school year. 

Establish holistic approaches to security

Fortifying defenses against future ransomware attacks requires institutions to prioritize cybersecurity investments, while improving talent retention strategies and automating their patching capabilities. The nation continues to face a severe cyber workforce shortage, and at the same time, most students in the classroom are not being taught proper cyber hygiene or how to best defend themselves from exploitation in the digital world. It’s clear that cybersecurity is not simply an issue for staff or teachers. 

With malware, phishing campaigns and distributed denial-of-service attacks on the rise, school systems are requiring more eyes and ears than what a lone IT team can provide. Traditionally, IT teams in school districts or on college campuses focus their efforts on external-facing systems and often fail to properly secure internal networks that are just as at risk.  Higher education institutions are particularly susceptible to internal attacks. In fact, university breaches are more likely to come from a student who is either inadvertently or even purposely causing a disruption. This adds yet another layer of risk to mitigate. 

Promoting a culture of security awareness can transform the way districts handle these cyberthreats. Students and educators alike can learn how to quickly spot and report threats, how to maintain strong password management, as well as how to better protect themselves in an online digital environment. This holistic approach to risk and compliance is the foundation for an ecosystem that better defends itself against daily cyber threats.

Critical vulnerabilities within unprepared systems often stem from two main factors: a lack of effective threat detection and the improper storage of documents on school-provided cloud drives. Without proper threat detection in place, it is extremely difficult for vulnerabilities in system software to be recognized and ultimately mitigated. For example, last September, a ransomware attack on the Los Angeles Unified School District (LAUSD) drew national attention after it was confirmed that Social Security numbers and the private, sensitive information of staff and students was exposed. Not only was this attack a breach of information that damaged the confidence and reputation of the school, but it was also a massive disruption to the district and their network system availability. While it may have been unclear if the root cause was in fact an unpatched system or not, it is clear that unpatched systems, or delayed patches, can lead to such incidents. 

Delayed patches means that vulnerabilities can go undetected or get completely ignored for weeks or even months at a time. Unfortunately, some institutions may think it is perfectly fine to designate certain times of the year for their patch management. But trying to squeeze in 6 months’ worth of patching before the start of a new semester can financially and academically disrupt a K-12 district or university via lengthy downtimes.

Traditional patch management is out

This passive approach to patching means the education sector must wait for patches to be automatically delivered and then manually installed, which can add to the delays in addressing known vulnerabilities. It’s not a secret that patch management can be a frustrating and time-consuming process that requires scheduled maintenance and is heavy on the manual labor needs for already overworked security teams. But by moving universities, community colleges, and K-12 districts into a more automated approach to patch management, the process becomes significantly streamlined. 

Live patching is a relatively new approach that works by modifying and intercepting code at runtime that does not interrupt normal system operations. With automatic security patching in place, it not only frees up administrators, it also significantly reduces necessary downtime.

Some of the biggest benefits to switching to automated patching in place of traditional methods are:

• Reduced downtime and disruption: Applying live patches minimizes the risk of unexpected system failures, crashes, or downtime resulting from unpatched vulnerabilities. This ensures smooth operations, uninterrupted services, and safer student data.
• Timely vulnerability mitigation: Proactive patching ensures that vulnerabilities are addressed as soon as patches become available. This significantly reduces the window of opportunity for attackers, minimizing the risk of successful exploitation.
• Reduces risky reboots: Live patching eliminates the need for scheduled maintenance windows in which a system can be rebooted or services. Rolling reboots and restarts themselves can be risky and disrupt daily classroom operations if forced to shut down temporarily. 

The digital transformation process for the education sector is crucial in light of increased targeted attacks. By securing classroom environments through a strong vulnerability management platform and empowering IT administrators, educators, and students to focus their efforts on proactive defense strategies and awareness, schools can enhance their ability to defend themselves and lower the risk of exploitation. 

Key points:

• K-12 cybersecurity is of paramount importance in digital classrooms
• A secure by design approach can help reduce cybersecurity risks
• See related article: Reading, writing, and cybersecurity: Practicing good cyber hygiene
• Get the latest news on K-12 cybersecurity by visiting eSN’s IT Leadership page
• Learn How to Lower Cybersecurity Threats to Your School

In early September, the Cybersecurity and Infrastructure Security Agency (CISA) announced a voluntary pledge for K-12 education technology software manufacturers to commit to designing products with a greater focus on security. In the announcement, CISA mentioned that six leaders in the education software industry had already committed to the pledge: PowerSchool, ClassLink, Clever, GG4L, Instructure, and D2L.

“We need to address K-12 cybersecurity issues at its foundation by ensuring schools and administrators have access to technology and software that is safe and secure right out of the box,” said CISA director Jen Easterly. “I want to thank ClassLink, Clever, D2L, GG4L, Instructure, and PowerSchool, who have already signed this pledge and for their leadership in this area. We need all K-12 software manufacturers to help us improve cybersecurity for the education sector by committing to prioritize security as a critical element of product development.”

CISA’s principles for K-12 cybersecurity

This action brings a spotlight to the ongoing issue of K-12 cybersecurity. CISA’s goal is to persuade more K-12 software and hardware manufacturers to commit to its pledge. Signing the pledge demonstrates that the manufacturer is committing to three principles:

• Taking ownership of customer security outcomes: Includes offering Single Sign On (SSO) and security audit logs and no extra charge
• Embracing radical transparency and accountability: Includes publishing a secure by design roadmap, a vulnerability disclosure policy and security-relevant statistics and trends
• Leading from the top by making secure technology a key priority for company leadership: Includes naming a C-level leader at the company who is charged with overseeing security

Secure by design explained

What does secure by design mean? In typical software design and manufacturing, the focus is on the product’s reason for being. For example, the developers of reading improvement software are focused on building a product that delivers measurable improvements to student reading speed and comprehension. The security of the software and its user data are an afterthought. Any security considerations are made late in the development process or bolted on afterward.

In contrast, a secure by design approach means that developers bake security into the design of the product from the beginning. This has proven to be a much more effective approach to protecting software than trying to patch security holes after the fact. Secure by design was popularized by the European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018. Today, this is a more common approach to software design, but it is relatively new to K-12 education.

Ongoing K-12 cybersecurity threats

While the K-12 education industry strives for improved protection in its schools, fresh examples of security holes continue to appear on a regular basis. Most recently, Prince George’s County Public Schools was the victim of a ransomware attack on August 14 that impacted about 4,500 user accounts, mostly staff, according to the district. Cybersecurity breaches such as this can have a detrimental impact on K-12 schools, threatening both reputation and financial well-being.

Unfortunately, successful ransomware attacks can hinge on exploiting a single vulnerability hidden among the dozens of software applications running in most school districts. By following CISA’s guidance and committing to a secure by design approach to software development, developers can further reduce potential vulnerabilities and keep staff and student data more secure.

Related: Education suffers the highest rate of ransomware attacks

Key points:

• Education institutions are prime targets for hackers because they hold valuable data and often lack strong cybersecurity protections
• A crucial part of staying ahead of ransomware is staying informed
• See related article: Education suffers the highest rate of ransomware attacks
• Learn How to Lower Cybersecurity Threats to Your School

As the 2023-2024 school year commences, focus on education is accompanied by a pressing concern for better cybersecurity. Cybercriminals are poised to exploit educational institutions, seeking access to personal, financial, and health records. Recent incidents, such as New Haven School System’s $6 million breach and Prince George County schools attack, highlight potential risks facing schools today. There is a critical need for robust cybersecurity measures for protection against attacks, inclusive of a comprehensive plan to keep hackers at bay.

What’s sending hackers to schools for the ultimate ransomware field day? Educational institutions hold a wealth of valuable information but lack IT budgets and updated cybersecurity tools, making them prime targets. In a perfect world, ransomware could always be stopped at the “front door” before it enters a school’s network premises, but this is hardly the case. Detection and prevention measures such as monitoring network traffic, establishing strict permission guidelines, and implementing multi-factor authentication (MFA) to confirm identities are continuously evolving, but attackers are becoming increasingly sophisticated, often finding ways to bypass these defense measures.

Understanding why schools are prime targets is the first step to building a healthy cybersecurity ecosystem. The next step is looking at what tools are in place and considering how to optimize their performance and functionality–not only for security, but recoverability and restoration. Emphasizing backup as a key component of security strategy may be the low-effort, cost-effective solution schools need to achieve cyber-resiliency.

Stay aware: Students aren’t the only ones preparing to go back to school

We’ve witnessed an alarming surge in ransomware attacks on educational institutions. At least 120 schools have suffered a ransomware attack compared to 188 in all of 2022. Despite their crucial role in shaping the future, schools often grapple with small IT budgets, limited staff, and outdated technology, making them lucrative targets for threat actors.

With these obstacles in mind, schools are more likely to endure consequences of an attack stemming from human error from students and overly complex tech that IT staff are too strapped to manage properly. This often opens them up to the possibility of data theft, followed by extremely long recovery times. For instance, in April, Alabama-based Jefferson County Schools suffered prolonged disruptions from an attack that occurred during the end of spring break in March, and an incident at Colorado public schools in June led to data exposure of student mental health records.

