K-12 schools face escalating cybersecurity challenges
Cybersecurity risks facing school districts are escalating as primary and secondary educational institutions have become more dependent than ever on digital systems during the pandemic, an education cybersecurity non-profit warned on Thursday. The security measures in use by school districts haven’t always kept up, leading to real-world education disruptions.
“We’ve seen school districts closed for a week or more responding to cybersecurity incidents,” in some cases schools lose access to systems for weeks or months, Doug Levin, the National Director of the K-12 Security Information Exchange, said during a Webinar hosted by the non-profit information sharing hub Thursday. Attacks on digital infrastructure in the sector have also led to data being irretrievably lost, identity fraud against school staff and students, as well as trust being lost within educational communities, he added.
Nation-states and other advanced threats are more likely to target universities or other higher education institutions that may be involved in national security related research, iBoss Vice President of Research and intelligence Jim Gogolinski said during the Webinar.
But K-12 organizations are at risk for targeting by professional cybercriminals who might see school districts with significant budgets as “easy money,” script kiddies taking advantage of sometimes poorly secured networks, as well as those with personal grudges—like disgruntled staff or community members such as parents or even students themselves, he added.
In 2019, Bethesda Magazine reported, a student at Montgomery County Public Schools in the suburbs of Washington, DC figured out the login for the district’s account with Naviance, a college and career guidance ed-tech tool, then downloaded “data including SAT scores, GPAs, personal information, student IDs, phone numbers and email addresses of 5,962 students.”
However, some of the most significant risks to K-12 are the same as other sectors. “Phishing remains a major vector for all types of compromises,” Gogolinski said, for example.
“Ransomware is big,” he also noted.
According to data collected by Recorded Future, there were four publicly-reported ransomware attacks against schools in July, down from a peak of 14 attacks in March.
In one recent example just this summer, the Judson Independent School District in Texas paid more than half a million dollars to cybercriminals who held the district’s data hostage in a ransomware attack.
The move was necessary to "protect sensitive, identifiable information from being published," the district said in a statement reported on by local CBS affiliate KENS 5.
"While these are funds that we would have rather spent on the needs of our employees, students and their families, there was no other choice for the district to ensure your safety,” the statement said.
The payouts in ransomware incidents are also not the only financial costs of an attack—there’s also unbudgeted security remediation costs, Levin noted. And ultimately, these incidents affect the sector as a whole because they are reflected in higher insurance premiums facing school districts, he added.
(they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.