eSchool News | K-12 Cybersecurity Archives https://www.eschoolnews.com/it-leadership/k-12-cybersecurity/

Edtech gone rogue? Tackling “Dirty Stream” attacks amidst uncontrolled app overloads
https://www.eschoolnews.com/it-leadership/2025/05/07/edtech-gone-rogue-tackling-dirty-stream-attacks-amidst-uncontrolled-app-overloads/ Wed, 07 May 2025 09:46:00 +0000


In May 2024, Microsoft identified a critical vulnerability pattern targeting Android applications, ominously called “Dirty Stream.” This vulnerability allows malicious apps to overwrite files, potentially leading to arbitrary code execution, token theft, and data manipulation. Among the apps affected were WPS Office and File Manager, both commonly used for document handling in educational settings.

Although no major exploitations have been publicly linked to the Dirty Stream vulnerability within educational institutions, the incident underscores that hackers do not discriminate when choosing victims. Instead, they prioritize industries that are data-rich and resource-poor.

With over 3.3 million apps on the Google Play Store, Android dominates the digital classroom revolution, holding a substantial 68.7 percent share of the mobile edtech market. Notably, the K-12 segment is the largest consumer of Android-based mobile learning apps.


But with such proliferation, the industry is now confronting a more sobering reality: its explosive app growth has outpaced security oversight. Excessive app sprawl, inconsistent vetting, and shared libraries with inherited vulnerabilities–the ground is ripe for exploitation.

Chaos in classrooms: Edtech’s Android problems

Tagged by the U.S. as one of the 16 critical infrastructure sectors, the edtech sector has become a hotbed for hacktivists. These hallowed halls of knowledge host sellable information, from Social Security numbers and medical histories to mental health records and bus routes on outdated systems, making them tempting targets for attackers. To make matters worse, the growing connected device networks and remote learning opportunities further exacerbate these vulnerabilities.

At the heart of this growing vulnerability, the very features that fuel Android’s supremacy have also been leading to its downfall. For instance, while the platform’s accessibility and flexibility have made Android the platform of choice for educational apps, its open-source structure allows developers to build upon shared libraries and frameworks, many of which have inherent vulnerabilities. When a vulnerability is discovered in a commonly used component, hackers can compromise numerous apps simultaneously, turning the educational network into a fragile house of cards. Moreover, with Android’s massive user base dwarfing iOS, cybercriminals are incentivized to create malware targeting Android apps, amplifying the risk.

Amidst this growing chaos, admins cannot afford to take a break. While summer breaks may offer a pause for students and staff, they often mark a hacker activity surge. As IT teams tend to enter a brief hibernation period, cybercriminals ramp up their work, meticulously “homeworking” their way into educational systems.

Today, threat actors employ stealthy, persistent strategies, planting themselves deep within the network and remaining undetected for extended periods, sometimes months, before launching attacks. This dwell time allows them to harvest intelligence, determine high-value assets, and meticulously plan their next move, making their attacks far more destructive. The longer they stay hidden, the harder it becomes to detect, contain, and neutralize the threat.

Decluttering the digital campus with smarter app management

First things first, educational institutions need a game plan–a robust and well-defined incident response plan (IRP). This cybersecurity playbook should clearly outline each phase, from detection and analysis to containment, eradication, and recovery. By implementing a comprehensive IRP, schools can not only minimize the impact of cyberattacks but also enhance their long-term cybersecurity posture.

Now, to tackle the app jungle, you will need to dig into your app catalog and ask: What’s essential? Where are they installed? What data do they collect, and how is it handled? A little investigation goes a long way in helping you make informed decisions.

Once you’ve separated the must-haves from the unnecessary, it’s time to lock things down. For institutions with a constricted budget, mobile application management (MAM) tools can be a good start. However, if you are looking for a more scalable and centralized approach, unified endpoint management (UEM) solutions are the way to go. These platforms give IT admins a bird’s-eye view of all apps deployed across devices, making it easier to enforce blocklist policies, manage installations, and create custom app catalogues based on user roles.

When students own the device in question, the situation gets a little trickier. With personal devices, finding the right balance between protecting a student’s privacy and securing data is crucial. Via containerization, admins can create a virtual boundary between school and personal apps, protecting sensitive data without overstepping on privacy.

Of course, digital learning also depends heavily on internet access. However, open access can lead to unsafe browsing. Therefore, institutions must also consider tools like web filtering to block such sites.

Finally, comprehensive device management is a must. This involves enforcing strong security policies like mandatory encryption, password protection, and remote wipe options to ensure that educational data remains safe, even if a device is stolen or compromised.

Cybersecure classrooms with patching and beyond

According to the State of Ransomware 2024 report, nearly one-third of cyberattacks begin with an unpatched vulnerability–a striking reminder of how critical timely updates are. While both Microsoft and Google offered tips to developers on how to avoid falling victim to threats like Dirty Stream, end users are often left with one simple but vital action: keeping their apps up to date and sticking to trusted sources when installing them.

Google’s actions in March 2025 alone underscored the urgency of proactive patching. It addressed 43 vulnerabilities affecting Android devices, including two already being exploited in the wild. As the window between identifying and exploiting a vulnerability narrows, educational institutions need to come to terms with good patch management habits. This means establishing alerts and working towards regular device audits, patch testing, and rollback strategies.

For schools running on lean IT teams, device management solutions offer much-needed relief. These tools enable the automation of patch deployment, giving IT teams more control through patch scheduling. Because updates don’t always go off without a hitch, UEM solutions also offer admins the ability to delay rollout and validate its stability. This is especially useful when managing many devices across multiple locations, where manual updates would be nearly impossible.

Of course, deploying endpoint management solutions or embracing zero-trust principles can be a costly affair. However, these investments can become financially rewarding with the right support from policymakers and school districts. Encouragingly, there is already a head start. In 2024, the Government Coordinating Council (GCC) for the Education Facilities Subsector was established–an initiative uniting federal, state, and local governments to provide schools with necessary counsel and resources for strengthening their cyber resilience.

Ultimately, safeguarding student data and securing the digital future of education is not a solo effort–it’s a joint venture. Our ultimate assignment is to create cyber-secure classrooms for future learners.

K-12 cyberattacks threaten data–and students
https://www.eschoolnews.com/it-leadership/2025/03/20/k-12-cyberattacks-threaten-data-students/ Thu, 20 Mar 2025 09:00:00 +0000


The long-term impacts of K-12 cyberattacks, including lost learning time and disruptions to school operations, are just as damaging as stolen data, according to a new report from the Center for Internet Security, Inc. (CIS).

The 2025 CIS MS-ISAC K-12 Cybersecurity Report, released at the SXSW EDU conference, details the increasing sophistication, frequency, and impact of cyberattacks against K-12 schools.

This is the third annual CIS report dedicated to K-12 cybersecurity, and the second year CIS has partnered with the Consortium for School Networking (CoSN), to direct attention and resources to this critical issue.

Key findings

  • Eighty-two percent of reporting K-12 organizations experienced cyber threat impacts
  • Nearly 14,000 security events were observed, with 9,300 confirmed incidents
  • Cybercriminals target human behavior at least 45 percent more than technical vulnerabilities
  • Attacks surge during high-stakes periods like exams, disrupting education and forcing difficult decisions

Impact on communities

“The long-term impacts of stolen student and faculty data are only part of the story,” said Randy Rose, VP of security operations and intelligence at CIS. “Schools are a vital part of our local communities and cyberattacks against these institutions can have real-world consequences that include missed days, canceled exams, wasted food, and disruptions to child care among other things.”

Building cyber resilience

CIS emphasizes the importance of a collaborative approach to cybersecurity. Early engagement with the Multi-State Information Sharing and Analysis Center (MS-ISAC) improves outcomes, and schools that leverage no- and low-cost cybersecurity resources from the MS-ISAC significantly increase cybersecurity capabilities at a fraction of the cost. MS-ISAC services blocked more than one billion attempts to connect to malware domains, and over 320 million attempts to connect to phishing domains.

Recommendations

To better protect against cyberattacks:

  • Create a culture of shared responsibility
  • Establish direct lines of communication between IT teams and educators
  • Implement smart technical controls that support learning without hindering it
  • Strengthen partnerships, as collaboration amplifies impact

Final takeaways

Cybersecurity in education isn’t just about protecting data, it’s about protecting the students and families, as well as the services they rely on every day. Through proactive cybersecurity strategies and collaboration, K-12 schools can greatly improve their cyber defenses against a pervasive and evolving cyber threat.

This press release originally appeared online.

How schools can fight growing ransomware attacks
https://www.eschoolnews.com/it-leadership/2025/02/25/how-schools-can-fight-growing-ransomware-attacks/ Tue, 25 Feb 2025 10:00:00 +0000


The education sector is facing a growing and multiplying menace: a surge in cyberattacks by ransomware groups that are leveraging generative artificial intelligence and other sophisticated tools.

Recently, a software provider was the target of a data breach that affected K-12 school districts across the U.S. As a result, sensitive data such as names, addresses, birth dates, financial reports, medical records, and Social Security numbers were obtained by hackers.

These attacks illustrate increasingly sophisticated and bold tactics of the ransomware gangs targeting schools and a variety of other sectors. According to a recent report, ransomware attacks targeting the U.S. education sector increased more than 25 percent between April 2023 and April 2024, compared to the same period a year earlier.

The heightened threat was part of an overall increase of 17.8 percent in ransomware attacks. Of those attempted attacks, 217 targeted the education sector–the fourth highest total of any industry.

In the era of a digital and hybrid learning world, the education sector faces numerous challenges when it comes to cybersecurity, including a lack of resources and budget, curious students, and outdated infrastructure. Combined with growing ransomware threats, schools should adhere to best practices for proper cyber hygiene, strong IT security fundamentals, and the implementation of a zero trust architecture. Taking these steps can minimize the attack surface, reduce breaches, eliminate lateral movement, stop data loss, and bolster defense capabilities.

Laying the foundation: Cyber hygiene and IT security fundamentals

However they choose to handle individual incidents, school IT teams have no choice but to stay prepared and prioritize improving their cyber hygiene and IT security fundamentals. Proactively addressing evolving ransomware threats will enable schools to remain more resilient.  