Stay prepared to stay protected

A crucial part of staying ahead of ransomware is staying informed. Currently, there are types of ransomware that are intelligent enough to commit an acoustic attack by listening to your keystrokes and predicting what someone is typing with 95 percent accuracy. Hackers can listen in to text chats or leak sensitive information, which is tough to manage in a school setting given the multitude of devices and connectivity options.

Though backup typically falls second to other defense measures, its impact can be outstanding. Consider The New Haven School system, which tried to alleviate getting data back up and running by paying ransom to the attackers. The biggest concern here is there is no guarantee that stolen data will be returned post-payment.

Veeam’s 2023 Ransomware Trends Report found that while 59 percent of organizations paid the ransom and were able to recover data, 21 percent that paid the ransom still didn’t get their data back. Additionally, only 16 percent of organizations avoided paying ransom because they were able to recover from backups. The truth is, no security plan is foolproof, and schools should consider quality versus quantity when it comes to which tools to bring to the battle against cyber threats. While implementing standard security measures is highly encouraged, the reality is that nothing will keep schools completely void of ransomware attacks.

This is where data backup comes to the forefront of cybersecurity strategies. This includes conducting regular backups of school data and following the 3-2-1-1-0 strategy, comprised of three copies of data saved on two types of media, with one copy offsite and one copy offline. Should a disruption occur, this makes the difference in guaranteed availability. Incorporating strong security measures like these into backup and management practices boosts the overall resilience of a school’s data infrastructure.

Stay ahead with immutable backup storage

It’s worth noting, targeting primary data and backups is well within the realm of possibility as ransomware rises. Although criminal hackers actively target backups, these remain the best defense against ransomware. Schools must ensure they take regular backups that are immutable, stored off-site, or, ideally, both. Immutable backup storage is a type of data storage system designed to prevent unauthorized or accidental modifications, deletions, or alterations to backed-up data for a specified period. Therefore, once data is written or stored, it cannot be changed or deleted until the predefined retention period expires.

Object storage is a great partner for education as it enables versioning and object lock, rendering itself ransomware-proof. Schools should incorporate backups with hardened security and an appropriate level of redundancy for constrained IT. What’s more, it’s a simple, powerful, and secure tool that schools can use to guarantee recovery. It is generally affordable compared to file or block storage solutions, further accommodating a limited budget for school IT.

Back to school with better protection

To prepare for potential attacks, schools must establish clear roles and responsibilities for key stakeholders. With the value of data continually on the rise, it’s not a question of if a school will face an attack, but when. Cybersecurity awareness among students and staff is paramount in keeping our leaders of tomorrow and their data safe. Furthermore, aligning with the U.S. Department of Education’s Cybersecurity Resilience Efforts can provide additional resources and support.

Data should be stored in a separate system to ensure availability in case of disruption. Combat attacks on primary storage with built-in immunity as an extra layer of protection against tampering. Keep school in session with a low-effort and cost-efficient solution like on-premises object-based backup storage–a tool built for low maintenance and constrained IT.

Key points:

• Schools will likely remain the targets of cyberattacks for years to come
• Districts must prepare themselves by implementing strong cyber practices for their systems
• See related article: As invisible threats to education loom, cybersecurity is paramount
• Learn How to Lower Cybersecurity Threats to Your School

There is no question that cybersecurity threats such as ransomware continue to pummel the education system, with the White House estimating that at least eight K-12 school districts faced “significant cyberattacks” during the last school year alone, resulting in loss of learning time and even full school shutdowns. With open networks, tight budgets, and a lack of proper cybersecurity training for teachers and students, there are many factors that lead schools to become prime targets for attacks. 

On the heels of the White House’s multi-pronged plan to help bolster K-12 schools’ cybersecurity, it is crucial that schools recognize the importance of strong cyber posture within the education system and take the steps necessary to bolster their digital security, despite limited resources and an increasing number of complex cyberattacks.

Why schools are susceptible to attacks  

Schools do not necessarily come to mind when you think about places most likely to face a cyberattack, but they’re a big target for hackers for a number of reasons. Cyber attackers are opportunistic and seem to look for victims they know or assume have weak security measures in place. School networks, whether primary schools or universities, tend to be open (and inherently less secure) more often than most organizations due to their mission to promote learning, and unfortunately often find themselves falling victim to attack.

Schools aren’t necessarily being specifically targeted, but there are several reasons they may find themselves a victim of a cyberattack:

1. Ransomware actors focus on organizations that are likely to pay a ransom.

This is how cybercriminals make their living. School environments will often be under pressure from parents and authorities to remain open, possibly making it more likely that they would pay a ransom to restore systems quickly.

2. Institutions often have limited security protections

Historically, educational institutions have not spent money to secure their information technology infrastructure or cybersecurity posture. When cybersecurity professionals are hired, the salaries typically are much lower than normal, so schools are not getting the top prospects in the cybersecurity realm. Most educational organizations and districts do not even have full-time cybersecurity professionals or offer routine training to the educators, faculty, and students.

3. Academic institutions may use new, untried technology

While recent technologies provide benefits for educators, such as improved accessibility or access to education techniques that help students with certain learning styles, it’s important to remember not all technologies are secure. Many times, the less-secured or less-tested technologies are not as expensive as the more secure and tested technologies. This can create a conundrum for educational organizations with small budgets and lead to great risks associated with cybersecurity.

4. Attackers value email addresses ending in .edu

Emails are a valuable resource for hackers who want to stage phishing attacks. The more legitimate and trustworthy an email is, the more useful it will be in launching an attack. By taking over an email account belonging to an institution, cybercriminals can benefit from the credibility that the domain offers to their phishing email.

Still, it is simple for cybercriminals to get an education domain email address for themselves; many institutions allow anyone to create an account during an application.

5. Academic staff often more exposed to phishing

Academic staff are more likely to fall victim to phishing attacks due to a lack of security tools and a lack of awareness about cyber threats. All it takes is for a single staff member to have a momentary lapse in judgment, and their action can result in malware infecting the entire campus network. High value .edu email addresses belonging to staff members are also often published online, which makes it easy for attackers to locate and choose their victims. It is for these reasons that most academic breaches begin with an email attack.

6. Staff and students take laptops home

School staff and students usually take their laptops home for weekends and summer. This makes security concerns even more critical due to the fact that laptops are using Wi-Fi networks that may not be well protected. It can also be difficult to determine how often these laptops are being updated with security patches while away from school networks.

Achieving better cybersecurity posture

Here are some simple steps to reduce cybersecurity risk in educational settings:

• Use multifactor authentication whenever possible — never rely on passwords for security. Passwords alone cannot provide adequate security. Add MFA to passwords when authenticating to computers, applications, websites, and other networks.
• Conduct periodic vulnerability scans on everything connected to the network. These scans will find missing updates, patches, and known vulnerabilities.
• Install patching recommendations immediately when prompted or as quickly as possible.
• Perform regular penetration tests to find holes, misconfigurations, improperly secured software and applications, and a host of other security related issues. These tests should be performed at least annually by a good cybersecurity firm.
• Utilize next generation endpoint protection and log monitoring to ensure everything is being done to protect the laptops and servers, and any serious event is captured immediately so it can be investigated.
• Hire competent, well-trained cybersecurity staff who can help develop a culture of cybersecurity awareness while testing, investigating, and promoting best practices related to cybersecurity.
• Require mandatory cybersecurity training for teachers and staff. In addition to patching and MFA, basic cyber education for teachers and students is critical. This includes providing crucial tips or resources on:
  • Setting strong passwords for school computers 
  • How to identify phishing schemes through email 
  • The importance of not sharing personal or financial information through email 
  • Updating your computer software regularly to ensure any bugs are fixed and vulnerabilities are addressed
  • Reporting security issues to the appropriate staff, so issues can be thoroughly investigated

Schools will likely remain the targets of cyberattacks for years to come, so it is important that schools prepare themselves by implementing strong cyber practices for their systems. These include strong password management, next generation endpoint and event monitoring, MFA, vulnerability assessments, penetration testing, rapid patching and hiring cybersecurity professionals. When each of these fundamental strategies is performed correctly, significant risk reductions will occur, and cybercriminals will start to learn that school systems and networks are more secure and less vulnerable to common attacks than they think.

Related: Reading, writing, and cybersecurity: Practicing good cyber hygiene

Key points:

• The COVID-19 pandemic invited a number of hackers trying to take advantage of cybersecurity risks
• One of the biggest barriers to strong cybersecurity practices is money
• See related article: Schools are at a greater risk for cyberattacks than ever before
• Learn How to Lower Cybersecurity Threats to Your School

As COVID-19 swept the nation beginning in 2019, no one knew just how life-altering the pivot to remote work and education would be. Today, we see more and more students and employees alike who are relying on technology to engage with their work and peers than ever before. As with holidays and other unanticipated events, this pivot drew in some of the biggest minds in security who worked to eliminate cybersecurity challenges stemming from this change – but it also drew in hackers.

