April 6, 2021
In recent years we’ve seen news of ransom attacks causing financial damage – like that on the University of Calgary where the institution allegedly handed over $20k to cybercriminals, and malware attacks causing mass disruption – similar to the disruption which, apparently, caused the Minnesota School District to shut down for a day while IT professionals rebuilt the system.
Between 2016 and 2020, there were 1,180 publicly disclosed cybersecurity-related incidents in 128 U.S. public school districts across the country. Those startling statistics are courtesy of the K-12 Cybersecurity Resource Center, whose 2020 “State of K-12 Cybersecurity” report details a worrisome trend.
Doug Levin, founder and president of EdTech Strategies, which runs the K–12 Cybersecurity Resource Center, shares with Education Week that the coronavirus pandemic presented cybercriminals with new opportunities as schools shifted to remote learning.
“With more teachers and students online, particularly if they’re doing it from less controlled environments outside of the school, the attack surface of the school community is increased,” he says.
“Notwithstanding the heroic education IT-related efforts to ensure remote learning was possible for large numbers of elementary and secondary students and their teachers during 2020,” a portion of the introduction reads, “it should hardly be surprising that school district responses to the COVID-19 pandemic also revealed significant gaps and critical failures in the resiliency and security of the K-12 educational technology ecosystem.
“Indeed, the 2020 calendar year saw a record-breaking number of publicly-disclosed school cyber incidents. Moreover, many of these incidents were significant, resulting in school closures, millions of dollars of stolen taxpayer dollars and student data breaches directly linked to identity theft and credit fraud.”
All of which is to say education-related cybersecurity needs a lot more attention and improvement. With education venues varying in size, purpose, and stature, the motives for attack can vary too. For example, what might be a common threat for world-renowned Universities/Colleges might not be an issue for schools or school districts. So, institutions need to evaluate the risk and understand what data is vulnerable to unauthorized access.
Among the various “breaches or hacks that resulted in the disclosure of personal data,” the report reveals, were ransomware attacks, phishing attacks, denial-of-service attacks and “other cyber incidents resulting in school disruptions and unauthorized disclosures.”
“Like all criminals, cybercriminals pick the weakest link,” says Mishaal Khan, Mindsight’s Cybersecurity Practice Lead. “And with plenty of schools in every town and city, there are countless easy targets. Also, IT admins at most schools focus only on keeping the lights on for their systems. Security not only seems daunting, it requires additional staff and expertise that schools typically aren’t willing to budget for.”
“Many school districts also lack the resources needed to build a strong cybersecurity program”, says Linnette Attai, founder and president of PlayWell, a compliance consulting firm, and project director for CoSN’s privacy initiative and trusted learning environment program.
“In many school systems, you don’t even have a full-time employee who is dedicated to cybersecurity,” Attai says. “Oftentimes, you have someone who is also responsible for the technology or responsible for privacy.”
From an incident in Maine, where a meddling 15-year-old halted his school’s server, to one in coastal Washington, where someone posed as the school district’s superintendent and gained access to a list of private information that included employee names, addresses, salary information and social security numbers, the crisis has impacted urban and rural areas from coast to coast.
So how can schools better protect themselves? Khan thinks it’s a matter of bringing in some expert help — a significant investment, yes, but one that will more than pay for itself by helping to thwart attacks before they occur instead of leaving companies to pay for costly clean-up (both technological and reputational) afterwards.
“The typical school IT administrator is overworked, underpaid and generally learning the ropes on the network and server administration,” Khan says. “Since hiring a security engineer is usually not in the budget, it’s best to get security services from a VAR to improve the school’s baseline security posture and harden some of the common security tools. Security is a marathon and not a race; you have to build it carefully and consistently. Testing and scanning are critical to understanding exposure and mimicking adversaries. Ongoing staff training to identify social engineering scams, phishing and threats is fundamental for the uninterrupted operations of the school. A security culture needs to be created.”
Last year, the University of California, Berkley published a helpful guide for teachers and parents that outlines cybersecurity basics. They offered 5 tips for teachers, parents, and students each. These are the very basic things all three groups must practice to ensure network safety. Many of these tips are simply a matter of having a conversation, but a few involve spending just a little bit of money per user, like encrypting data or using a password manager.
But what are cash-strapped school districts supposed to do?
Fortunately, the timing is great for schools to bolster their cybersecurity programs. Thanks to Federal funding from the CARES Act, billions of dollars in COVID relief money is available to districts that need financial assistance. So, if limited budgets were the chief bottleneck for implementing better security measures, Khan suggests taking advantage of this rare opportunity.
While there’s mounting public awareness of cybersecurity, he says, “it has “mostly spread through incidences and breaches. That’s unfortunate. It’s time to be proactive and balance the budgets to protect organizations and provide a secure learning environment for our children.”
Learn more about Mishaal’s perspective on cybersecurity by requesting a vulnerability scan of your organization’s network environment.
Mindsight is industry recognized for delivering secure IT solutions and thought leadership that address your infrastructure and communications needs. Our engineers are expert level only – and they’re known as the most respected and valued engineering team based in Chicago, serving emerging to enterprise organizations around the globe. That’s why clients trust Mindsight as an extension of their IT team.
Visit us at http://www.gomindsight.com.
About The Expert
Mishaal Khan, Mindsight’s Security Solutions Architect, has been breaking and – thankfully – rebuilding computers for as long as he can remember. As a Certified Ethical Hacker (CEH), CCIE R&S, Security Practitioner, and Certified Social Engineer Pentester, Khan offers insight into the often murky world of cybersecurity. Khan brings a multinational perspective to the business security posture, and he has consulted with SMBs, schools, government institutions, and global enterprises, seeking to spread awareness in security, privacy, and open source intelligence.