There are steps that everyone–even curious students–can take to enhance their cybersecurity posture. These include creating complex passwords, ensuring software is regularly updated, participating in phishing awareness training, and implementing multifactor authentication. Such best practices can be reinforced by integrating cybersecurity into the curriculum and ensuring that password updates and trainings occur on a set basis. Maintaining cyber hygiene and practicing IT security fundamentals is a continual effort that can become part of the daily habits of students and staff when consistently emphasized–fostering a culture of cybersecurity awareness and resilience.

Zero trust: Trust no one, always verify

Practicing proper cyber hygiene and maintaining IT security fundamentals is only part of the solution to protect against attacks. Evolving threats and technological advancements are not slowing down, and schools need a security framework that effectively keeps up with this new digital landscape. An important security progression is zero trust, which is a focus for federal agencies. Zero trust is not mandatory for the education sector, but school districts should prioritize implementing it as a strong overall security practice and specifically to help guard against ransomware attacks.

Operating under the principle of “never trust, always verify,” zero trust assumes that breaches will happen, not might. The architecture promotes a proactive approach to cyber threats by treating every access attempt, whether from inside or outside the network, as potentially hostile. Continuous verification of identities and devices, regardless of location, is enforced.  

Should an attack occur, zero trust is inherently designed to minimize the network attack surface, prevent lateral movement of threats, and lower the impacts of a data breach. Pairing zero trust with cyber hygiene and IT security fundamentals puts a plan in place that allows schools to continue operations and secure sensitive data. 

Fortify with microsegmentation principles

A key component of a zero trust approach to cybersecurity is microsegmentation, which creates one-to-one segments that are brokered and authenticated by zero trust architectures. Based on the principles of least-privilege access, users are connected directly to requested applications without ever exposing the network. 

The implementation of a zero trust architecture and microsegmentation principles are best practices that enable schools to proactively secure critical assets such as student and other data–often the target of ransomware gangs. This approach not only protects valuable information, but lowers risks, unplanned downtime, and consequences stemming from an attack.

As these criminals become a growing threat to schools and to students’ privacy, it is imperative that the education sector take every possible step to secure its data and maintain strong security fundamentals. Having a clear plan in place and ensuring everyone recognizes the signs of potential ransomware attacks are essential first steps. From everyday practices, such as cyber hygiene and security fundamentals, to more IT-based implementations, such as zero trust and microsegmentation, everyone can play a role in fighting ransomware attacks and bolstering cyber defenses.

Preparing for evolving ransomware threats in 2025
https://www.eschoolnews.com/it-leadership/2025/01/22/preparing-for-evolving-ransomware-threats-in-2025/ Wed, 22 Jan 2025 09:10:00 +0000


In its 2024 threat assessment report, the U.S. Department of Homeland Security declared K-12 school districts “a near constant ransomware target.” The report attributed this alarming trend to budget constraints within school IT departments, insufficient dedicated cybersecurity resources, and the troubling success cybercriminals have had in persuading schools to pay ransoms. These vulnerabilities have made educational institutions a popular target for attackers, threatening not only the privacy of student and staff data, but also the continuity of critical operations.

As ransomware evolves, so must the strategies used to combat it. Traditional perimeter defenses, such as firewalls and antivirus software, are no longer sufficient in an era of artificial intelligence (AI)-fueled cyberattacks. Educational institutions should adopt an “assume breach” mindset focused on internal defenses, such as Zero Trust architectures, data encryption, segmentation tools, and post-breach containment strategies. By limiting attackers’ ability to move laterally within networks and quickly restoring operations after an attack, schools can minimize disruption and ensure the continuity of their missions. Without these proactive measures, the education sector risks falling further behind in the fight against ransomware attacks.

A shifting landscape in 2025

The ransomware landscape in 2025 will likely include more sophisticated attacks as threat actors leverage AI and other emerging technologies. These innovations will enable cybercriminals to identify system vulnerabilities faster by leveraging advanced tools, automated scanning methods, and sophisticated analytics. This capability will allow them to uncover weak points in security defenses and launch highly targeted attacks with unprecedented precision, often before schools can detect or respond effectively. Additionally, these tools are highly likely to further automate phishing campaigns, evade traditional detection mechanisms, and adapt in real-time to a school’s defenses.

The rise of advanced ransomware tactics underscores why schools, with their limited defenses and critical data, continue to be prime targets for cybercriminals. Attackers increasingly view the education sector as a high-reward and low-risk opportunity, underscoring the urgent need for a shift toward modern cybersecurity strategies. Fortunately, there are steps that even schools with limited resources can take that will make them better prepared to proactively face these new attacks.

Building internal defenses for education in 2025

To counter the growing sophistication of ransomware attacks, schools must embrace an “assume breach” mindset, which emphasizes strengthening internal defenses so that breaches don’t become cyber disasters. This approach shifts the focus beyond just prevention to include resilience and aims to minimize the impact of a breach by implementing proactive security measures, protocols, and tools designed under the assumption that attackers may already have access to parts of the network. By adopting this mindset, these measures prioritize safeguarding sensitive data, detecting anomalies, and enabling rapid responses to emerging threats before they even occur.

“Assume breach” is strengthened when it is paired with Zero Trust, which operates under a “never trust, always verify” mindset. As a result, measures are put in place to contain breaches quickly–such as continuously verifying users and ensuring they are only accessing the resources they need to access. From there, schools can implement protections that safeguard data in a proactive way, such as modern data encryption methods or apps, which are often quick and cost-effective.

Another vital defense is the adoption of Zero Trust Segmentation (ZTS). ZTS is designed to restrict lateral movement within a network by adopting Zero Trust measures to continuously verify communication and then creating granular policies that allow only essential interactions. For example, if an attacker breaches one segment, ZTS restricts their ability to move freely across the network and access sensitive assets, such as student records or financial databases. This containment strategy minimizes the damage of an attack, isolating threats before they can spread further. By implementing ZTS, schools create a layered defense system that safeguards critical assets while providing resilience against sophisticated cyber threats.

End-to-end visibility is also particularly critical in hybrid environments where a mix of on-premises and cloud-based systems expands the attack surface. By tracking communication between devices, workflows, and external networks, schools can better understand how data moves within their ecosystems. This understanding enables the enforcement of least-privilege policies, granting users access only to the resources they need for their roles. Such restrictions limit an attacker’s ability to exploit compromised accounts, reducing the potential impact of a breach. With a clearer picture of traffic patterns and system behavior, districts can strengthen their defenses against emerging threats.

Pairing Zero Trust principles and an “assume breach” mindset with ZTS shifts the focus from preventing all breaches to containing their impact, using security measures and protocols to prevent incidents from escalating into disasters.

Flipping the paradigm: From reactive to proactive

As ransomware threats continue to evolve, schools face a critical inflection point. The growing integration of digital tools in K-12 schools, from virtual learning platforms to smart classroom technologies, has outpaced many districts’ cybersecurity resources, underscoring the urgent need for modern, proactive security strategies. Traditional perimeter defenses alone cannot withstand the sophisticated, AI-driven tactics of modern attackers. By embracing well-rounded and multi-faceted defense measures–such as an “assume breach” mindset, Zero Trust architectures, data encryption, segmentation, and post-breach containment strategies–schools can flip their cybersecurity posture from reactive to proactive. Proactive measures that emphasize containment and resilience set schools up to be better prepared to face the escalating threats of ransomware in 2025 and beyond. 

With a commitment to modern cybersecurity practices and a focus on protecting critical assets, schools can safeguard their data against new ransomware threats and continue to provide safe and secure environments for learning.

How to prepare for a school cybersecurity audit
https://www.eschoolnews.com/it-leadership/2024/11/27/how-to-prepare-for-a-school-cybersecurity-audit/ Wed, 27 Nov 2024 09:28:00 +0000


School cybersecurity audits don’t have to be stressful. If you know what to expect, you can be well prepared and set yourself up for future success. The effort put into the first audit will also pay dividends in the future–once the first audit has been completed, subsequent audits are much easier. You’ll be able to recycle information and make slight adjustments for any systems or processes that have changed in the last year. Most importantly, successful cybersecurity audits allow a school to obtain cybersecurity insurance–a growing need, and one that could be mandatory in the future.

So, what exactly are auditors looking for? There are usually a few overarching things they scrutinize: multi-factor authentication (MFA), secure backups, vulnerability/endpoint protection, and cybersecurity awareness training.

The auditor will provide a list of questions and related sub-questions, and will likely include these inquiries:

  1. Is your school running anti-virus on your computers, and does it provide advanced vulnerability protection and detection? Are similar protections on your email server?
  2. Are your backups ‘air-gapped’–do they exist separate from your production environment or in the cloud? This is critical for ransomware protection.
  3. Is MFA turned on everywhere it makes sense to? MFA can stop most hackers, especially in the event of compromised passwords.
  4. Are you training your teaching staff and employees in good cyber hygiene? The human element is the weakest link in the security chain, so keeping folks aware of the threats and what they look like is paramount to good security.

Expanding on these core questions, likely additional questions include those about specific technology. For example, what kind of Wi-Fi authentication is used? Do you use an identity management platform or RADIUS server? How secure is your VPN setup? Does VPN use MFA? What kind of MFA is used for VPN? Who has physical access to servers and backups? Do you have a backup and data recovery plan? How often do you test your backups?

When the auditor evaluates your school’s cybersecurity awareness training, they will often ask both about the cadence or frequency of these training sessions and whether they are mandatory for all employees or staff. Usually, the expectation is that trainings are held at least once a year with all employees required to attend, but more frequent trainings are always better. Sometimes schools schedule these cybersecurity trainings alongside harassment training. Depending on your school’s culture, it may be better to conduct the training via webinars to enable the full school staff to conveniently participate and ask questions to help reinforce the material.

Almost all these cybersecurity audit questions can be addressed with a simple explanation alongside a photograph, screenshot, or an official document showing procedures, policy, or proof of training. In addition, responses can include logs from your backup device detailing successful backups and/or recovery. You can attach your backup recovery or continuity plan alongside the audit as well. If you have additional evidence to prove a question on the audit, add it in.

Be advised, however–every auditor is different, and every audit sheet will ask questions differently. In some instances, questions may be worded strangely or open to some interpretation. In these situations, don’t fret–simply answer and provide evidence the best you can, and the auditors will let you know if more clarity or detail is required.

An audit can become quite difficult if your current IT staff is less technically inclined, or if they simply lack documentation and knowledge to explain how current systems work. It’s not unusual for things to get lost along the way, especially if your IT department has changed hands a few times. If you know this is the case, then you may want to start preparing your IT team ahead of an audit. You can even use this article as a practice test–talk to your team, ask these questions, and discuss where there may be blind spots. If you can get out ahead of these issues, you’ll have a much easier time when the real audit comes.