Shoring up cybersecurity practices in the education industry is quite the feat. User authorization is extremely challenging, as IT professionals must navigate through different levels of access for each user community. This creates even higher risks because networks must be open to employees, students, and others – an issue most businesses don’t need to manage.

Another major cybersecurity challenge we see frequently with education is outdated technology. Like healthcare, we see devices that need to connect to the network — but the old software poses risks, such as a lack of updated security protocols. This creates vulnerabilities that are ideal for threat actors, many of which are looking for an easy fix they can exploit. Media devices that can be connected to computers–thumb drives, external hard drives, CDs, DVDs–also pose a challenge to MSPs/MSSPs providing cybersecurity to their clients.

As frequently as we see these attacks in the news, not much is changing in terms of recovery time or preparation. As the number of breaches rise, the Government Accountability Office (GAO) found that recovery from these attacks ranges from two to nine months. As educational professionals and MSPs battle singular hackers, sophisticated foreign governments, and crime syndicates to protect employee and student data, it begs the question: What can really be done with this information?

Upon gaining access to critical data, cybercriminals can leverage this sensitive information for an array of attacks, such as: 

• Phishing scams: Using a fraudulent solicitation over email or website.  
• Ransomware attacks: Malicious software that blocks access to computer or data systems with a fee to restore access.   
• Distributed Denial of Service (DDoS): Overwhelms websites, servers, and computers with massive and ongoing attacks to prevent authorized users from accessing networks and system.   
• Zoom bombing: Perpetrators disrupt video conferences with pornographic or hate/threating language.   

The financial breakdown

The complexities that come with protecting schools and their stakeholders from threats are vast, and implementing cyber policies comes with additional challenges.

Readiness and Emergency Management for Schools (REMS) advises schools and school districts that things like filtering and blocking applications – such as firewalls, encryption, and anti-virus/anti-malware systems – are an important part of that equation. 

However, one of the biggest barriers to this is money. It’s no secret that schools don’t have the means to incorporate major cybersecurity changes into their budget, especially not on a recurring basis. K-12 respondents to the Nationwide Cybersecurity Review (NCSR) reported a lack of money as their top challenge, with nearly one-fifth of schools investing less than one percent of their overall IT budget on cybersecurity. 

That said, the cost of a cyber breach is also hefty. Between recovery time and navigating stolen data, schools may end up spending the same amount in their journey to recovering from an attack as they would to prevent them. As the average cost of a data breach in the U.S. hit $9.4 million in 2022, according to IBM, administrators need to leverage security solutions to minimize their exposure. This means that MSPs need to advise and offer more robust and sustainable cyber defenses to protect these institutions. 

Lesson planning: How to minimize the threat

Planning is a big part of a successful cybersecurity program. With infrastructure being a major concern for IT teams and administrators – especially with an array of devices and operating systems. Universities have huge networks that make it easier for hackers to exploit. Last year, a ransomware group targeted Florida International University with its 48,000 students and swiped personal information that exposed accounting documents, social security numbers, and other sensitive data.

It’s also crucial to understand what is at stake. Schools don’t only have access to academic records. Things like medical records or other sensitive personal information could quickly be accessed and used by threat actors in a matter of minutes. In fact, a class action lawsuit has been filed over an alleged UC San Diego data breach in 2021 in which hackers gained access to 500,000 employee email accounts revealing lab results, diagnoses, and medical records. The lawsuit also names the Regents of the University of California, demonstrating the scope of liability for poor cybersecurity standards. 

All of these risks help to clarify just what’s at stake if cybersecurity isn’t made a priority in the education industry. This is a prime time for MSPs to help leaders in the education space to implement a strong cybersecurity strategy. Opportunities to limit the data employees can access is a good start. Encouraging strong cyber hygiene and offering phishing training would also help from a user perspective. Most of all, however, is modernizing network security with backup systems and integrated protection. 

Related:
Education suffers the highest rate of ransomware attacks
If zero trust is good enough for the government, it’s good enough for your school

Key points:

• Individual cyber hygiene plays a huge role in defending school networks
• Even the youngest students can be taught basic cyber hygiene practices
• See related article: Schools are at a greater risk for cyberattacks than ever before
• Learn How to Lower Cybersecurity Threats to Your School

The school bell is about to ring in another academic year, and as children pull out their lunchboxes and teachers decorate their rooms, schools continue to face an onslaught of cyberthreats while also grappling with perpetually insufficient budgets, legacy IT, and under-staffing concerns.

The increased level of connectivity in today’s schools means richer opportunities for learning and community, but it also puts at further risk the financial data, personally identifiable information (PII) and other sensitive information that educational institutions hold.

K-12 schools received a cyber maturity score of 3.55 out of 7 from the Nationwide Cybersecurity Review (NCSR) risk-based assessment, despite the fact that many school districts are trying to strengthen their cybersecurity posture. And according to 29 percent of K–12 participants in that report, a cyber incident occurred in their district in the previous year. Malware and ransomware were two of the most prevalent occurrences. According to the report, ransomware attacks pose the greatest cybersecurity risk to K–12 schools and districts in terms of overall cost and downtime.

The good news is that the federal government is taking this seriously. In early August, the Biden Administration announced a new plan focused on strengthening cybersecurity in K-12 schools. While the elements of this plan are rolled out, school IT teams and leaders can also start to take action in another area: cyber hygiene for students. It’s never too early to start teaching children basic cyber literacy.

New rules are part of the solution

The Biden Administration’s new proposal comes on the heels of a report from the Cybersecurity & Infrastructure Security Agency (CISA), Protecting Our Future: Partnering to Safeguard K-12 Organizations from Cybersecurity, which offers guidelines for schools to help bolster defenses. 

Guidelines include investing in the most impactful security measures and building toward a mature cybersecurity plan, recognizing and actively overcoming resource constraints, and focusing on collaboration and information sharing. CISA will continue to engage with federal partners, including the U.S. Department of Education, and work closely with state and local officials, school leaders, emergency management officials, nonprofits, community leaders, and the private sector to identify areas for progress and provide meaningful support that measurably reduces risk.

Other elements of the administration’s new plan include a proposed pilot program that will provide up to $200 million over three years to strengthen security in schools and libraries with the help of federal agencies, and establishing a new council to coordinate between federal, state and local leaders to help bolster cyber defenses in schools. It also calls for new resources for reporting and enlists the help of private companies to provide free and low-cost resources for school districts, including training.

It’s great to have support at this level, but it will take some time for these plans to roll out to schools. In the meantime, district leaders and IT teams can start implementing good cyber hygiene practices right away.

Fostering good cyber hygiene for teachers and students

People don’t have to be tech geniuses to practice good cyber hygiene. Teachers and even the youngest students can be taught some basic cyber hygiene practices. For instance, a very common-sense practice is to not share passwords or any kind of PII with strangers online. Teachers and students must learn what suspicious links look like and learn not to click them, or to open unexpected attachments or download anything on their computers without approval. When students are online in the classroom, teachers can ensure that they use only approved websites and applications and get approval for certain activities.

When it’s age-appropriate, children can learn how important strong passwords are and how to create them. Best practices include:

• Create longer passwords that are personally meaningful but that don’t contain any PII. An example would be a line from an obscure song with numbers and symbols mixed in to create a password that’s at least 10 characters long. These are much harder, if not impossible, for attackers to guess.
• Use a unique password for each account.
• For all your online accounts, create one-of-a-kind, long and difficult passwords using a password manager.

Obviously, younger children, like those in kindergarten through third grade, aren’t going to be creating or using strong passwords. Educators at that level will need to be creative in how they help students at that age protect their work, but certainly by middle and high school, this will be a key part of learning.

Pre-teens and teenagers can learn to understand how to securely navigate social media.  For example, it’s wise to not use social media accounts to log in to certain kinds of platforms, because those platforms then have instant access to whatever PII is available in those accounts. If there’s no other way to connect to that platform, students can create dummy accounts to use only for this purpose.

Students also need to be cautious about instant messaging services due to social engineering risks. The rule about never giving out PII applies here, especially financial information. And QR codes, though convenient, can send students to a site with malicious files waiting to be downloaded.

And for teachers and staff, from the White House to the private sector, organizations are already offering cybersecurity training for K–12 school districts. Such programs provide academics and employees with the most recent information, advice, and suggestions to help them make better decisions when faced with cyberattacks and other dangers to the school. These free training programs are already being used by many districts.

Knowledge is power–and stronger security

As long as there are school IT teams working with few human and financial resources, there will be cyber adversaries trying to take advantage and break into school networks. This requires a two-pronged approach: technology and training. Because students have network access, they need to learn how to use it safely and responsibly–IT does not bear the sole responsibility for cybersecurity.

Individual cyber hygiene plays a huge role in helping to defend the network. Training for students, teachers, and staff will help IT teams keep the bad actors out and will ultimately help create a cyber-savvier generation.

