Cybersecurity in K-12 schools: How to prevent a data breach

November 24, 2020
Author: Alex Brown
Cybersecurity in schools is even more critical during the pandemic with the use of remote learning technology. Your district’s people, funding, and reputation could be at risk if school data breaches aren’t addressed. Is your district equipped?

Cyberattacks in schools have increased each year since 2016, and data tells us this isn’t going away soon. In 2019, for example, there were nearly 350 cyberattacks in schools, three times more than in 2018 — and things aren’t looking much better for 2020, especially amid a global health crisis such as the COVID-19 pandemic. Microsoft Security Intelligence found 61% of the 7.7 million malware encounters reported over the past month came from the education sector, making it the most affected — and vulnerable — industry.

Unfortunately, these issues aren’t resolved by simply upgrading your system software. Many districts lack the resources and awareness needed to build a strong cybersecurity program. The solution involves investing time and resources into making sure all of your district’s systems are secure and your staff is properly trained. Here we’ll define the most significant threats, what’s at stake, and what districts can do about them.

Ransomware and phishing attacks plague K-12 districts

The two biggest cybersecurity threats facing school districts are:

  • Ransomware: Ransomware is software designed to deny access to a computer system until a ransom is paid. Since cybercriminals can get rich quickly using this method, ransomware has become increasingly popular. Ransomware technology has evolved over the years to be easier to use, and it now requires minimal or no computer skills. K-12 districts are often eager to add new technology yet fail to vet vendors who can be vulnerable to these attacks.
  • Phishing attacks: Phishing is a tactic used to trick users into providing confidential information, such as passwords and network credentials, or into installing malicious software through downloads or attachments. Lately, attacks have appeared to come from a variety of sources, including government agencies requesting bank account information to issue stimulus checks and fake businesses pretending to sell personal protective equipment. Like many people, busy school administrators and teachers can easily fall for these scams, which look more real every day.

School districts naturally have a lot of sensitive information in their systems, which makes them a popular target for cybercriminals. Student records, employee information, proposed plans, lawsuits, and health data are valuable to cybercriminals, who sell or use this information for illegal purposes, such as identity theft.

Other common cyberattacks to watch for are online payment or fundraiser scams like fake GoFundMe accounts. Many cybercriminals use fake social media accounts that appear to be affiliated with the school district to promote these scams. Having departments and school organizations follow the district’s social media policy can help differentiate and identify this suspicious activity since official accounts won’t ask for sensitive information. Another popular attack has been “videobombings” where cybercriminals hack into a school’s virtual learning platform with disruptive and explicit messages.

What’s at stake?

If your school district doesn’t take action to address cyberthreats, it can face numerous financial and emotional consequences, such as:

  1. Poor reputation and loss of enrollment: Your school district relies on the trust and support of its community and parents, but cyberattacks often cause a loss of confidence in the district’s ability to keep students and staff digitally and personally protected. This could result in parents transferring their children to another school district that may be taking more concrete action against cyberattacks. This loss of enrollment can have a significant impact on your district’s funding.
  2. Fines: A lack of response can lead to fines for failing to meet industry or legal standards, such as the Family Educational Rights and Privacy Act. Your district should review and take steps to evaluate its risk through assessments in order to identify and eliminate vulnerabilities.
  3. Added stress: Stress levels are already high enough during the pandemic without adding worry about data breaches. Stress can stem from not knowing how to address cyberthreats, where to start the process of securing your systems, feeling overwhelmed by the amount of information and options out there, having a lack of resources to increase cybersecurity, or the fear of experiencing a data breach plus the bad publicity that often follows it.

Steps your district can take

While this can seem overwhelming, there are actions you can take to get started now:

  1. Conduct an overall risk assessment: Think of risk assessments like an annual checkup at the doctor. These assessments will identify any vulnerabilities that could result in a potential cyberthreat and provide solutions to strengthen these areas. Given the ever-changing landscape of technology and the opportunistic nature of cybercriminals, consider assessing all your district’s systems annually to ensure they are in good shape and your risk is low.
  2. Establish a training program: Your district’s employees are the first line of defense against cybersecurity threats and, if they’re properly trained, can reduce the risk of data loss by 70%. To make sure new employees are equipped with this knowledge, add cybersecurity training to your onboarding process. But don’t just address it once. Implement annual training for all employees to reinforce best practices and offer instruction on new threats.
  3. Conduct a risk assessment for your security network: Similar to your district’s overall risk assessment, an annual evaluation is especially critical for your school district’s network security, which is the main defense to prevent cyberbreaches and loss of data. Your district’s network security includes physical, cloud-based, and third-party storage systems that contain sensitive information about students, staff, and the district. A strong network should have multiple layers of security in order to prevent access to the information it holds.
  4. Have a plan of action: Your district should have a clear plan for the everyday management of cybersecurity and be prepared to identify and handle a cyberthreat before it occurs. Think of this as your district’s playbook to address general policies and provide your course of action. The plan should act as a guide to help staff follow best practices and procedures.
  5. Vet your vendors: Your district’s cybersecurity is only as strong as your vendors’ approach. A common oversight is not properly vetting the vendors you work with. Make sure all your vendors can adopt the security protocols and habits laid out in your management plan, and ensure they are not at risk for a data breach themselves.

With school districts continuing to rely on remote learning technology this fall and into 2021, cybersecurity remains a critical topic to address. School data breaches will keep growing if action isn’t taken.