After the first cybersecurity audit has been completed successfully by your school IT team, it provides a template for your next one. Keep this as a ‘living’ document and ask your IT staff to update it accordingly if anything changes. Changed your MFA for VPN? Maybe you put in more robust identity management for Wi-Fi access? Whatever the case, update your audit document to show this, and when the next audit comes around, you (or your IT team) can kick back, relax, and send it off to the auditors. Most importantly, a cybersecurity audit can help provide assurance that your school IT environment is secure and understood by your IT staff–and should the absolute worst happen, your cybersecurity insurance can help take care of the rest.

How schools can take full advantage of the FCC’s new cybersecurity program
https://www.eschoolnews.com/it-leadership/2024/10/11/schools-fcc-new-cybersecurity-program/ Fri, 11 Oct 2024 09:26:00 +0000


K-12 school districts are becoming an increasingly popular target of ransomware operations and other cyber threat actors. Ransomware attacks alone targeted 108 U.S. school districts in 2023–more than double the 45 attacked in 2022. Just as the 2024 school year was about to start, a ransomware attack shut down some schools in the United States and Great Britain, including 34 schools serving 17,000 students in the Seattle area.

And although the number of attacks overall declined somewhat during the past year, the costs of those attacks are escalating. So far in 2024, recovery costs for K-12 schools are averaging $3.76 million, more than double the costs from 2023.

The wealth of personal information that school districts hold on students and parents makes them a prime target for cybercriminals looking to exploit or sell the data on black markets. The fact that many schools rely on older, underfunded IT infrastructure and have not invested heavily in cybersecurity controls or defenses also makes them easier to breach–and smaller IT departments with fewer resources also mean they are slower to respond to threats.

Thankfully, the much-needed funding and resources to enhance schools’ cybersecurity infrastructure are coming. The Federal Communications Commission (FCC) recently announced that it is making up to $200 million available in reimbursements to help schools, school districts, and libraries purchase equipment and services to improve their cybersecurity postures.

The Schools and Libraries Cybersecurity Pilot Program, intended to help institutions improve protection against ransomware and other attacks, is accepting applications from schools, libraries, or consortia until November 1. Before applying for the pilot program, however, institutions should make an effort to understand their current security postures and vulnerabilities–and how the categories of services and products available can help–to fully ensure requested services will address the most important vulnerabilities and infrastructure challenges they face.

Let us first review the covered services and equipment, which involve four basic categories of cybersecurity.

The four pillars of cybersecurity the pilot program addresses

Advanced/next generation firewalls. This network security software processes network traffic and applies rules to block potentially dangerous traffic. While most schools likely have a firewall in place, internally managed firewalls are time-consuming and laborious to administer.

Endpoint protection. Endpoint protection and response (EDR) tools monitor endpoints such as laptops, smartphones, and other devices for signs of attack or anomalous behavior. This is also a solution that some schools may already have. For example, schools using a provider like Microsoft could have licensing that includes some amount of endpoint protection, but it’s likely not robust. Schools are encouraged to review what they have in place in their tech stack to determine the extent of their current EDR capabilities.

Identity protection and authentication. As credential compromises have become the primary means of access for attackers, the front line of defense has shifted from endpoint devices to the user. This means that individual users, particularly those with privileged access, will be the most likely target for cybercriminals. Identity and access management (IAM) tools control which users can access resources. As schools adopt more digital platforms for learning, administration, and communication, these tools help manage and control who has access to various resources, ensuring that only authorized individuals can access sensitive data like student records, health data, and financial details. As with EDR tools, current IAM tools provided to schools may not be robust enough.

Monitoring, detection and response. This category includes equipment, services, or a combination of both that monitor and/or detect threats to a network and take responsive action to remediate or otherwise address those threats. This includes managed service providers, who combine technology with human expertise to identify attackers and limit the impact of threats as they move through a school’s network. Under current budget constraints, this is the capability schools and libraries are least likely to have, as it requires a dedicated team to ensure no malicious actors are in the network.

Beyond funding: Essential next steps for maximizing the FCC pilot program

School districts must first understand the risks and where they stand in relation to them to fully reduce their vulnerability to cyberattacks. Once they understand which services they have and the extent of those services, they can then identify any gaps in security capabilities and make a plan for speaking to the appropriate vendors of those tools.

To make the most use of the program and the funding the FCC will supply, schools need to choose their solutions carefully. Schools can ensure cybersecurity vendors will meet their needs by following some key steps:

Put vendors through their paces. It’s important to identify the right vendors for what you need. Ask vendors to demonstrate how they have responded to attacks, as well as their proven experience in working with schools or educational institutions. These vendors will better understand the specific challenges schools face, such as limited budgets, varied user groups (students, staff, parents), and the need for a secure but accessible online learning environment.

Check customer references. Request references from other K-12 districts that have used the vendor’s services. This provides insights into the vendor’s ability to deliver on their promises, handle sensitive data, and provide ongoing support. A positive customer reference can be a major indicator of whether the vendor and their solution will be suitable to address your own needs.

Check for important features and support. A major block to getting adequate security in place within school districts is at the top of the pyramid. When evaluating vendors in any category, a key area where they can provide support is their ability to offer tabletop exercises that can engage and educate administrators and other faculty who might not understand or appreciate security. These exercises simulate real-world cyberattacks to help schools prepare for potential incidents, allowing them to practice their incident response in a low-risk environment, ultimately improving their overall cybersecurity posture. They also serve as an educational tool, raising awareness about common attack vectors like ransomware or phishing so the entire staff can be better prepared to recognize and respond to cyber incidents. Finally, they can help uncover vulnerabilities in communication, decision-making, and technical defenses–allowing leaders to understand cybersecurity deficiencies firsthand and the devastating impact they can have.

When considering monitoring, detection, and response (MDR) solutions, there are a few capabilities that are essential for robust cybersecurity. The first is user and entity behavior analytics (UEBA), which uses machine learning to help identify signs of insider threats, external attacks, and risky behavior on a network, including endpoints. It allows schools to identify whether behavior meets the standard baseline or if it’s starting to stray. For example, someone accessing an Oregon school network from the Bahamas might look fishy, but if it’s a teacher on vacation there, it could be okay.

MDR tools should also be autonomous. A solution must be able to capture information and respond automatically. If it identifies stolen credentials being used on the dark web, for example, ensure that it can initiate password resets and disable those credentials. There are various touch points that can indicate a ransomware attack or data exfiltration, such as file modifications, registry keys being added, or auto run tasks being added to the registry. A solution should be able to detect that activity and stop it before too much damage is done. In other words, these solutions should block and tackle as criminals make moves.

Safeguarding education through smart cyber investments

Schools focus primarily on educating students–and as educational institutions, their mindset has traditionally leaned toward sharing, rather than protecting, information. Cybersecurity has not always been top of mind. But the trend in cyberattacks, which can shut down schools and prevent them from teaching, is changing that.

Schools need to strengthen their cybersecurity postures, and programs like the FCC pilot can help. By clearly assessing their current security posture and taking action to close any gaps in their defenses using the appropriate services and equipment, they can get back to their main goal of educating their students without worrying about suffering from disruptive cyberattacks.

Hackers don’t take a summer vacation–neither can school cybersecurity https://www.eschoolnews.com/it-leadership/2024/08/15/hackers-summer-vacation-school-cybersecurity/ Thu, 15 Aug 2024 09:43:00 +0000

School’s out for summer but, for admins, there’s no final bell. Ransomware attacks in education are doubling year-on-year and the arrival of the summer holidays doesn’t mean to expect fewer attacks. Recent history shows that hackers actually ramp up their activity during vacations and long weekends.

The good news is that summer skeleton crews can fight back–slowly but surely–by focusing their limited resources on mapping ecosystems, patching devices, and enforcing strict password practices.

When classrooms empty, cyber threats multiply

Research by Check Point backs up the theory that as we head out to enjoy the sun, hackers head to work. They know that most employees are on vacation, security teams are understaffed, and that schools are “data rich, resource poor.”

Moreover, they’re aware that most schools are still catching up to the rapid digitization imposed by remote learning and COVID-19 lockdowns. A stark example occurred in 2022 when the Los Angeles Unified School District, the nation’s second-largest school system, fell victim to a ransomware attack over Labor Day weekend. The breach resulted in a significant data leak, compromising sensitive student information.

Unfortunately, things haven’t gotten much better since this massive breach. A report last year from Emsisoft revealed a surge in K-12 cyberattacks with cases more than doubling from 45 in 2022 to 108 in 2023. This escalation isn’t coincidental. Cybercriminals target schools because they host sellable information on comparatively outdated systems with lower defenses. To bad actors, summer vacation represents a golden opportunity to exploit network backdoors and potentially remain undetected for weeks, maximizing the attack’s impact and profitability.

It’s therefore up to education to take the target off its back. This involves a two-pronged approach: bolstering security measures and making attacks less financially rewarding. Summer presents an ideal opportunity to initiate both of these crucial improvements.

Three steps for stronger school cybersecurity

To the first point–bolstering security measures–IT can make a big difference to school cybersecurity today and tomorrow by focusing on three elements over the break.

First, begin with a comprehensive inventory of all devices connected to the network. A unified endpoint management platform, for example, can reveal the extent of the ecosystem. This is what Canada’s Burnaby School District did across its 41 elementary schools and 8 secondary schools, uncovering over 2,000 more endpoints than previously thought. In effect, this represents 2,000 potential network entry points. Knowing what’s connected is the first step to protecting what’s connected.

Next, ensure that every endpoint is updated with the latest software. Roughly half (45 percent) of reported software vulnerabilities from last year remain unpatched–a big concern considering that such exploitable vulnerabilities are responsible for almost two-thirds of all data breaches. Good patch management starts by setting a strategy for implementation, like establishing alerts and leveraging unified consoles, and working towards regular device audits, patch testing, and rollback plans.

Finally, get serious about access. Complex passwords backed by multi-factor authentication are the gold standard for a reason. If hackers crack a device password, asking for an additional phone code or fingerprint scan sets another obstacle in their way. Before something like zero trust network architecture is mandated in education like in the military–and here’s hoping–admins can effectively thwart hackers without breaking the bank via stricter access controls. 