Related:
4 back-to-school cybersecurity tips
Education suffers the highest rate of ransomware attacks

Key points:

• Both K-12 and higher-ed reported alarmingly high rates of ransomware attacks in 2022
• Survey results show that paying ransoms increases recovery times
• See related article: Defending against the most common cyberattacks
• Learn How to Lower Cybersecurity Threats to Your School

Education reported the highest rate of ransomware attacks in 2022, and over the past year, 79 percent of higher-ed organizations surveyed reported being hit by ransomware, while 80 percent of K-12 organizations surveyed were targeted—an increase from 64 percent and 56 percent in 2021, respectively.

These statistics come from The State of Ransomware in Education 2023, a report from cybersecurity provider Sophos.

Additionally, the education sector reported one of the highest rates of ransom payments, with more than half (56 percent) of higher-ed organizations paying and nearly half (47 percent) of K-12 educational organizations paying the ransom. However, paying the ransom significantly increased recovery costs for both higher-ed and K-12 educational organizations. Recovery costs (excluding any ransoms paid) for higher-ed organizations that paid the ransom were $1.31 million when paying the ransom versus $980,000 when using backups. For K-12 educational organizations, the average recovery costs were $2.18 million when paying the ransom versus $1.37 million when not paying.

Paying the ransom also lengthened recovery times for victims. For higher-ed organizations, 79 percent of those that used backups recovered within a month, while only 63 percent of those that paid the ransom recovered within the same timeframe. For K-12 educational organizations, 63 percent of those that used backups recovered within a month versus just 59 percent of those that paid the ransom.

“While most schools are not cash-rich, they are very highly visible targets with immediate widespread impact in their communities. The pressure to keep the doors open and respond to calls from parents to ‘do something’ likely leads to pressure to solve the problem as quickly as possible without regard for cost. Unfortunately, the data doesn’t support that paying ransoms resolves these attacks more quickly, but it is likely a factor in victim selection for the criminals,” said Chester Wisniewski, field CTO, Sophos.

For the education sector, the root causes of ransomware attacks were similar to those across all sectors, but there was a significantly greater number of ransomware attacks involving compromised credentials for both higher-ed and K-12 educational organizations (37 percent and 36 percent respectively versus 29 percent for the cross-sector average). 

Additional key findings from the report include:

• Exploits and compromised credentials accounted for more than three-fourths (77 percent) of ransomware attacks against higher-ed organizations; these root causes accounted for more than two-thirds (65 percent) of attacks against K-12 educational organizations
• The rate of encryption stayed about the same for higher-ed organizations (74 percent in 2021 versus 73 percent in 2022), but increased from 72 percent to 81 percent across K-12 educational organizations during the past year
• Higher-ed organizations reported a lower rate of using backups than the cross-sector average (63 percent versus 70 percent). This is the third lowest rate of backup use across all sectors. K-12 educational organizations, on the other hand, had a slightly higher rate of using backups than the global average (73 percent)

“Abuse of stolen credentials is common across sectors for ransomware criminals, but the lack of adoption of multifactor authentication (MFA) technology in the education sector makes them even more at risk of this method of compromise. Like the U.S. federal government’s initiative to mandate all agencies use MFA, it is time for schools of all sizes to employ MFA for faculty, staff and students. It sets a good example and is a simple way to avoid many of these attacks from getting in the door,” said Wisniewski.

Sophos recommends the following best practices to help defend against ransomware and other cyberattacks:

• Strengthen defensive shields with:
  • Security tools that defend against the most common attack vectors, including endpoint protection with strong anti-exploit capabilities to prevent exploitation of vulnerabilities, and Zero Trust Network Access (ZTNA) to thwart the abuse of compromised credentials
  • Adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond
  • 24/7 threat detection, investigation and response, whether delivered in-house or by a specialist Managed Detection and Response (MDR) provider
• Optimize attack preparation, including making regular backups, practicing recovering data from backups and maintaining an up-to-date incident response plan
• Maintain good security hygiene, including timely patching and regularly reviewing security tool configurations

This press release originally appeared online.

Related:
IBM grants $5 million for cybersecurity, enhanced skilling on AI
Preparing for ransomware attacks begins with education

Key points:

• IT teams face a major challenge: protect school networks with limited budget and personnel
• Experts say it’s no longer a matter of if a school gets attacked, but when
• See related article: Are ransomware attacks the new snow days?
• Learn How to Lower Cybersecurity Threats to Your School

Due to budget and resource constraints, many schools and other academic organizations are only able to implement very basic cybersecurity tools and processes, and this leaves them extremely vulnerable to cyberattacks.

We’ve seen this play out over the past 12 months with high-profile attacks on school districts in Los Angeles, Minneapolis and Tucson, Ariz., among many others. And, because cybercriminals can compromise school networks for big gains with very little effort, we expect attacks on education will only increase.

As the new school year quickly approaches, IT and security teams face a seemingly overwhelming task: protect school networks with limited budget and personnel. The good news is that there is some basic blocking and tackling that can significantly help schools build a strong cybersecurity and cyber resilience foundation, including:

1. Mandating strong passwords. It’s easy to choose a simple password or to repeat passwords across accounts for memory’s sake, but the consequences of doing so can be severe. In fact, according to the FIDO (Fast Identity Online) Alliance, passwords are the root cause of more than 80 percent of data breaches. Educating students and staff about the importance of strong, hard-to-guess passwords cannot be overstated. Research shows that a 12-character password could take 27,000 years to crack and cost hackers $6.4 trillion to do so. Mandating strong passwords is a simple, cost-effective way to strengthen a school’s cybersecurity posture.

For schools that are able to take credentials management one step further, multi-factor authentication is a great option. MFA is a method of authenticating into an account that requires users to present at least two pieces of evidence to prove their identity — something they know (e.g., a password) as well as something they have (e.g., an authentication code via text or email) or something they are (e.g., facial recognition or a fingerprint scan).

2. Implementing a data backup solution. While this will certainly be an upfront investment, it will pay dividends over the long-term. Having backups of your school’s and students’ data can be extremely beneficial for compliance and business purposes, and it can also be extremely valuable in a ransomware attack – where cybercriminals access data, encrypt it and then demand schools pay a ransom to decrypt it. Many schools that don’t have a data backup solution in place pay the ransom in the hopes they’ll get their data back, but this is money out of their pocket they can’t afford to lose, and worse yet, paying the ransom does not guarantee access to the data. However, if you’re the victim of a ransomware attack and have a data backup solution in place, you can evade the ransom demand by simply falling back to the backup version.

3. Taking a security-in-depth approach. Where possible, schools should take a multi-layered approach to security, including using firewalls, anti-virus solutions, anti-malware software, and encryption. Cybercriminals don’t want to work hard to infiltrate a target, so security-in-depth is an impactful deterrent that can help fend off today’s sophisticated hackers.

4. Prioritizing cybersecurity awareness and training. Students and staff are the first line of defense in network security, and they can’t do their part if they aren’t aware of the threats facing them or the actions to take if they suspect they are a victim of an attack. IT and security teams need to make them part of cybersecurity efforts by offering ongoing cybersecurity awareness and training. The best way to get them to pay attention and remember what they learn is to offer short, engaging training sessions on a regular basis, rather than long, drawn-out presentations once a year.

All this said, we’re living in a world where it’s no longer a matter of if a school gets attacked, but when. In this reality, it’s so important that schools have an incident response plan in place, so they know how to react following a successful incident and can do so quickly. Communicating to affected families should be a big part of this plan. Timeliness and transparency are key following an attack. Victims need to know the nature of the attack, what data was compromised, what the school is doing to remediate the problem, and the steps they should take to protect their personal information. From an internal perspective, schools need to take the incident as a learning opportunity – identifying what went wrong, so they can put the right people, processes and technologies in place to prevent a similar attack from happening again.

The bottom line is schools can suffer severe consequences from a cyberattack, including disrupted instruction, impaired operations, financial losses to address the incident, and the exposure of stakeholders’ personal information. By focusing on achievable cybersecurity basics, schools can fight back by building a solid security and resilience foundation that can help them defend against cybercriminals to keep their teachers, administrators, students and families safe.

Related:
Key tips to help educators thwart cyberattacks
Cybersecurity, like charity, begins at home 

Key points:

• A lack of collaboration in schools is increasing cybersecurity risks
• Most district leaders and administrators agree K-12 schools face higher risks for cyberattacks than ever before
• See related article: The essential guide to 2FA for schools
• Learn How to Lower Cybersecurity Threats to Your School

Cyber threats against K-12 school districts are on the rise, yet only minimal steps are being taken at the local level to safeguard district technology assets and student information, according to a new research report from Project Tomorrow and iboss, a Zero Trust Edge cloud security provider.

The report, Why A Different Cybersecurity Ecosystem Is Needed Today, details findings from K-12 district, technology, and communications leaders on the cybersecurity challenges they’re facing today.

The report serves as a call to districts to implement a cross-organizational strategy and a new cybersecurity ecosystem to combat the present and future threats to the security of their district technology assets—and, crucially, their students. Additionally, the report encourages districts to incorporate cybersecurity best practices into sustainable new policies and procedures in order to adequately protect district digital assets, including student and staff personal data.

