Did you know that there are 97,568 public schools in the United States? In 2020, 985 of those schools were hit with ransomware. What’s more, there are even more incidents that were not reported!
Schools are a particularly vulnerable target for cyber crime, as they house an abundance of sensitive data (e.g., social security numbers, medical files, family information, and academic records). The Multi-State Information Sharing and Analysis Center (MS-ISAC) saw a 19% increase in cyberattacks against K-12 schools between 2019–2020, with a projection of an 86% increase for 2022!
CISA’s New K-12 Study
President Biden signed the bipartisan K-12 Cybersecurity Act into effect on October 8, 2021. This act calls for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to conduct research on the impact of cyberattacks on K–12 institutions.
Is the K-12 Cybersecurity Act the same as CISA’s mandate for all federal agencies to remediate 290+ vulnerabilities? No, the mandate and the K-12 Cybersecurity Act are different, but K-12s should be taking this seriously and taking care of those vulnerabilities as well. The K-12 Cybersecurity Act is for CISA to study the specific risks impacting K-12 institutions. Based on the study, CISA will provide recommendations for cybersecurity guidelines and create an online training toolkit for K-12 school officials.
This act marks the first step of the federal government’s involvement in the education system’s cybersecurity issues. It is a great step in the right direction; however, this is just a survey with some planning and optional guidance, and no direct help. Additionally, following the guidelines that CISA provides is on a voluntary basis!
There is another bipartisan House bill, the Enhancing K-12 Cybersecurity Act, which claims that it will promote access to threat information, improve tracking of cyberattacks nationwide, provide grants, and increase the number of cybersecurity experts in schools.
Schools Have Always Been Underfunded and Under-resourced
Lack of cybersecurity has always been a challenge for the education system. It has come to a point where it can no longer be ignored. Often, schools do not have enough funds to invest in even the most basic of cybersecurity protections.
Unfortunately, the pandemic has opened up schools to more security threats. With remote schooling options, there has been a significant influx of students and teachers with new devices connecting to networks and applications and this creates an even bigger attack surface. Even before the pandemic hit, schools were already struggling to upgrade and maintain their existing technology while their cybersecurity protections could not keep up.
Ransomware attacks can completely shut down every aspect of a school’s operations. Ransomware gangs will also sell student, teacher, and staff data on the Dark Web to identity thieves. This can massively disrupt the lives of teachers, parents, and students alike, which means that there is a lot of pressure on school leaders to pay the ransom quickly to get their systems back up and running.
Paying Ransom or Remediation? Both are Costly!
This pressure has caused some schools to have paid the ransom, while others have paid for remediation. Ransom requests can range from $5,000, all the way up to $40 million! The downtime from ransomed systems and data recovery has cost educational institutions billions of dollars. Some schools have even been hit with ransomware more than once.
For instance, the Clark County School District in Nevada was hit with ransomware in 2020. As the fifth-largest school district in the U.S., the ransom affected 328,991 students from 374 schools. The county did not pay the ransom and the hackers released the student data online.
The K-12 Cybersecurity Resource Center reported more than 400 publicly disclosed cyberattacks on U.S. schools, while Comparitech’s research showed there were 77 individual ransomware attacks that affected 1,740 plus schools impacting a potential 1.36 million students.
Hackers seek out institutions such as healthcare and local governments because they are already strained and vulnerable.
What Can a School do to Protect Itself?
The K-12 Cybersecurity Act is a good place to start. The bill is establishing a research program to help schools identify their cybersecurity vulnerabilities and improve their cybersecurity defenses. However, the study will not be completed until mid-to-late 2022.
So, what can schools do to protect themselves in the meantime? Lots!
Schools need to start Security Awareness Training. Security is everyone’s job—both the staff and students—and, a little bit of awareness goes a long way. Best practices include not sharing passwords, avoiding clicking on bad links, and ensuring that everyone stays updated and learns how to be more secure. Amazon offers some free cybersecurity awareness training. There are also training modules from the Family Educational Rights and Privacy Act (FERPA).
Vulnerability management can rapidly and affordably identify where schools have weaknesses. Discovering what systems are publicly accessible and what threats are visible to a hacker is a great first step. Assessing vulnerabilities inside a school network is also critical to round out the assessment. Being able to intelligently prioritize which systems to patch and remediate can also help schools address the most critical needs first. And lastly, this should not be a one-time exercise; this should be repeated quarterly, if not monthly!
Penetration testing (or pentesting) your network and your applications will help standardize your security program. Pentesting helps test and prove out how your systems can be exploited and takes your vulnerability scanning to the next level. Schools should prioritize pentesting their networks and most critical applications at least once a year or whenever a major change takes place.
Schools should also ensure they have solid Business Continuity and Disaster Recovery (BC/DR) plans. These plans include what to do if or when an incident occurs (it is easier to think about your process before an incident). One of the key strategies for ransomware recovery is having good backups. Although this does not sound very exciting, having a solid backup program can allow you to easily recover and bypass any ransomware issues.
Our schools need all the help they can get and our students and teachers deserve to not be interrupted by ransomware. Cybersecurity does not have to be hard, especially as there are more resources available today to help than ever before.
To know more about Securin’s Vulnerability Management as a Service (VMaaS), please click here.