A summer test education can’t afford to fail

Schools can’t tackle this challenge alone. We need policymakers and school districts to step up, not just during summer but year-round. Their support is vital in funding additional resources and tackling the second point–making attacks less financially rewarding.

One area that demands top-down leadership is the issue of ransom payments. The education sector faces the highest rates of ransomware attacks across all industries, with about half (47 percent) of globally affected schools paying to recover stolen data. While banning ransom payments could help discourage these criminals, I acknowledge this is a complex issue with no easy solutions.

Encouragingly, cybersecurity coordination is advancing at the national level. This March saw the formation of the Government Coordinating Council for the Education Facilities Subsector. This collaborative effort unites federal, state, and local governments to provide schools with essential guidance and resources for strengthening their cyber resilience. By tapping into the expertise of the Department of Education and the Cybersecurity and Infrastructure Security Agency, schools can make significant progress in safeguarding data and protecting staff and students.

As we enjoy summer, let’s not forget the cybersecurity challenges facing our schools. By focusing on device inventory, software updates, and access control, skeleton crews can go a long way to thwarting potential attacks and laying the groundwork for the new school year. 

The summer months may be a break for students, but they’re the ultimate test for school cybersecurity–and one we can’t afford to fail.

Schools must bolster network continuity as they adopt more technology https://www.eschoolnews.com/it-leadership/2024/07/31/bolster-network-continuity-oob-management/ Wed, 31 Jul 2024 09:16:00 +0000

Technological innovations have always been a vital aspect of education, with today’s classrooms coming a long way from chalkboards and overhead projectors to the latest in cloud computing and the Internet of Things (IoT) devices. Network infrastructure is at the heart of these modern technologies, enabling the resources and devices teachers and their students use daily.

Unfortunately, many institutions do not have suitable networking solutions in place to facilitate always-on connectivity. Should a human error or a cyberattack compromise the network, these technologies could become unavailable, making essential educational processes impossible.

The consequences and causes of network downtime in education  

The more reliant educators become on network-dependent technologies to do their jobs, the greater the consequences when those technologies become inaccessible due to unexpected network outages. Just as a driver who only uses their backup camera struggles to reverse without it, educators find themselves in a similar predicament today.

Online learning, for example, requires constant connectivity–should the network go down, students will have no way of accessing learning materials or turning in assignments. Likewise, network outages can block staff from accessing financial and operational systems and learning management applications. In some cases, educators may be unable to complete fundamental tasks such as taking attendance or using grading systems.

In addition to disrupting educational processes and jeopardizing productivity, network outages can be expensive, mounting up tangible costs in recovery fees as well as intangible costs such as damaged reputations. Research from Comparitech shows that between 2018 and mid-September 2023, ransomware attacks against K-12 and higher education institutions around the world cost over $53 billion in downtime.

In recent years, cyberattacks on K-12 schools have increased mainly due to these institutions being easy targets for bad actors. A 2022 U.S. Government Accountability Office report found that classes can take up to three weeks to return to normal after an attack. The report also notes that behind the scenes, some districts can take nine months to recover.

Bolstering network resiliency with Out-of-Band Management

There are two ways to manage a network: in-band management and Out-of-Band (OOB) management. Many education institutions rely on the former, which involves managing the network through the network itself. The issue with this methodology is that when an outage occurs, there is no way for network engineers and IT personnel to access remote devices and remediate the problem.

Alternatively, OOB management allows network engineers to establish a separate management plane that operates independently from the data plane, or production infrastructure. In other words, a school’s technicians can use OOB management to reach remote devices without directly accessing the production IP address in the data plane. Even if the network is down, IT teams can still access, manage, and remediate devices remotely and securely.

Some best-in-class OOB management solutions allow network engineers to detect and remediate issues through proactive monitoring, including systems that automatically notify requisite personnel of network issues or environmental inconsistencies via email or SMS. By preemptively recognizing and remediating issues, educational institutions can detect faults before they spiral into failures, minimizing downtime and operating costs through operational continuity. Moreover, the ability to monitor and remediate problems remotely eliminates the need for schools to dispatch engineers to sites to make configuration changes and troubleshoot issues, saving precious time.

Additionally, OOB management enables education institutions to isolate and contain security incidents, like breaches or attacks. Locking down and quarantining affected parts of the network will prevent bad actors from moving freely, protecting the sensitive data of students and staff. These capabilities significantly enhance network resilience in the face of cyberattacks, preserving network integrity to ensure learning and other business operations can continue without interruption.  

The need for connectivity amid rapid technology adoption

As advanced technologies go from novelty to mainstream, more schools and universities across the world will adopt them, including artificial intelligence, wearable technology, natural language processing, and virtual and augmented reality, reshaping learning for the better. Simultaneously, students and faculty demand faster, more innovative applications and devices.

Although these technologies and applications will open the door to new educational possibilities, they will place greater strain on the network and increase the risk of outages, underscoring the need for always-on connectivity through OOB management.  

It’s time to rethink cybersecurity in education https://www.eschoolnews.com/it-leadership/2024/07/24/rethink-cybersecurity-in-education/ Wed, 24 Jul 2024 10:00:00 +0000

IT leaders are tasked with protecting school district networks and must constantly evaluate their cybersecurity strategies as attacks from outside threats increase in frequency and become more sophisticated.

Education institutions are among the most-targeted, and the move to cloud-based virtual learning has given hackers new ways to infiltrate networks, according to new data.

In a 2022 survey by the UK-based National Cyber Security Centre, 78 percent of schools had been hit by at least one cybersecurity incident.

The Los Angeles Unified School District experienced a cyberattack in September of 2022 that caused a massive computer system shutdown. In May of 2022, Lincoln College shut down permanently after a ransomware attack financially devastated the 157-year-old institution.

As IT leaders strive to find new ways to protect school networks, they often turn to Zero Trust Network Access (ZTNA) strategies. ZTNA does not trust a single user, device, or application and always assumes that the network is hostile, external and internal threats are always present, and that location is not enough to determine trust.

ZTNA approaches can help educational institutions protect their networks and get back to basics: teaching and learning.

Privacy and data protection are driving edtech adoption trends https://www.eschoolnews.com/it-leadership/2024/07/24/privacy-data-protection-edtech-adoption-trends-cybersecurity/ Wed, 24 Jul 2024 09:54:00 +0000

Tech-enabled learning is an educational mainstay and it is top of mind for IT directors as they face shifts in regulation, vulnerability, and best practices in managing student data.

Many who initially relied on policies like the General Data Protection Regulation (GDPR), Family Educational Rights and Privacy Act (FERPA) or Children’s Online Privacy Protection Act (COPPA) as the standard now see them as a baseline and instead are doing far more.

Here are several trends that are emerging:

Data security is job #1 

Protecting student data and privacy is non-negotiable and that hasn’t changed since the first tech tools emerged on the scene. Cybersecurity ranks as a top concern for IT leaders. Attacks continue to increase. Cyberattacks and ransomware attacks targeting schools and districts have affected more than 2.5 million students.

In response to these threats, school leaders are building data classification frameworks, establishing firm data-sharing rules, updating technical directives, increasing district-wide data privacy training, and auditing current systems. They’re getting more specific on how vendors may use and secure data, and how they protect it from cyberattacks. IT teams are pressing vendors about the ways meta- and personally-identifiable data are captured and used, and are requiring detailed backup and disaster recovery plans.

Each measure contributes to the layers needed to protect students and the school. 

Demands for easy-to-find and easy-to-understand standards

Encompassing the expansion of edtech safety and security evaluation is a growing preference for transparency and clarity from vendors. Many IT directors do not have enough time to wade through complicated statements and legalese. There are nearly half a million educational apps available for learning, as well as an innumerable number of edtech tools beyond apps. Data from 2023 reported that educators deal with an average of 42 learning apps and devices each day. Overwhelmed by the volume, school IT professionals are telling us to make it easier for them to find and understand what works.

Claire Archibold, DPO for Schools and Information Governance Consultant at Education Data Hub, told me IT teams are favoring vendors that present clear information on safety and security measures. Archibold said: “We look at a lot of edtech vendor privacy and data protection information–some are fab, others are…well…not so fab. But as we looked at one specific solution, we let out a little sigh of contentment. [It’s] easy to read, contains all the required information, a clear link to a Data Processing Agreement, which is then incorporated into the Terms of Use, and even a Vendor RFI document included which contains all the technical information for our data protection due diligence.”

Nurture and promote healthy digital engagement

Educators and IT directors today are more attentive to creating a safe and positive experience for students via the learning tools and administrative technology employed at the district. For IT directors and administrators, that has meant being extra vigilant in selecting products that nurture wellness and protect students.

Setting district policies for selecting those products, based on how well they protect student data and well-being, is a strict and serious business, usually managed by cross-departmental teams of district administration personnel and the top leadership in IT. It’s a collaboration that makes sense, because IT is tasked with keeping the checks and balances in place, while district administrators focus on the holistic view of the student.

With online safety software, for example, these teams determine who and how much access and control are given per department (like teachers, for example) and even per individual (such as the school nurse). Via the online safety software, they create monitoring and intervention policies and alerts for concerning phrases and words. Such alerts could indicate a student is being bullied or is in danger of self-harm, which, when received by approved staff, prompts them to take approved action to hopefully prevent the unimaginable from happening.

Tech and human oversight work together to protect and support students 

Since the first computers came onto the scene, teachers have worried about how much and what kind of digital content students engage with each day. I believe that more discussion is worthwhile, regardless of how hard it may be–and more so now with the increase of alarmingly convincing phishing sites and “bad actors” intent on duping youngsters and adults. This 2023/24 study reports that 21 percent of 12-27 year-olds have been victims of phishing scams.

As threats grow, IT directors are giving educators more ways to steer students away from harmful (or even benign but more entertaining) sites so that students will stay focused on learning. Classroom management software–cloud-based or network-based–and its built-in metering features allow teachers to observe who students are collaborating with and the websites and applications they are using.

There is another layer of support, though. Rather than only leaning on teachers to monitor online activity, leaders are leveraging technology to automate enforcement. With the right IT management solution, established lists of permitted and restricted sites and apps can be used school-wide, and even made accessible at only certain times of the day. That kind of proactive management eases everyone’s workload, and in this age of rapid technology innovation, it has become vital.  