The findings should alarm school district leaders and parents, as cybersecurity incidents in schools can put student information at risk of being stolen, cripple emergency communications systems, and potentially shut down schools entirely.

This year saw high profile incidents that impacted Baltimore, Minneapolis and Des Moine school districts among others. The data concludes that:

• Districts are acutely aware of the risks: 85 percent of district technology leaders and 84 percent of district administrators now agree that our nation’s K-12 schools are a higher risk now for a cyber attack than ever before. And, according to nearly half of district technology leaders (45 percent), balancing the access to online or digital educational resources with their security concerns about certain products or usage behaviors is a significant challenge.

• Little preparation is happening: Only half of district technology leaders report that they have conducted a security audit within their district to identify risks and assess preparation levels for a cyberattack. Additionally, only 37 percent of technology leaders who said they conducted a security audit say they are dictated by district policy and conducted annually.

• A lack of collaboration is partially to blame: Over two-thirds of district technology leaders (67 percent) say that ownership of cybersecurity within their district rests wholly with the IT Department. Only 32 percent say that cybersecurity is a shared responsibility across the district leadership team with collective accountability.

• Best practices may be the answer: According to nearly half (49 percent) of district technology leaders, what is needed most urgently today is education on best practices for K-12 cybersecurity. Other consensus calls for cyber threat preparation assessments (42 percent), buy-in from district leadership (42 percent), and increased funding for cybersecurity (39 percent).

Translating the awareness of cyber threats into actual support on the district level continues to be difficult. However, the district leaders surveyed contributed potential solutions to combat apathy, including continued education about the reality of cyber risks, full and regular risk assessments, and implementing small procedural changes to obtain buy-in and demonstrate successful results.

“With cyber attacks it’s not a matter of if, but when,” said [DISTRICT TECHNOLOGY LEADER] “It will happen, but the severity and extent of the attack, response, and remediation will show how well-prepared the district is. With our district response plans, everyone is involved and informed. I believe being upfront and honest in the event of an attack should be the general disposition of every district”.

“I’ve worked in both the tech and non-profit education sectors and found that enterprises have much greater awareness of cyber risk and are more willing to take action than schools,” said Dr. Julie A. Evans, CEO of Project Tomorrow. “This might be because historically, technology departments at schools have had little interaction with other departments. That has to change. IT teams must work cooperatively with administration and other departments to share their knowledge to prevent further breaches and attacks.”

Related:
Key tips to help educators thwart cyberattacks
Are ransomware attacks the new snow days?

Key points:

• Zero trust is akin to modern, agile defense systems that scrutinize every object seeking entry
• Embracing zero trust is an investment in a school’s future–and also a commitment to safeguarding knowledge and innovation
• See related article: Bolstering cybersecurity with zero trust
• Learn How to Lower Cybersecurity Threats to Your School

Educators and administrators are holding their breath at the dawn of another academic year. They are well aware that schools are increasingly targeted by hackers, with 1 in 4 falling victim to cyberattacks in the past 12 months.

These hallowed halls of knowledge store vast amounts of sensitive data, from student records to financial information. Consequently, this makes them attractive targets. To make matters worse, growing connected device networks and remote learning opportunities present even more vulnerabilities.

A paradigm shift from traditional perimeter-based security to a more robust and dynamic approach is increasingly necessary. As a result, zero trust is gaming ground across all sectors as today’s go-to cybersecurity approach. For example, the White House is ordering all civilian government agencies to establish and implement a zero trust plan by the end of next year. Let’s explore why schools should follow this lead.

Leveraging zero trust in education

The traditional approach to cybersecurity revolves around perimeter-based security, a method that trusts anything within the organization’s boundaries. But as threats grow in sophistication, so must cybersecurity. Instead of fortifying the perimeter like medieval castles, zero trust is akin to modern, agile defense systems that scrutinize every object seeking entry.

Continuous verification inspects all users and devices before granting access to resources. This approach adds an extra layer of protection by requiring multifactor authentication and limiting access based on the principle of least privilege. Additionally, continuous monitoring and logging provide institutions with real-time insights into potential threats, enabling swift responses to mitigate risks.

Embracing this framework guards against both internal and external threats. This is especially important as educational institutions often struggle with vulnerabilities introduced by human error, unauthorized personal devices, and third-party applications.

Another vital aspect is zero trust’s granular access controls. These ensure that only authorized personnel can access intellectual property and research data. By segmenting networks and implementing strict authentication measures, zero trust helps prevent data breaches and unauthorized theft of sensitive information. Continuous monitoring also allows for the swift detection of suspicious activity, further safeguarding vital data.

Finally, let’s consider the widespread adoption of remote and hybrid learning models. While these advancements offer benefits, they also introduce new security challenges. With students and faculty accessing educational resources from various locations and devices, traditional security measures become inadequate.

Zero trust is well-suited for this modern learning landscape as it accommodates the dynamic nature of remote and hybrid learning. How? By verifying identities, managing access rights, and continuously monitoring activities. In this way, zero trust ensures secure and seamless access to resources regardless of the user’s location or device.

The implementation challenges and considerations

Of course, deploying any solution or framework will always pose an obstacle or two. The initial costs and resources needed for deploying this new framework warrant some concern. However, the global average data breach costs roughly $4.3 million – a fraction of implementation.

On the technical side, educational institutions – especially those with limited IT resources – might see zero trust as a hurdle. Careful planning and partnering with cybersecurity experts can substantially reduce the hassles of implementation and ensure a smooth transition.

Another obstacle is choosing between a single-vendor solution or multiple solutions across vendors. Choosing a single provider offers simplified implementation and management policies, but that route sacrifices flexibility and customization. If you have the IT resources, always go for multiple vendors. It will allow you to customize your framework to your needs and help you actualize a more holistic and complete version of zero trust.

When choosing the latter path, some tools and solutions help put zero trust’s fundamental concepts into action. Start with identity and access management and zero trust network access for your identity and authentication needs. Then consider data and cloud security tools like data loss prevention solutions and next-gen firewalls. 

Finally, secure your endpoints with a unified endpoint management solution and an endpoint protection platform. Additionally, extended detection and response tools allow you to respond swifter with better efficiency.

The time for cybersecurity action is now

The effort is worth it. Educational institutions are hubs of innovation, research, intellectual property creation, and private data. The loss or compromise of that property can have severe consequences, not only financially but also for the institution’s reputation and future prospects. 

Adopting zero trust principles allows schools to significantly enhance their cybersecurity posture, ensuring a safe and secure learning environment for students, faculty, and staff. Zero trust might seem like rocket science to some, but with the right allies and tools, it’s more like building a sandcastle on the digital beach – fun, challenging, and ultimately rewarding.

Embracing it is not only an investment in the institution’s future but also a commitment to safeguarding the integrity of knowledge and innovation for generations to come. One glance at the cybersecurity landscape shows this is the path forward. After all, if it’s good enough for the government, it’s good enough for your school.

Related:
Discover the five steps towards a zero trust campus network
Strategies to help IT leaders combat imminent cyberattacks

Key points:

• The FCC is calling attention to the urgent need for more tools–including funding–to combat K-12 cybersecurity risks
• A new proposal would allocate up to $200 million over three years to harden cyber defenses and determine the most effective methods to protect schools and libraries
• See related article: Are ransomware attacks the new snow days?
• Learn How to Lower Cybersecurity Threats to Your School

Federal Communications Commission Chairwoman Jessica Rosenworcel is asking her fellow Commissioners to support a proposal that would take further steps to enhance cybersecurity protections to protect school networks.

In a speech before the School Superintendents Association and the Association of School Business officers, Rosenworcel said she would be sharing with her colleagues a plan to create a pilot program to invest in cybersecurity services for eligible K-12 schools and libraries.

“With the growing number of sophisticated cyberattacks on schools and especially the rise in malicious ransomware attacks that harm our students, now is the time to take action,” said FCC Chairwoman Jessica Rosenworcel. “We’re proposing a significant investment of up to $200 million over three years to harden the cyber defenses and determine the most effective methods to protect our schools and libraries. Our pilot program will work in tandem with federal agency partners that have deep expertise in this area.”

While addressing the pressing need for K-12 cybersecurity defenses is essential, some industry experts caution that more is needed to support these measures.

“While the proposal is a promising start, it lacks the necessary groundwork for enduring impact,” said Doug Thompson, chief education architect at Tanium. Thompson identified three key limitations that may undermine its success without proper support: 

1. Sustainability post-pilot: The initiative is set as a 3-year pilot, raising concerns about its sustainability. Schools taking advantage of the funding to either establish or enhance their programs might find themselves in a predicament once the financial support ends, Thompson said. When considering advanced technologies, which often necessitate annual subscriptions or SaaS, schools might be unable to maintain these services without external funding. This lack of long-term financial commitment can deter schools from investing in temporary solutions. The recent history of COVID funds serves as a cautionary tale. Many schools, uncertain of sustained funding, only spent the COVID relief money on expenses they knew they could cover over time, avoiding long-term commitments. The absence of an enforcement mechanism in the proposal further diminishes its attractiveness to potential participants. 

