We Need Cyber Safety For Our Schools!

Did you know that there are 97,568 public schools in the United States? In 2020, 985 of those schools were hit with ransomware. What’s more, there are even more that were not reported! 

Schools are a particularly vulnerable target for cyber crime, as they house an abundance of sensitive data (e.g., social security numbers, medical files, family information, and academic records). The Multi-State Information Sharing and Analysis Center (MS-ISAC) saw a 19% increase in cyberattacks against K-12 schools between 2019–2020, with a projection of an 86% increase for 2022!

CISA’s New K-12 Study

President Biden signed the bipartisan K-12 Cybersecurity Act into effect on October 8, 2021. This act calls for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to conduct research on the impact of cyberattacks on K–12 institutions.

Is the K-12 Cybersecurity Act the same as the mandate that all federal agencies have to remediate the 290+ vulnerabilities?  No, the mandate and the K-12 Cybersecurity Act are different, but K-12s should be taking this seriously and taking care of those vulnerabilities as well. The K-12 Cybersecurity Act is for CISA to study the specific risks impacting K-12 institutions. Based on the study, CISA will provide recommendations for cybersecurity guidelines and create an online training toolkit for K-12 school officials.

This act marks the first step of the federal government’s involvement in the education system’s cybersecurity problem. It is a great step in the right direction; however, this is just a survey with some planning and optional guidance, and no direct help. Additionally, following the guidelines that CISA provides is on a voluntary basis!

There is another bipartisan House bill, the Enhancing K-12 Cybersecurity Act, which claims that it will promote access to threat information, better track cyberattacks nationwide, provide grants, and increase the number of cybersecurity experts in schools.

Schools Have Always Been Underfunded and Under-resourced

Lack of cybersecurity has always been a challenge for the education system. It has come to a point where it can no longer be ignored. Often, schools do not have enough funds to invest in even the most basic of cybersecurity protections. 

Unfortunately, the pandemic has opened up schools to more security threats. With remote schooling options, there has been a significant influx of students and teachers with new devices connecting to networks and applications and this creates an even bigger attack surface. Even before the pandemic hit, schools were already struggling to upgrade and maintain their existing technology while their cybersecurity protections could not keep up. 

Ransomware attacks can completely shut down every aspect of a school's operations. Ransomers will also sell student, teacher, and staff data on the Dark Web to identity thieves. This can massively disrupt the lives of teachers, parents, and students alike, which means that there is a lot of pressure on school leaders to pay the ransom quickly to get their systems back up and running.

Paying Ransom or Remediation? Both are Costly!

This pressure has caused some schools to have paid the ransom, while others have paid for remediation. Ransom requests can range from $5,000, all the way up to $40 million! The downtime from ransomed systems and the data recovery has cost educational institutions billions of dollars. Some schools have even been hit with ransomware more than once. 

For instance, the Clark County School District in Nevada was hit with ransomware in 2020. As the fifth largest school district in the U.S., the ransom affected 328,991 students from 374 schools. The county did not pay the ransom and the hackers released the student data online.

The K-12 Cybersecurity Resource Center reported more than 400 publicly disclosed cyber attacks on U.S. schools, while Comparitech’s research showed there were  77 individual ransomware attacks that affected 1,740 plus schools impacting a potential 1.36 million students.

Hackers seek out institutions such as healthcare and local governments because they are already strained and vulnerable.

What Can a School do to Protect Themselves?  

The K-12 Cybersecurity Act is a good place to start. The bill is establishing a research program to help schools identify their cyber security vulnerabilities and to improve their cybersecurity defenses. However, the study will not be completed until mid to late 2022. 

So, what can schools do to protect themselves in the meantime? Lots!

Schools need to start Security Awareness Training. Security is everyone’s job—both the staff and students—and, a little bit of awareness goes a long way. Best practices include not sharing passwords, avoiding clicking on bad links, and ensuring that everyone stays updated and learns how to be more secure. Amazon offers some free cybersecurity awareness training. There are also training modules from the Family Educational Rights and Privacy Act (FERPA).

Vulnerability management can rapidly and affordably identify where schools have weaknesses. Discovering what systems are publicly accessible and what threats are visible to a hacker is a great first step. Assessing vulnerabilities inside a school network is also critical to round out the assessment. Being able to intelligently prioritize which systems to patch and remediate can also help schools address the most critical needs first. And lastly, this should not be a one-time exercise; this should be repeated quarterly, if not monthly!

Penetration testing (or pentesting) your network and your applications will help standardize your security program.  Pentesting helps test and prove out how your systems can be exploited and takes your vulnerability scanning to the next level.  Schools should prioritize pentesting their networks and most critical applications at least once a year or whenever a major change takes place.

Schools should also ensure they have solid Business Continuity and Disaster Recovery (BC/DR) plans.  These plans include what to do if or when an incident occurs (it is easier to think about your process before an incident).  One of the key strategies for ransomware recovery is having good backups. Although this does not sound very exciting, having a solid backup program can allow you to easily recover and bypass any ransomware issues.

Our schools need all the help they can get and our students and teachers deserve to not be interrupted by ransomware.  Cybersecurity does not have to be hard, especially as there are more resources available today to help than ever before.

About Aaron V Sandeen

Aaron is a visionary leader with more than 27 years of experience in technology. Aaron has served as the State Chief Information Officer for the State of Arizona.  Prior to this, Aaron helped drive technology growth in Intel, Microsoft, Syntellect, and the UnitedHealth Group.

In 2015, he co-founded Zuggand, a technology consulting and services firm specializing in Cloud, IoT, and security. Under his leadership, Zuggand quickly made its mark in the cloud computing sector as an Amazon Web Services (AWS) consulting partner.

To know more about CSW’s Vulnerability Management as a Service (VMaaS), please click here.

Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!