The rapid evolution of emerging technologies, coupled with the strain on already-stretched teams, makes urgent action necessary. Already, IT teams contend with too few resources. Two-thirds of technology directors report their resources to combat cybersecurity issues are insufficient. Add to this figuring out how to safely adopt AI-powered tools, threading the needle of protecting data, privacy, and the social-emotional well-being of students, fostering healthy learning environments, and maintaining trust with internal and external stakeholders while navigating the onslaught of new tech. It all requires careful planning.

Why federal-education partnerships are critical for cybersecurity https://www.eschoolnews.com/it-leadership/2024/07/18/federal-education-partnerships-cybersecurity/ Thu, 18 Jul 2024 10:00:00 +0000

The Federal Communications Commission (FCC) recently voted to adopt a three-year, $200 million Schools and Libraries Cybersecurity Pilot Program. The pilot program will provide schools and libraries with cybersecurity services and equipment. It will also allow the FCC to gather and analyze data on which cybersecurity services and equipment would best help K-12 schools and libraries address growing cyber threats and attacks against their broadband networks.

While the much-needed resources and funding represent a significant step towards fortifying cybersecurity in the education sector, it remains a modest advancement for a critical issue. As K-12 schools increasingly become prime targets for cyber criminals due to their often-limited resources and reliance on outdated systems, the collaboration between the federal government and the education sector is more crucial than ever.

By providing essential funding, advanced cybersecurity resources, expert guidance, and gathering analytics and data, the federal government can help schools effectively protect against cyber threats.

The critical importance of federal collaboration with schools

Establishing partnerships between federal entities, cybersecurity experts, and the education sector offers numerous benefits, including enhanced information sharing, expanded training opportunities, and access to specialized resources. For example, the partnership between the Department of Homeland Security and K-12 schools with the Cybersecurity Education and Training Assistance Program has provided resources and training to thousands of educators, helping to integrate cybersecurity concepts into K-12 education and foster a culture of proactive cybersecurity awareness and preparedness within the educational community. Additionally, the U.S. Department of Education and the Cybersecurity and Infrastructure Security Agency launched the Government Coordinating Council (GCC) for the Education Facilities Subsector, enhancing collaboration among all levels of government to protect K-12 schools from cyber threats.

The federal government plays a pivotal role in shaping cybersecurity practices across K-12 schools, which often lack their own necessary guidance and policies around cybersecurity practices. By adhering to guidance from the federal government–like what we see in the K-12 Digital Infrastructure Brief–schools can work toward improved cybersecurity.

Collaboration efforts are most effective when schools prioritize and leverage available resources

The effectiveness of the FCC initiative, policies published by the federal government, and other similar collaborative efforts from the federal government hinges on two efforts that fall solely on schools.

First, schools must make cybersecurity a priority. Effective prioritization of cybersecurity comes from leadership and involves identifying specific vulnerabilities, allocating resources, and creating a comprehensive plan and budget to address potential threats. To respond to cyber threats effectively, cybersecurity must be supported from the top down.  

Second, schools must utilize the resources provided by the federal government to address both their immediate vulnerabilities and long-term security needs. With cyber threats increasingly targeting the education sector and threats not slowing down any time soon, it is vital that schools prioritize and adopt a strategic approach to maximize the impact of federal collaboration efforts, which focus on immediate, achievable goals.

Partnering with federal agencies grants access to specialized resources and funding and provides schools with crucial guidance on cybersecurity best practices, often enhancing their cybersecurity posture. Educational entities can also partner with one another to increase their buying power to bolster their cybersecurity resources, such as partnering to buy software and licenses as a collective.

Beyond the FCC funding

Schools, just like many other sectors, operate in a hybrid environment and must have an actionable plan in place to protect their valuable data no matter the location. It is crucial to secure endpoints, including laptops, tablets, and mobile devices, with comprehensive protection solutions that provide real-time monitoring and threat detection. This shift to digital learning environments has expanded the attack surface, making every connected device a potential entry point for cyber threats.

The education sector is not required to meet a Zero Trust deadline as required for federal government agencies. However, as the education sector looks to the federal government for collaboration and best practices, it should also consider implementing a Zero Trust framework–ideally one with segmentation at its core. Zero Trust Segmentation (ZTS)–segmentation using Zero Trust principles–is a crucial technology within the Zero Trust framework. Through the continuous visualization of all communication patterns and traffic between workflows, devices, and the internet, ZTS constantly verifies a user and creates granular policies that permit only essential communication. If an attack were to occur, ZTS applies the principles of Zero Trust to broaden visibility into all networks and across all traffic and limit free lateral movement–containing the attack and minimizing its impact.

Schools should also implement endpoint protection platforms that not only safeguard against malware and viruses but also offer advanced features, such as behavioral analysis and automated response capabilities. These solutions should be able to identify suspicious activities and isolate compromised devices to prevent the spread of infections. Real-time monitoring ensures that any anomalies are detected immediately, allowing for swift action to mitigate potential threats.

It is crucial that schools enforce policies for regular software updates and patching efforts, alongside educating students and staff on best practices for device security. By securing endpoints comprehensively and prioritizing timely implementation of these measures, schools can protect the integrity of their hybrid learning environments and ensure the safety of their educational communities.

Given the constantly changing threat landscape, schools must act with urgency and have robust cybersecurity plans in place now, rather than in a decade. Any improvement is a step in the right direction, and organizations don’t need to achieve 100 percent security immediately.

Enhancing cybersecurity for educational resilience

Overall, while the FCC’s program marks a crucial investment in enhancing cybersecurity across K-12 schools and will generate valuable data on which services work best for the education community, it addresses only a fraction of the challenges faced by educational entities. To maximize the impact of this funding and other federal collaboration efforts, schools must prioritize ZTS, integrate robust cybersecurity practices into their educational frameworks, and foster collaborative partnerships with federal agencies and industry experts.

Continued advocacy for increased support and streamlined collaboration will further bolster cybersecurity resilience, ensuring that K-12 schools can adapt effectively to evolving cyber threats and provide a safe digital space for students and educators alike.

FCC adopts $200M cybersecurity pilot program https://www.eschoolnews.com/it-leadership/2024/06/21/fcc-200m-cybersecurity-pilot-program-schools-libraries/ Fri, 21 Jun 2024 09:33:00 +0000

The Federal Communications Commission (FCC) on June 6 adopted a three-year, $200 million Schools and Libraries Cybersecurity Pilot Program, which will allow the FCC to obtain and analyze actionable data about which cybersecurity services and equipment would best help K-12 schools and libraries address growing cyberthreats and attacks against their broadband networks.

Through the pilot, the FCC aims to learn how to improve school and library defenses against sophisticated ransomware and cyberattacks that put students at risk and impede their learning.

The pilot will enable the FCC to gather the data needed to better understand whether and how universal service funds could be used to support the cybersecurity needs of schools and libraries and to share lessons learned with our federal partners to jointly combat this growing problem.

“This is a landmark moment for schools and libraries across the nation. The cybersecurity threats facing our educational institutions are significant,” said Funds For Learning CEO John Harrington in a statement. “This pilot program represents a crucial step in providing the resources necessary to safeguard sensitive information and maintain secure, reliable access to digital learning tools.

“Cybersecurity in education is not just about protecting data; it’s about safeguarding our children’s future and ensuring a safe, uninterrupted learning environment for all. We commend the FCC for acknowledging the urgency of these issues and taking initial steps to address the cybersecurity concerns of E-rate applicants.”

In Funds For Learning’s annual E-rate Applicant Survey, over the past six years, more than 95 percent of respondents believe cybersecurity products and services should be eligible for E-rate support. In the 2023 survey, over 100 applicants shared their individual opinions about the need for cybersecurity.

“CoSN applauds the FCC for its leadership in helping school districts tackle the serious and universal problem of cybersecurity threats,” said Keith Krueger, CEO of CoSN. “This pilot program will not only provide much-needed support to a select group of schools and libraries but also offer valuable insights into the scope of the challenge and the resources required to keep our students and educators safe online. We look forward to working closely with the FCC to ensure the program’s success and to build a more secure future for schools’ digital infrastructure.”

Modeled after the Connected Care Pilot Program, the pilot program will make $200 million in Universal Service Fund support available to participating schools and libraries to defray the costs of eligible cybersecurity services and equipment. These funds are separate from the FCC’s E-rate program, to ensure gains in enhanced cybersecurity do not undermine the E-rate’s success in connecting schools and libraries and promoting digital equity.

This pilot is part of Chairwoman Jessica Rosenworcel’s Learn Without Limits initiative, which addresses the Homework Gap by ensuring connectivity in schools and libraries so everyone, everywhere has access to high-speed internet services. This initiative includes Wi-Fi on school buses, E-rate support for libraries in Tribal communities, and funding from the FCC’s E-rate program for the off-premises use of Wi-Fi hotspots and wireless internet access services.

Material from a press release was used in this report.

Cybersecurity is top priority for K-12 edtech leaders https://www.eschoolnews.com/it-leadership/2024/05/08/cybersecurity-top-priority-k-12-edtech-leaders/ Wed, 08 May 2024 09:00:00 +0000

The majority of K-12 edtech leaders say they believe AI can benefit education, and roughly one-third have a general AI initiative–but cybersecurity remains at the top of their priority lists, according to the 2024 State of Edtech District Leadership report from CoSN.

The annual survey, now in its eleventh year, gives school district leaders and policymakers a holistic understanding of the K-12 IT landscape.

While edtech leaders can often be siloed within their own district, this year’s report offers a chance to look at best practices in other districts and measure priorities and initiatives as compared to other schools and districts.

CoSN’s edtech leadership report offers valuable insight for superintendents, school boards, and business officers as they outline priorities and budgets to address challenges and priorities outlined in the report–critical information that will also serve as a directional guide to CoSN’s resource and program development.

“The role of edtech leaders is rapidly expanding as technology is permeating every aspect of our education system, necessitating their proactive involvement. Our latest survey underscores the growing complexity of their challenges, from developing Generative AI best practices and cybersecurity measures to addressing the digital equity divide. Since 2013, demands on edtech leaders have surged, yet district resources have not kept pace with these escalating needs,” said Keith Krueger, CEO of CoSN.

The survey and report were conducted in partnership with AASA, The School Superintendents Association, CDW Education, K12 Insight, Lightspeed Systems and MCH Strategic Data. This year’s top findings include the following:

1. The overwhelming majority of edtech leaders (97 percent) see benefits in how AI can positively impact education and over a third (35 percent) of districts report having a generative AI initiative.