2. Staffing and bandwidth: Schools often struggle with insufficient IT staff, and this proposal does not address this issue. Implementing advanced cybersecurity measures requires specialized skills that are hard to find and retain, especially given schools’ budget limitations. Without addressing this, the proposal may inadvertently strain already overburdened school IT departments, he noted. 

3. Outdated E-Rate program: “I’ve long argued that the E-rate program needs an overhaul. The current focus on telecommunications infrastructure does not prioritize cybersecurity. It’s an outdated approach, like building roads without considering safety measures,” Thompson added.  

A more holistic approach, which Thompson refers to as “whole of state,” is a potential solution. “This strategy would consider all state-owned devices and leverage state resources more effectively, avoiding the silo effect. This model mimics strategies used by global enterprises,” he said. “Unfortunately, technical solutions are only one piece of the puzzle. The real challenge lies in changing the policies, procedures, and cultures to support this new paradigm–a change that will require time, dedication, and courage.”

The proposal is another step in Rosenworcel’s recently launched Learn Without Limits initiative to modernize the E-rate program, which was established in 1996 to provide funds to libraries and schools for basic internet connections. Learn Without Limits was kicked off at a June 26 speech Rosenworcel gave at the American Library Association’s annual conference, where she called on her fellow Commissioners to support new efforts to allow E-rate funding to support Wi-Fi support on school buses. The goal is to provide connectivity to students living in rural areas who spend long hours on school buses to get back and forth from school.

Rosenworcel’s second phase of Learn Without Limits calls on her fellow commissioners to support a proposal allowing E-rate funding to support provision of Wi-Fi hotspots so that libraries, school libraries, and schools can check them out to patrons or students in need in the same way they check out libraries and other learning materials to patrons.

The third phase of Learn Without Limits is a Notice of Proposed Rulemaking, that seeks comment on structuring a pilot program to support cybersecurity and advanced firewall-related services for eligible K-12 schools and libraries. The Commission has been closely looking at this issue for years, and in December 2022 put out a notice seeking public comment whether to add advanced firewalls or other network security services as E-rate eligible services.

This most recent proposal would establish the pilot program within the Universal Service Fund, but separate from the E-rate program, to ensure gains in enhanced cybersecurity don’t come at a cost of undermining E-rate’s success in promoting digital equity.

The Notice of Proposed Rulemaking will require a full vote of the Commission, and the text of proposal will be released upon their adoption.

This press release originally appeared online.

Related:
Key tips to help educators thwart cyberattacks
Cybersecurity, like charity, begins at home 

Key points:

• Schools are popular targets for cyberattacks, but two-factor authentication can help protect data
• When implementing 2FA, schools should consider integration with existing systems, enhanced accountability for student activities, and preventing password sharing
• See related article: Key tips to help educators thwart cyberattacks
• Learn How to Lower Cybersecurity Threats to Your School

Education heavily relies on digital infrastructure, making it a hot spot for malicious activities. Check Point’s 2022 Mid-Year Report reinforces the urgency to secure educational institutions, highlighting a crazy 44 percent surge in cyberattacks aimed at the education sector compared to 2021. On average, schools suffered 2,297 attacks per week. That’s alarming, indeed.

The solution? Verify the identity of anyone with access to a school’s network. In this article, we’ll discuss how two-factor authentication (2FA) helps protect data in schools, compliance with 2FA in educational institutions, and the key features a 2FA solution should have for schools.

How does 2FA help protect sensitive data in schools?

Nearly all attacks require access to a school’s environment via a login–2FA helps prevent attacks on schools by fortifying login management.

How exactly does 2FA protect the login? 2FA goes beyond the password to require something the user knows (password) plus something they know or possess (hardware key or token, authenticator application). This two-layered approach ensures only authorized users access a school’s systems.

Why schools need 2FA for compliance

Why do schools need to fortify their login management? Schools often need 2FA to meet compliance standards, including the following:

• Cyber insurance: Many cyber insurers now require multi-factor authentication (MFA) for schools. It’s also expected that MFA is or will soon be a prerequisite to access the best insurance rates.
• GLBA: Many schools need to comply with GLBA, which necessitates adherence to the NIST 800-171 guidelines. MFA stands out as one of the key security measures. Schools often must ensure compliance to maintain eligibility for federal or research grants.
• PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) applies to schools and universities that process, store, or transmit payment card data. While PCI DSS currently recommends MFA as a best practice, it will become a requirement after March 31, 2025. After that, schools without MFA risk hefty compliance fines that could drain organizational resources. In fact, each person affected by a data breach could cost schools anywhere from $50 to $90 in fines.
• K-12 Cybersecurity Act: The K-12 Cybersecurity Act was signed by President Joe Biden in 2021. This act aims to provide schools with improved access to cybersecurity resources and better tracking of cyberattacks on K-12 institutions nationwide. It recommends MFA to verify user identity before any access to school data.
• FERPA: FERPA (Family Education Rights and Privacy Act) is a federal law that safeguards student information and records. Unlike other federal regulations, FERPA doesn’t mandate specific security controls. Instead, it encourages innovation while placing the responsibility on the community to safeguard student data privacy and security. So, although FERPA documentation doesn’t explicitly mention MFA, implementing MFA aligns with FERPA’s authentication requirements for protecting data.
• HIPAA: Elementary and secondary schools generally don’t have to follow the Health Insurance Portability and Accountability Act (HIPAA) rules. For universities, it depends: If a hospital runs a student health clinic for the university, FERPA applies. If students get healthcare from a university hospital, HIPAA applies.

How does 2FA for on-premise Active Directory help schools?

When implementing 2FA for schools, there are three main factors to consider:

1. Integration with existing systems: Many schools operate on legacy systems like Active Directory. 2FA should easily integrate with the school’s existing on-premise Active Directory to ensure a smooth transition and minimize extra work for the IT department.
2. Prevention of simultaneous sessions and password sharing: 2FA can help prevent simultaneous sessions and password sharing among students. This measure also prevents students from logging into multiple computers simultaneously, ensuring secure and individualized access.
3. Enhanced accountability for student activities: 2FA makes students accountable for their actions within the school’s digital environment. Whether it’s a harmless prank or a more serious insider attack, any activity within the institution’s resources can be traced back to a user. This accountability discourages malicious behavior and encourages all users to be careful.

What do schools need in a 2FA solution?

1. Granular MFA

IT teams at educational institutions should look for granular control over MFA application, allowing them to set policies based on IP address, group or OU, device, or location. This ensures a streamlined and user-friendly MFA experience.

2. Single sign-on

Combining MFA methods with single sign-on (SSO) streamlines the authentication process, addressing the common concern that MFA is time-consuming and disrupts productivity. Simplifying MFA for access to cloud apps provides a secure, unified access experience for students and employees.

3. Comprehensive session type coverage

The solution should support MFA across various session types, including remote connections. MFA should be applied on Windows Login, RDP & RD Gateway, VPN, IIS (OWA, RDWeb, Sharepoint), offline scenarios, out-of-network “offline domain access,” cloud applications with SSO, and virtual desktop (VDI) environments like Microsoft, Citrix, and VMWare.

4. Flexibility

Look for flexibility to choose authentication methods based on specific needs of students and employees. This includes options like authentication applications, as well as programmable hardware tokens like YubiKey and Token2.

5. Real-time monitoring

IT administrators will want immediate access to real-time user activity, so they can identify and react to security risks.

6. Easy adoption

A user-friendly 2FA solution eliminates the need for extensive training for students, staff, or faculty. Its straightforward implementation ensures easy adoption.

7. Cost-effectiveness

Schools and other educational organizations need to be smart with their budgets. That’s why it’s important for them to invest in a cost-effective 2FA solution. It helps them get the most out of their money while still keeping their security strong.

2FA for schools mitigates risk of a breach

Schools’ user accounts are vulnerable to unauthorized access without 2FA. This can potentially result in sensitive information exposure, as well as penalties for failure to meet compliance standards. By limiting the scope of access, 2FA effectively stops the threat actor before they can do any harm.

Related:
Are ransomware attacks the new snow days?
Cybersecurity, like charity, begins at home 

Key points:

• Some of the most school budget-friendly security tools aren’t a match for ransomware
• The bottom line: Schools need more funding to adequately thwart ransomware attacks
• See related article: Preparing for ransomware attacks begins with education

In early January, the Des Moines Public Schools, the largest school district in the state of Iowa, fell victim to a ransomware attack that forced the district to take its network offline and students to miss more instructional time.

In addition to the disruption to operations, the district discovered that the attackers compromised the personal data of nearly 7,000 individuals, putting them at increased risk of identity theft and other crimes.

This is just one attack among hundreds as ransomware gangs relentlessly target the education sector. Disruptive ransomware attacks against the education sector have become so commonplace that they are likely to cause more school closures than weather-related incidents.

In fact, the number of attacks against schools is so high that the month of June was on pace to go down in the record books for the highest volume of disclosed attacks against education organizations to date.