2. Cybersecurity remains the top concern for edtech leaders, with 99 percent of districts taking measures to improve protections. Increasingly, districts are on a path to implementing many cybersecurity best practices.

3. An overwhelming majority (93 percent) of districts are using technology solutions designed to address or improve student well-being.

4. A growing number of districts no longer provide any services to address student home broadband access–31 percent this year compared to 19 percent just two years ago.

5. Single Sign-On (SSO) is the most fully implemented interoperability initiative with 43 percent. Full implementation rates for other interoperability initiatives lag far behind.

6. Cybersecurity ranks number one on edtech leaders’ lists for professional learning, with 85 percent of respondents indicating they were extremely or very interested. Second was IT crisis preparedness with 78 percent, followed by driving and sustaining K-12 innovation with 77 percent.

7. Edtech leaders cite the inability to hire skilled staff as a top challenge, ranked second behind budget constraints.

8. Sixty-four percent of districts report taking measures to increase team diversity, with a quarter actively recruiting. However, only one-third (34 percent) of districts report adding underrepresented populations to their technology department team in the last two years.

“Leveraging and championing technologies in our school systems has never been more important in public education. Everyday terms such as artificial intelligence, cybersecurity, digital equity and interoperability are top of mind in learning communities throughout our country, which is why it’s not surprising to see some of this year’s key findings focusing on these areas,” said David R. Schuler, Executive Director, AASA. “Once again, it’s an honor to partner with CoSN on this invaluable resource. I congratulate Keith Krueger and his team for administering the survey.”

The report was developed based on a national survey of over 980 edtech leaders across U.S. school systems. According to the results, districts are modernizing their infrastructure; however, more responsibilities such as HVAC, phone systems, and physical security systems come under their purview and run on the school network. Edtech leaders are also challenged by persistent problems such as hurdles to hiring highly-qualified IT talent, issues of student home internet and device access, funding cliffs as pandemic funds expire, and enormous threats of cybersecurity attacks.

“CDW is a proud corporate partner of CoSN and this annual survey to help support our district leaders in solving problems, planning for the future and building capacity in education technology leaders,” said Janice Mertes, State Level Ambassador, CDW Education.

“As the K-12 community tackles critical challenges, including infrastructure security, data privacy, AI adoption and digital equity, the 2024 State of EdTech report again provides an important view of IT leaders’ priorities. Lightspeed Systems is proud to be a longstanding partner of CoSN, working together to understand and address these top issues head-on,” said Brian Thomas, CEO, Lightspeed Systems.

This press release originally appeared online.

Critical steps to help school districts combat ransomware attacks https://www.eschoolnews.com/it-leadership/2024/04/30/critical-steps-school-districts-combat-ransomware/ Tue, 30 Apr 2024 09:58:00 +0000

School districts are one of the most vulnerable industries for a ransomware attack, particularly from foreign adversaries, according to Ann Neuberger, deputy national security adviser for cyber and emerging technology. In addition, a 2022 GAO report indicated that K–12 schools faced significant disruptions in learning and substantial monetary losses due to cyberattacks, with some districts reporting a halt on educational operations of three days to three weeks and recovery periods spanning two to nine months. Some school districts reported that in the 2022-2023 school year alone, breaches cost them upwards of $1 million.

From disruption in education to costly recoveries, we’ve seen how cyberattacks significantly impact schools. With ransomware attacks on the education sector doubling from 2022 to 2023, districts across the nation need to brace for another wave.

To bolster defenses against ransomware attacks, districts must first understand what makes them vulnerable to attacks. Schools often face resource constraints–many using outdated technologies, preventing them from implementing the cybersecurity tools they need. Schools also often don’t have, or don’t prioritize, their budget for an adequate IT team. Overall, districts are barely allocating budgets for cyber initiatives. Notably, recent research revealed that nearly half of districts surveyed spent only two percent or less of their budget on cybersecurity.

Having limited cybersecurity resources hinders a district’s ability to implement modern and robust security measures, and puts education, sensitive data, and much more at risk. Despite these challenges, there are steps that districts can take to proactively defend against attacks.

Assume breach

Following in the footsteps of federal agencies, districts must shift their mindset from “preventing all attacks” to “containing successful attacks.” This “assume breach” mindset shift will enable the school to prepare for when an attack occurs, not if an attack occurs.

Our world is more hyperconnected and hybrid than ever before, particularly since 2020 when many schools had to transition to online schooling due to the pandemic. Even four years later, some school districts still use online learning.

Traditional security strategies establish a network perimeter, limiting inbound traffic but allowing most outbound traffic via firewalls. However, this architecture overlooks the reality that numerous threats may reside within the school network and does not take into consideration this new hyperconnected, hybrid world. This world has provided attackers with new avenues and methods of access to launch their attacks. For example, when students and teachers bring school laptops home, these laptops are outside the network perimeter and connected to public or home networks, making them more vulnerable to an attack.

To reduce the impact of an attack, districts must “assume breach” and have a plan in place that ensures critical information remains safeguarded even outside the network perimeter.

Increase end-to-end visibility

As districts adopt an “assume breach” mindset, they must simultaneously develop an actionable plan to protect against any attacks. One key part of their plan must include visibility into all networks and across all traffic. After all, they cannot defend against what they cannot see.

In today’s environment, it’s essential to have a comprehensive view of traffic across all school-issued devices, whether students are at school or at home. Visibility enables the enforcement of least-privilege security policies, under which a user is granted access or permission on a network only when it is absolutely necessary, on all workloads regardless of location. End-to-end visibility across the entire hybrid attack surface will eliminate blind spots, identify vulnerabilities and critical assets, and enable IT teams to effectively monitor all network activities.

Implement a segmentation strategy

Districts can also adopt Zero Trust Segmentation (ZTS), also known as microsegmentation. ZTS is based on the principles of least-privilege access and is a foundational pillar of any Zero Trust architecture. Through the continuous visualization of all communication patterns and traffic between workflows, devices, and the internet, ZTS constantly verifies a user and creates granular policies that permit only essential communication. That way, if a breach or attack does occur, the attacker cannot easily move across the environment to compromise more assets and instead will be contained and isolated.

Through leveraging end-to-end visibility and ZTS, districts ensure the protection of critical assets and school-issued devices both in and outside of the classroom. This approach not only protects valuable information, such as student data, but also lowers the risks of consequences stemming from an attack.

The role students can play in cyber hygiene practices

There are steps everyone, including students, can take to enhance a school’s cyber strategies. Examples include creating complex passwords, ensuring software is regularly updated, participating in phishing awareness training, and implementing multifactor authentication (MFA). To ensure cybersecurity culture is reinforced and part of the curriculum, schools can make sure this is covered in teacher workshop days.

Furthermore, schools can establish a system to ensure student participation by involving IT teams in the classroom and inviting them to educate students on the importance of cyber hygiene practices. Maintaining cybersecurity awareness is a continual endeavor, and both staff and students would benefit from refresher courses and training to remain knowledgeable about emerging threats and the latest security best practices.

Protecting education

In an era where learning extends beyond the classroom, it’s crucial that districts have robust and modern strategies in place to protect valuable information and allow schools to operate as normal even when an attack occurs. From more senior strategies, like IT teams adopting an “assume breach” mindset, increasing end-to-end visibility, and implementing ZTS, to everyday practices, like students being able to identify suspicious emails and effectively set up MFA, everyone can play a part in reducing the attack surface before it’s too late.

The evolving requirements of a K-12 school network https://www.eschoolnews.com/it-leadership/2024/04/24/cybersecurity-k-12-school-network/ Wed, 24 Apr 2024 09:35:00 +0000

Every time a parent sends their child to school, there’s a list of things they expect their child to remain safe from. That list probably includes protection from bullies, injuries during gym class, and probably rotten cafeteria food. In 2023, the internet is likely near the top of those concerns.

As the school year began this year, the White House announced several initiatives to curb cyberattacks on K-12 schools. This was in response to a 2022-2023 school year that saw eight major cyberattacks in American K-12 schools, four of which caused classes to halt or caused the school to shut down for good. 

In response to this news, K-12 IT managers in the U.S. have taken a holistic approach to cybersecurity. This is especially true as more schools take advantage of WAN, or wide-area network, tools to support the expanding nature of classroom (or outside of the classroom) instruction. If school IT staff want their security plans to be successful and at the right scale, they’ll need security tools that account for a host of possibilities and, therefore, are based on zero-trust standards.

A more popular target

The rise in cyberattacks on schools came on the back of the pandemic as remote learning forced many school districts to “expand” the classroom, thereby (unintentionally) expanding the attack surface for bad actors. Now that many schools are back in the classroom, students may no longer be remotely logging onto computers for class instruction. However, they may still need to remotely access school websites or learning modules for homework, group assignments, or to check their grades.

A wider attack surface puts sensitive information such as student health information, parents’ personal information, student addresses, and faculty and staff information at risk. Also, even if students are accessing the internet at school, one wrong move could endanger sensitive information and cost the district a lot of money. The federal government reported that damages from successful cyberattacks in 2022 ranged from $50,000 to $1 million. With many districts across the country strapped for resources, a loss in this range could have significant consequences.

Types of attacks

To avoid the consequences of a cyberattack, it may help school administrators to know how cyberattacks usually originate. The U.S. Government Accountability Office notes four popular methods that bad actors use for cyberattacks:

Phishing: An attempt to access data or resources through a fraudulent solicitation in an email or on a website.

Ransomware: The use of malicious software to block access to computer or data systems. Usually, during these attacks the attacker requests a fee to release access back to the target of the attack.

Distributed denial-of-service attacks: The use of multiple machines operating together to overwhelm a target, thereby preventing or impairing the authorized use of networks, systems or applications. 

Video conferencing disruptions: Attacks that disrupt teleconferences or online classrooms with malicious content. This usually includes pornographic images, hate images or speech, and threatening language. 

Protecting a school from these attacks, or at the very least minimizing the damage, requires an in-depth network strategy with a zero-trust approach to cybersecurity at a K-12 school.

A wireless WAN and zero-trust approach  

As the classroom expands for many schools–with more students accessing virtual classrooms at home, doing work on school-provided laptops, and even using school bus Wi-Fi to do work–it’s become more pertinent for IT administrators to prioritize network security as much as possible. 

A growing number of schools are realizing that wireless WAN (WWAN), or the use of public or private cellular routers or adapters as a key component of their WAN infrastructure, is a great way to enhance connectivity at the network edge and make sure there is as little interruption as possible to the many ways in which classroom instruction has evolved. Even with greater connectivity opportunities with a WWAN, there still exist the security concerns plaguing many schools. This is why a zero-trust approach to WWAN is so important for students, teachers, and the IT personnel that manage school networks. 

By default, zero-trust cybersecurity solutions give IT managers the power to decide who gains access to school networks. Also, even if a member of the school is authorized, the right network solution will allow IT managers to decide where each user can go in the network. Compare this to more traditional virtual private network (VPN) solutions, which require complex configurations and, by default, give everyone access to the entire network.

There are also specific security features that school IT managers should look for in their WWAN approach. For example, role-based internet filtering allows the IT manager to dictate where a student can go whilst on the school network and, thereby, filter the content to which they are exposed. Also, the right solution will isolate virtual meetings in the cloud, which prevents hackers from gaining sensitive information through a virtual meeting, even if they somehow obtain credentials to get into a meeting.

Speaking of isolation, security features such as remote browser isolation air-gap user devices from the internet. This means even if a student or faculty member falls for a phishing attempt, that attack will not result in access to the school network.

It’s also important that IT managers look for WWAN solutions that aren’t complicated to deploy or manage. In many cases, K-12 schools don’t have massive IT teams with multiple experts to manage the various IT concerns that can happen throughout the day. A WWAN solution that is comprehensive but not complicated to manage allows IT managers to prioritize the online safety of the school without having anything fall through the cracks. 

A secure learning experience  

Many schools have implemented security measures to make sure unwanted guests don’t enter their school. They in turn dictate who can enter the building once class has started and who can’t. In fact, even students need permission to be in certain places once class has started. While the use of WAN tools can enhance school networks, IT personnel should approach cybersecurity with the same level of fervor with which administrators approach students’ and faculty’s physical security.

With a zero-trust solution, K-12 IT managers can have more control over who enters the figurative doors of their network. This helps promote a scalable network and a safe online environment, no matter where learning occurs. 

Cybersecurity: eSN Innovation Roundtable https://www.eschoolnews.com/it-leadership/2024/04/11/cybersecurity-esn-innovation-roundtable/ Thu, 11 Apr 2024 10:01:00 +0000

Cybersecurity is arguably one of the biggest priorities in K-12 school districts across the country. IT leaders agree that a “when, not if” mentality is essential in formulating a K-12 cybersecurity strategy to keep school networks and sensitive information protected from hackers, phishing, ransomware, and other external (and internal) threats.

During an eSchool News Innovation Roundtable with a focus on cybersecurity, moderated by eSchool News Content Director Kevin Hogan, district IT leaders explored the challenging and ever-evolving topic of K-12 cybersecurity. Roundtable participants included:

  • Phil Hintz, Chief Technology Officer, Niles Township District 219 (IL)
  • Greg Limperis, Director of Technology, Lowell Public Schools (MA)
  • Sandra Paul, Director of Information Technology, Township of Union Public Schools (NJ)
  • Mohammed Saleh, Associate Chief Technology and Management Information Systems Officer, Paterson Public Schools (NJ)
  • Paul Sanfrancesco, Director of Technology, Owen J. Roberts School District (PA)

Key takeaways and insights from the roundtable include:

Multi-factor authentication (MFA) is absolutely critical to your school district’s cybersecurity strategy.

“MFA is the easiest thing you can do,” Sanfrancesco said. “It will be your first line of defense and it’s the easiest, cheapest, and most effective right now.”

Often, discussions around MFA can hit roadblocks, but working with unions can help clear up resistance or misunderstandings when district staff members don’t want to give access to personal devices or ask for alternate MFA methods.

“I got in front of the union and told them how passionate I am about cybersecurity–and it’s not just for the staff members, it’s not just for the union members, it’s also for the students,” said Saleh. “Most likely, you have confidential student info in your email. It’s our job, collectively, to make sure that info is safe. It’s our responsibility. Luckily, we got some buy-in for this. We’ve been seeing more people enable MFA, and now it’s mandated.”

Managing the humans in your district can be as challenging as, if not at times more challenging than, the various programs, tests, and monitoring solutions you’ve put in place.

Often, IT leaders deal with a few staff members who are less than tech-savvy and who are resistant to change.

“We have to find ways to make their lives easier, because for some of them, their skill sets are so limited, they’ve been teaching for 40 years, and they didn’t grow up with technology. We’re going to have to put a lot of effort into training,” said Limperis.

Networking is key.

“Increase your knowledge base,” Sanfrancesco said. “There are many free systems and entities out there. Become part of a network. Having the ability to network with someone else or others who are doing the same thing” is paramount.

“Networking is a big thing for me–I wouldn’t be where I am now if I hadn’t gained the knowledge from people I was around,” said Saleh.

When in doubt, pick a starting point.

“Just do one thing at a time,” said Hintz, noting that NIST, K-12 Six, and CoSN are great starting points to tackle a K-12 cybersecurity strategy. “You have to start with the end in mind. If you just jump in and start, you can begin to map out a roadmap. Map it out [with] your team, and make sure you advocate for it with your cabinet first, get everybody on top on board with it. Cast that vision and then begin that vision. Plan the work and then work the plan.”

Know your tools and resources.

Here’s a look at some of the solutions and professional organizations these IT leaders use to maintain network security and stay up-to-date:


Here’s how to protect schools from cyberattacks in 2024 https://www.eschoolnews.com/it-leadership/2024/02/14/protect-schools-from-cyberattacks-2024/ Wed, 14 Feb 2024 09:57:00 +0000

Identity theft and data breaches are on the rise and K-12 schools are one of the biggest targets. In fact, from 2016 through 2022, there have been more than 1,600 publicly reported cybersecurity-related incidents at K-12 public schools, affecting millions of current and former students. And now in 2024, it’s reaching a crisis point. Exposure of private information can have long-term impacts for not only schools, but for the students they serve. 

It’s why the nation is now taking a closer look at data vulnerabilities in K-12 schools. In late 2023, the Federal Communications Commission proposed a $200 million program to gather data on schools’ cybersecurity and firewalls, to examine how we can best protect students, teachers and schools. It’s largely in response to the recent influx of ransomware gangs targeting K-12 schools. As cyberattacks against schools continue to increase in severity, schools must take it upon themselves to implement extra protections against online threats. 

When students’ personal information is compromised, it can lead to emotional and financial harm for years to come. Schools manage a slew of personal data, from health and psychiatric records to academic test scores to even social security numbers. For school districts, financial losses from cyberattacks can be in the millions, according to the U.S. Government Accountability Office. These costs may include replacing computer hardware or enhancing cybersecurity protections, not to mention the burden and risk of identity theft. Yet, the majority of school districts do not have a single staff member solely dedicated to cybersecurity. 

While new cybersecurity measures and modernization projects are taking place at the national level, more tangible action must be taken to combat these rising risks for schools in California. What else can be done to address these rampant cybersecurity attacks at the school level?  

With a new year upon us, here are proactive steps you can take today to protect yourself or your school community against systemic cybersecurity threats in 2024: 

Multifactor authentication. Multifactor authentication (MFA) helps prove users are who they say they are by prompting them to enter a second factor to verify their identity when signing in to a device. Because usernames and passwords can be easy to discover, implementing MFA makes it more challenging for a threat to gain access to student, staff, or school information.
 
Train staff. Attacks are often socially engineered. That means staff must know how to identify and respond to these threats. Regularly scheduled staff training on phone-based, email-based, and SMS-based scams, using tools such as phishing campaigns, helps ensure staff have the language and tools they need. Required training will help your school community not only identify cyberthreats but also share actionable guidance on what to do if any information at your school is compromised. And according to experts, it would behoove districts to participate in programs that would protect against online attackers who are specifically targeting schools.

Protect student, teacher and staff identities. Restricting administrative access to only those who need it can help keep devices and personal information protected, since users with administrative privileges can often bypass critical security settings and access sensitive information. This can be done by validating which staff members are required and authorized to carry out those tasks as part of their duties. End-to-end encryption (e2ee) can also help ensure no one but the sender and the recipient can read sensitive communications. 

Practice continuous improvement. Regularly patching and updating systems is one of the most important cybersecurity procedures to protect against known vulnerabilities as well as provide new features. Lastly, enact policies to regularly back up your data or material in different places or mediums (e.g. separate servers). Archiving or deleting sensitive information, in alignment with your record retention policies, can help keep information secure. 

The scale and number of attacks have escalated over the last few years as more schools relied on technology for instructional delivery and operations. In an increasingly digital age, cyberattacks will only become more hazardous for students and their school communities. Looking ahead to 2024, it has never been more important for school leaders to prioritize cyber insurance, education and security.
 

Cybersecurity staffing shortage is districts’ top concern https://www.eschoolnews.com/it-leadership/2024/02/05/cybersecurity-staffing-shortage-districts/ Mon, 05 Feb 2024 09:50:00 +0000 https://www.eschoolnews.com/?p=216309 One in 3 school districts ranked lack of dedicated cybersecurity personnel as their top challenge in safeguarding schools, according to Cybersecure 2024, an annual survey from Clever that polls school administrators and offers an in-depth look at the state of cybersecurity across the U.S. K-12 landscape.]]>

One in 3 school districts ranked lack of dedicated cybersecurity personnel as their top challenge in safeguarding schools, according to Cybersecure 2024, an annual survey from Clever that polls school administrators and offers an in-depth look at the state of cybersecurity across the U.S. K-12 landscape.

The survey of over 800 administrators, conducted in fall of 2023, illuminates the challenges and opportunities for schools in strengthening cybersecurity.

The results are in line with similar findings from CoSN that many district leaders lack sufficient cybersecurity resources and face budget constraints. In fact, 50 percent of districts also reported wanting to spend more on cybersecurity than they currently do, underscoring the growing need for investments and preparation. This need is evidenced by one district’s experience with a major ransomware attack:

“Our collaborative stance on cybersecurity was strengthened by experiencing a major ransomware attack,” said Christy Fisher, chief technology officer with Norman Public Schools. “It emphasized the need for cybersecurity insurance and the critical role of cross-departmental cooperation in negotiating and understanding the financial aspects of cyber risk.”