A problem with few solutions

The Cybersecurity and Infrastructure Security Agency (CISA), which oversees protecting government agencies and our nation’s critical infrastructure, recently issued an alert about the growing risk to the education sector from ransomware attacks.

CISA also released updated guidelines for K-12 organizations, which is good. The problem is that guidelines cannot protect schools from ransomware attacks, and they do not provide any additional resources to help stem the tide of attacks on schools.

Ransomware groups continue to victimize the education sector simply because they are easy targets. The fact is, most schools lack the appropriate funding to stand up and maintain even the most basic security programs, let alone one that can go head-to-head with highly skilled threat actors.

Combine this with the fact that legacy security tools that are affordable to the education sector, like legacy Antivirus (AV) and more advanced solutions Endpoint Detection and Response (EDR) tools, are simply not capable of addressing the unique threat that ransomware presents.

Most every organization that reports being a victim of a ransomware attack was victimized despite having these security tools deployed. Ransomware operators and other threat actors routinely bypass, blind, evade, or otherwise circumvent these defenses with relative ease.

These factors together are why we keep seeing disruptive ransomware attacks causing school closures. And even if they had better endpoint protection solutions to assist them, schools would still lack the staff to effectively manage the attacks and realize any benefits in protecting their infrastructure.

Worse yet, these students whose personal information is stolen will continue to be at risk of identity theft and financial fraud well into the unforeseeable future. Ransomware attack trends that include the theft of sensitive data will continue unabated until the profit motives for the threat actors are eliminated. This is organized crime we are dealing with; they only care about bringing pain to victims for their own financial gain.

Security is not a state of being; it is a daily exercise that must include not just the right technology, but the right people and processes as well. But these all require funding, and the education sector already struggles with funding even the most basic functions required to educate students, let alone stand up a security program that can address today’s complex, multi-stage attacks.

Schools need more resources and expertise

To protect critical systems and sensitive data, organizations in the education sector must first reevaluate what kinds of data they collect and store, for how long, and where/how it is stored. Eliminating the unnecessary storage of sensitive data will make schools a less attractive target to attackers and help reduce risk after an attack.

Because the options for detection and prevention are limited for the education sector, they should focus on implementing a resilience strategy and assume they will be the victim of a successful attack with contingencies in place to recover as quickly as possible.

This approach includes endpoint protection solutions, patch management, data backups, access controls, staff/student awareness training, and organizational procedure and resilience testing to be successful.

For the technology aspect of a robust defense, organizations require adequate funding to implement Endpoint Protection (EPP) solutions, because they will catch some commodity attacks. If possible, they should also deploy an anti-ransomware solution alongside existing endpoint solutions (NAV/GAV/EDR/XDR) to bridge the gaps in ransomware-specific coverage.

They also need to ensure they have a good Patch Management program to keep all software and operating systems up to date and free from exploitable vulnerabilities. They should also assure that all critical data is backed up offsite and protected from corruption in the case of a ransomware attack.

For the people aspect, organizations should ensure they have adequate Access Controls in place by implementing network segmentation and policies of least privilege (Zero Trust). Additionally, they should have an active Security Awareness program to educate staff and students about risky behaviors, phishing techniques, and other social engineering techniques attackers use to gain access to a network.

On the process front, organizations need to implement regular Resilience Testing that can stress-test security solutions against simulated ransomware attacks to assure effective detection, prevention, response, and full recovery of targeted systems. Furthermore, they need to also conduct regular Procedure Testing where they can prepare for failure of their defenses by running regular tabletop exercises that include all stakeholders to ensure they are ready and available to respond to an attack at all times.

The takeaway

We will never be able to stop ransomware attacks, but we can prevent attackers from achieving all their objectives by taking care to prevent the exfiltration of sensitive data, by blocking the execution of the ransomware payload, and by having the capabilities in place to rapidly recover systems and data by minimizing any potential downtime.

But schools cannot do this without adequate funding. Guidelines are an important first step to protecting our educational institutions from the impact of ransomware attacks, but they cannot implement guidelines if they do not have the prerequisite resources and skilled personnel.

If we are serious about protecting our education sector, preventing school closures due to ransomware attacks, and protecting our students from the risk of identity theft, we need to bite the bullet and make sure schools have the funding they need to be successful in the face of well-resourced attackers.

It comes down to a choice, and whether we want to collectively invest in protecting our schools and students from cyber snow days or continue with the status quo.

Related:
Defending against the most common cyberattacks
Safeguarding K-12 school networks with proactive cybersecurity approaches

Key points:

• There are simple and proven tactics to help schools avoid common cyberattacks
• Remaining vigilant and knowledgeable helps educators form safe habits to dodge cybercriminals
• See related article: Defending against the most common cyberattacks

It’s not a topic we’re unfamiliar with: Criminal hackers are increasing their activity and they’re targeting K–12 schools, threatening districts with damaging financial and learning-downtime costs. The K12 Security Information Exchange (K12 SIX) tracks publicly disclosed school cyber incidents and reports an average rate of more than one K–12 cyber incident per school day across U.S. public schools.

With increased cyberattacks, the idea of a potential threat to a school or district feels daunting to ward against, but, more often than not, these simple tactics outlined below can support educators thwart some of the most common attacks.

Know the formats

Before we can discuss tactics to avoid the traps of cyber-criminals, we first must address the forms these attacks can take. Primary types of incidents range from student-data breaches, denial-of-service (DoS) attacks, business email compromise scams, and online class and school meeting invasions. Fortunately, two of the most common attacks reported—phishing and ransomware incidents—can in many cases be easily prevented by attentive users.

In phishing attacks, the hacker tries to trick you into clicking on a link or attachment in an email or text that appears legitimate but is actually malicious. The goal is to extract or deceive you into disclosing private information. Ransomware, on the other hand, is a form of malware that infects your system, locks access to your data or computer, and demands that you pay a ransom to unlock it. While the costs of these incidents can be devastating, being aware of the shape they can take will support you whenever you’re working online.

Stay vigilant

Don’t be lulled into mindless clicking—on web addresses, emails, texts, or attachments. Stay alert. Train yourself, for example, to routinely hover your pointer over email addresses and unknown links so you can see the full link and verify if they’re legitimate before you click. Never click on a link in a pop-up ad or email unless you’re sure of the source.

Here are some other things you should—or shouldn’t—do to help prevent phishing attacks:

• Keep anti-virus and spam software updated on all your devices. Usually, you can update settings and status by clicking on the program icon. It’s worth the time to periodically make sure you have the latest versions.
• Beware of fake orders. Before you call a telephone number or click on a link asking you to confirm a product or service purchase, make sure it’s something you ordered. This common scam is an attempt to steal your credit card number or other sensitive personal data.
• Cover your webcam to keep unauthorized apps from recording you and your work environment. Use duct tape, washi tape, sticky notes, slide covers—they all do the job.
• Avoid participating in social media polls, quizzes and chain posting.
• Lock your computer screen whenever you move away from it. It’s an easy step, and some systems even let you set up automatic locking. Your IT administrator can help you determine the best method for your work setting and habits.
• Do not conduct business on public Wi-Fi accessible in coffee shops, malls, or other public spaces. While many locations utilize encryption and other security technology, don’t take the chance that the one you’re visiting is not up to date. Enjoy your latte but skip the offsite work.
• Always secure your device in a safe place.

“I clicked it, now what?”

Unfortunately, relentless hackers do sometimes trip up even the most diligent of users. If you discover you’ve clicked on a malicious link, suspect a data breach, lost a device, or have one stolen, here’s what you can do to minimize the impact:

• Notify your IT department immediately
• Run a security scan on any impacted device(s)
• Change your passwords
• Report identity theft to IdentityTheft.gov 
• Report fraud to the Federal Trade Commission or phishing to the Anti-Phishing Working Group

Finally, don’t neglect to configure the privacy settings on all the devices you use at home and in school. Typically accessed under a heading such as “Profile,” “Account,” or “Settings,” options let you set up sharing and connecting parameters, manage your public visibility and create your passwords and protection. Whenever the option is available, always choose two- or multi-factor authentication.

Following these basic steps and staying vigilant will help outsmart the hackers determined to target your school systems and data. We are all responsible for cybersecurity and the safety of our information and our students’.

Related:
Preparing for ransomware attacks begins with education
Safeguarding K-12 school networks with proactive cybersecurity approaches

Key points:

• Cybersecurity is a risk to anyone with a device–no matter their age
• Children are uniquely vulnerable, and strategies like password managers and open communication can help shore up strong cybersecurity practices
• See related article: Preparing for ransomware attacks begins with education
• Learn How to Lower Cybersecurity Threats to Your School

We are living at a time when many of the most advanced, profitable, technologically-sophisticated companies in the world are barely treading water when it comes to cybersecurity. With that being the case, what chance do our children have of staving off these threats?

More than half of U.S. children now possess their own smartphone by the age of 11. And long before they have a device of their own, they’re using their parents’—to play games, to watch movies, to do their homework. That’s not to mention the panoply of devices they interact with at school, at friends’ homes, at after-school activities — on and on and on.

Each one of these devices represents the risk that a child will surrender vulnerable information, accidentally install malware, or worse. Today’s cybercriminals are relentless, operating at unprecedented scale and seeking advantage wherever they can find it. Children—the most vulnerable among us—are an irresistible target to these bad actors. It’s no surprise, then, that one in four young people will experience identity theft or fraud before they reach the age of 18.

This isn’t necessarily a reason to panic. The benefits of our connected world far outweigh the risks presented by cybercriminals. It is, though, a reason to really talk to your child about the reality of scams online—to teach them what to look out for and present them with a realistic sense of what the risks are. Because fundamentally, proper cybersecurity— like charity — should begin at home.

Talk to your children about cybersecurity

Again: there’s no use in trying to frighten your child. The doom-and-gloom approach might be counterproductive when it comes to instilling the value of proper online safety. Instead of detailing worst-case scenarios, try instead to speak in a level-headed way about what to look out for when they’re using social media or playing internet-connected games.

Some of the advice here is straightforward and applies just as well to adults. Be guarded when communicating with strangers, especially on online chat platforms and social media; if you receive a message from someone claiming to be a friend or family member, make sure to verify their identity; avoid strange links and stay alert to requests that are really urgent or try to make you scared; etc., etc.

At the same time, parents should be checking their children’s devices regularly to make sure everything is in order. Have any strange apps been installed? Do you recognize everyone your child is interacting with? Are they visiting websites they shouldn’t be? It can be hard to stay vigilant about this after a long and hectic day of parenting, but if you make it a part of your routine—say, a quick five-minute check every evening—it can be an easy way to ensure your child is out of harm’s way online.

Use a password manager

Three out of four adults struggle with passwords — so how can we expect our children to create a unique, complex password and not share it with others?

One of the best ways to eliminate password complexity for children is to use a password manager for the whole family. A password manager is an application that is designed to store and manage online login information in an encrypted database. Most password managers have family plans that allow you to have private vaults for just your accounts, and shared vaults you can share with your partner for joint or kids accounts. After all of your family members’ login information has been stored in the app, each person needs to remember just one master password. In case you are worried about forgetting your master password, write it down on an “emergency kit” document and lock it away with your other important documents that you can grab quickly in an emergency. For example, we keep our important documents, passports, etc. in a locked, portable firebox.

Stay firm about online rules, but avoid blame

Of course, getting proactive means not just educating your children on the best safety practices, but actively minimizing the risk that they’ll end up in a hazardous situation in the first place.

Primarily, that means making extensive use of parental controls. Whether it’s a video game console, a smart TV, or your child’s smartphone or web browser, there are invariably limits you can set—on screen time, on who your child can interact with, on what games or apps they can or cannot use.

But it also means barring your child from using certain platforms before they reach a certain age. This can be difficult, especially if your child has friends who use the same platform—peer pressure can exert a strong and not always productive force on the decisions we make for our children.

My best advice is to stay firm while at the same time being compassionate and reasonable, explaining the situation in terms your child can understand. Explain why you think they’re not quite ready to use a platform like (for instance) Discord. Show them news stories about gift card scams that plague adults and youth alike and make it impossible to get their hard earned money back from the scammer.

Most importantly: never condescend, and, if and when your child does become the victim of a cyberattack, try your hardest not to come down on them. By being patient with your child if and when the worst does come to pass, and creating an environment in which they feel comfortable coming to you with similar issues, you can prevent even worse problems down the line.

The fact is that everyone—children and adults—could stand to have better cybersecurity practices. After all, the majority of the 236.1 million people targeted by ransomware attacks last year were not children. Children just happen to be uniquely vulnerable—a fact that cyberattackers are more than happy to exploit. If we want to turn the tide against these malevolent actors, we need to bring cybersecurity education into the home.

Related:
Safeguarding K-12 school networks with proactive cybersecurity approaches
3 ways MDM helps fight school cyberattacks

Key points:

• Schools are using more edtech than ever–but they’re also more vulnerable to cyberattacks
• Account monitoring, strong passwords, and strict access controls are just a few of the strategies schools can use to protect their networks
• See related article: 4 key ways schools can strengthen and advance cybersecurity strategies

K-12 schools are facing an increased risk of cyberattacks due to a combination of competing factors. School districts have sprawling networks where availability often takes precedence over security, but are constrained in managing those networks by limited resources and overstretched IT teams.

Meanwhile, the increased use of cloud-based email and remote learning technologies, along with inadequately managed virtual private networks (VPNs), have made schools an attractive target for the types of basic attacks that larger organizations are better prepared to defend against.

A recent Government Accountability Office (GAO) report on K-12 cybersecurity found that attacks have been on the rise since the COVID-19 pandemic forced schools to adopt more remote learning. It also discovered that the damage from those attacks is growing. In total, the GAO found that the range of impacts from cybersecurity attacks includes:

• Loss of instructional time for students, ranging from a couple days to over three weeks.
• Slow recovery time that often took between two and nine months.
• Large financial impact, ranging from $50,000 to over $1 million, with costs including replacement of computer hardware and enhancing cybersecurity to prevent future attacks.

That combination of contributing factors may put schools at a disadvantage against malicious actors, but there are several steps schools can take to help them deter the most common attack vectors.

Common cyberattacks targeting schools

Lax management of email and online learning systems is one example of how schools can become vulnerable. With schools making extensive use of Gmail, Google Classroom, or other cloud-based applications, over-extended IT staff can overlook the need to retire the email accounts of graduated students. In our work with schools, we routinely see expired accounts that go back decades and number in the hundreds of thousands, presenting a ripe target for attackers.

Attackers who glean stolen usernames and passwords from the dark web can, using automated tools, easily try those credentials on school accounts. If one of them works, they gain access to the network.

Credential theft is not only a common attack vector but is also among the most dangerous. Malicious actors will use tactics such as phishing, social engineering, or software vulnerabilities to steal credentials and then use them to bypass traditional security measures and gain access to the email system. From there, they can use compromised accounts to escalate privileges and conduct a variety of malicious activities such as spear-phishing, spreading malware and exfiltrating data. A cloud email system like that in Microsoft 365, for instance, uses Azure Active Directory, which is tightly connected with systems throughout an enterprise. Access via email could allow access to practically all of an organization’s systems.

VPNs are another common attack path for targeting schools where hackers frequently use credential compromise. However, exploiting the vulnerabilities of VPNs that haven’t been updated or patched is another common tactic. Man-in-the-middle attacks, which properly managed VPNs would prevent, can occur when an attacker intercepts and alters communication between the user and VPN server, possibly because of a lack of certificate validation. Attackers could eavesdrop, manipulate data or impersonate legitimate servers.

Essential steps to better security

Successful cyberattacks on schools are usually not the result of overly sophisticated tactics. In fact, we’ve detected and prevented several breaches on school districts, and every single one of them was the result of compromised credentials. This is why it’s important to remember some of the basic security practices that can get overlooked by IT teams that are stretched too thin. Those practices include:   

• Comprehensive account management. Regularly reviewing and updating user permissions, ensuring that current users have access only to the systems and applications they need, and keeping tight control of permissions can limit an attacker’s ability to escalate privileges once inside the network. It can also ensure that email and online learning accounts are disabled after students graduate, rather than remaining active and available to attackers. Effective account management of services such as Active Directory can help IT personnel implement robust security controls, reducing the risk of unauthorized access, shrinking the overall attack surface, and enabling early detection and response to threats. 
• Strong password and access management. Implementing strong password policies and access controls is essential for network security. IT personnel should enforce basic password complexity requirements—minimum length, including numerals and special characters, and requiring regular password changes—but should also implement multi-factor authentication (MFA), which has proved to be effective against credential-based attacks. MFA adds an extra layer of protection by requiring an additional verification step, such as a code sent to a mobile device.
• Regular patch management. Some of the most serious security breaches have occurred when attackers exploited a vulnerability for which a patch was available but not applied. IT teams should establish a robust patch management process that includes regularly checking for new patches, testing them in a controlled environment and promptly deploying them across the network.
• Employee training and awareness. The prevalence of credential-based cyberattacks makes it more important than ever to educate users, who are often seen as the weakest link of security programs. Employees should be educated about common threats such as phishing, social engineering, and malware. They should also be educated on best practices for email security, safe browsing, and handling sensitive information. Building a culture of cybersecurity awareness can help employees recognize and properly respond to potential risks, reducing the likelihood of human error contributing to security incidents.

In meeting the demand for remote access and online learning, schools have—unavoidably—increased their attack surfaces. However, IT personnel can improve security through effective account monitoring, the use of strong passwords, practicing regular patch management and implementing strict access controls. In addition, employee training and security awareness programs are incredibly valuable.

Taken together, those steps will help protect sensitive data, critical systems, and valuable resources from the growing number of sophisticated threats targeted at educational institutions.

Related:
Ransomware attacks on schools are only getting worse
3 ways MDM helps fight school cyberattacks