Moreover, while 96 percent of administrators reported cybersecurity as something that should be a collaborative effort, only 17 percent reported their strategies truly reflect this team-based approach. As evidenced by these findings, cybersecurity must involve all staff – from IT staff to individual employees – in awareness, training and prevention efforts to create a culture of shared data/system protection responsibility.

Other key findings from the report, which features perspectives from more than 800 administrators, include:

  • Growing cybersecurity threats: Phishing and ransomware are identified as the biggest threats, with 80 percent of administrators concerned about phishing attacks.
  • New cybersecurity tools: 89 percent of districts want to adopt new tech tools to enhance protection, with a focus on identity and access management systems, data encryption, and zero-trust security models.
  • Increasing vendor scrutiny: Half of U.S. districts have updated vendor security criteria in the past 2 years; 55 percent are planning more changes in the year ahead.

The report also provides practical recommendations for districts, including emphasizing user-friendly cybersecurity tools, establishing clear criteria for evaluating and selecting edtech vendors and partners, and mobilizing mindshare around cybersecurity by training all staff roles.

In response to the report findings, Trish Sparks, CEO of Clever, underscored the people-first aspect of cybersecurity: “It’s not just about technology — it’s about people too. To keep schools safe, everyone involved—tech providers, admins, and teachers—needs to know cybersecurity best practices. Tools like MFA must be easy to use, making it more likely for everyone to use them and keep schools secure.”

This press release originally appeared online.

Rising ransomware attacks on education demand defense readiness https://www.eschoolnews.com/it-leadership/2023/12/29/ransomware-education-cybersecurity/ Fri, 29 Dec 2023 09:22:00 +0000 https://www.eschoolnews.com/?p=215587 Ransomware attacks continue to wreak havoc on the education sector, hitting 80 percent of lower education providers and 79 percent of higher education providers this year. ]]>

Ransomware attacks continue to wreak havoc on the education sector, hitting 80 percent of lower education providers and 79 percent of higher education providers this year. That’s a significant increase from 56 percent and 64 percent in 2022, respectively.

As “target rich, cyber poor” institutions, schools store massive amounts of sensitive data, from intellectual property to the personal information of students and faculty. Outdated software, limited IT resources and other security weaknesses further heighten their risk exposure. In a ransomware attack, adversaries exploit these vulnerabilities to infiltrate the victim’s network and encrypt their data, effectively holding it hostage. After encryption, bad actors demand ransom payment in exchange for the decryption key required to retrieve their files.

But the ramifications of ransomware extend beyond the risk of data exposure and recovery costs; attacks can also result in downtime that disrupts learning for students. The impact of ransomware has grown so severe that the Biden Administration has even committed to providing ongoing assistance and resources to support schools in strengthening their cyber defenses.

So, while ransomware in the education sector isn’t a new phenomenon, the stakes remain high. And with both higher and lower education institutions reporting the highest rates of attacks among all industries surveyed in a recent study, the need for increased defense readiness in the education sector has never been more evident.

3 ransomware trends disrupting classrooms in 2023

Cybercriminals have refined the ransomware-as-a-service (RaaS) model in recent years, enabling adversaries to specialize in different stages of attack. Amid the current ransomware surge, IT and security leaders in education must remain aware of the evolving threat landscape so they can effectively safeguard their networks and systems.

Here are some trends from The State of Ransomware in Education 2023 report that demand attention now:

1. Adversaries are leveraging compromised credentials and exploited vulnerabilities. More than three-quarters (77 percent) of attacks against higher education institutions and 65 percent against early education institutions this year originated from compromised credentials and exploited security flaws in software.

Although the root causes of attacks are similar across other industries, educators experienced a significantly higher number of attacks that originated from compromised credentials. The sector’s lack of adoption of multi-factor authentication (MFA) technology — a critical tool in preventing these types of attacks — likely plays a role in this trend.

2. Educational institutions lag behind other sectors when it comes to data backups. The use of data backups is critical in recovering encrypted data and reducing downtime in the event of an attack. Still, only 63 percent of higher educational organizations use backups, falling below the cross-sector average of 70 percent. Lower educational institutions perform slightly better in this area, with 73 percent of organizations backing up their data.

However, the use of backups to recover encrypted data decreased in the last year — a concerning trend given the high rate of ransomware attacks against the sector.

3. Educators are paying ransoms. But should they? Education had one of the highest rates of ransom payouts of all industries, with 56 percent of higher education institutions and 47 percent of lower education institutions paying the ransom in attacks in 2023. Educators’ willingness to pay ransom often stems from factors like the critical nature of their operations and the potential impact of data exposure on staff and students.

But paying the ransom is a risky and often costly move because there’s no way to guarantee adversaries will provide the decryption key. Even if they do, victims may still need to spend significant time and resources recovering data. In fact, paying the ransom actually increased recovery costs and lengthened recovery times for victims this year.

Empowering educators: How to defend against ransomware attacks

Factors like resource constraints can make it difficult to maintain comprehensive and up-to-date cybersecurity measures. But with an understanding of optimal incident response protocols and adversaries’ tools, techniques, and procedures (TTPs), you can prioritize practices and investments that bolster your institution’s defenses against ransomware.

  • Explore CISA guidelines and toolkits for recommendations and best practices when it comes to information sharing, maintaining defenses with limited resources and more.
  • Maintain proper cybersecurity hygiene through routine patching and regular reviews of security tool configurations. Don’t be afraid to lean on a third-party expert for help assessing the effectiveness of your defenses.
  • Defend against common attack vectors with tools like MFA and zero trust network access to prevent the exploitation of compromised credentials.
  • Employ managed detection and response (MDR) services to enhance your security with round-the-clock threat monitoring.
  • Leverage adaptive technologies that automatically respond to attacks to buy you response time.
  • Prepare for the worst by regularly backing up your data and maintaining an incident response plan that reflects the current threat landscape.
  • Raise awareness among staff about the dangers of ransomware and best practices they can follow to mitigate risk.

Cyberattacks are inevitable, and ransomware is a common form of attack in the education sector. But you’re not helpless — you have the ability to exercise control over your institution’s digital preparedness.

By adhering to best cybersecurity practices, implementing tools that defend against emerging threats, and outsourcing services when necessary, you can equip your institution to respond to potential threats in an effective and timely manner.

K12 cybersecurity threats to your school can be lowered-here is how https://www.eschoolnews.com/it-leadership/2023/12/11/k12-cybersecurity-threats/ Mon, 11 Dec 2023 17:00:00 +0000 https://www.eschoolnews.com/?p=215680 The school bell is about to ring in another academic year, and as children pull out their lunchboxes and teachers decorate their rooms, schools continue to face an onslaught of K12 ransomware while also grappling with perpetually insufficient budgets, legacy IT, and under-staffing concerns. The increased level of connectivity in today’s schools means richer opportunities for learning and community, but it also puts at further risk the financial data, personally identifiable information (PII) and other sensitive information that educational institutions hold.]]>

The school bell is about to ring in another academic year, and as children pull out their lunchboxes and teachers decorate their rooms, schools continue to face an onslaught of K12 ransomware while also grappling with perpetually insufficient budgets, legacy IT, and under-staffing concerns.

The increased level of connectivity in today’s schools means richer opportunities for learning and community, but it also puts at further risk the financial data, personally identifiable information (PII) and other sensitive information that educational institutions hold.

K-12 schools received a cyber maturity score of 3.55 out of 7 from the Nationwide Cybersecurity Review (NCSR) risk-based assessment, despite the fact that many school districts are trying to strengthen their cybersecurity posture. And according to 29 percent of K–12 participants in that report, a cyber incident occurred in their district in the previous year. Malware and ransomware were two of the most prevalent occurrences. According to the report, ransomware attacks pose the greatest K12 cybersecurity risk to K–12 schools and districts in terms of overall cost and downtime.

The good news is that the federal government is taking this seriously. In early August, the Biden Administration announced a new plan focused on strengthening school district cybersecurity plans. While the elements of this plan are rolled out, school IT teams and leaders can also start to take action in another area: cyber hygiene for students. It’s never too early to start teaching children basic cyber literacy.

New rules for K12 cybersecurity

The Biden Administration’s new proposal comes on the heels of a report from the Cybersecurity & Infrastructure Security Agency (CISA), Protecting Our Future: Partnering to Safeguard K-12 Organizations from Cybersecurity, which offers guidelines for schools to help bolster defenses. 

Guidelines include investing in the most impactful security measures and building toward a mature cybersecurity plan, recognizing and actively overcoming resource constraints, and focusing on collaboration and information sharing. CISA will continue to engage with federal partners, including the U.S. Department of Education, and work closely with state and local officials, school leaders, emergency management officials, nonprofits, community leaders, and the private sector to identify areas for progress and provide meaningful support that measurably reduces risk.

Other elements of the administration’s new plan include a proposed pilot program that will provide up to $200 million over three years to strengthen security in schools and libraries with the help of federal agencies, and establishing a new council to coordinate between federal, state and local leaders to help bolster cyber defenses in schools. It also calls for new resources for reporting and enlists the help of private companies to provide free and low-cost resources for school districts, including training.

It’s great to have support at this level, but it will take some time for these plans to roll out to schools. In the meantime, district leaders and IT teams can start implementing good cyber hygiene practices for school districts right away.

Fostering good cyber hygiene for teachers and students

People don’t have to be tech geniuses to practice good cyber hygiene. Teachers and even the youngest students can be taught some basic cyber hygiene practices. For instance, a very common-sense practice is to not share passwords or any kind of PII with strangers online. Teachers and students must learn what suspicious links look like and learn not to click them, or to open unexpected attachments or download anything on their computers without approval. When students are online in the classroom, teachers can ensure that they use only approved websites and applications and get approval for certain activities.

When it’s age-appropriate, children can learn how important strong passwords are and how to create them. Best practices include:

  • Create longer passwords that are personally meaningful but that don’t contain any PII. An example would be a line from an obscure song with numbers and symbols mixed in to create a password that’s at least 10 characters long. These are much harder, if not impossible, for attackers to guess.
  • Use a unique password for each account.
  • For all your online accounts, create one-of-a-kind, long and difficult passwords using a password manager.

Obviously, younger children, like those in kindergarten through third grade, aren’t going to be creating or using strong passwords. Educators at that level will need to be creative in how they help students at that age protect their work, but certainly by middle and high school, this will be a key part of learning.

Pre-teens and teenagers can learn how to securely navigate social media. For example, it’s wise to not use social media accounts to log in to certain kinds of platforms, because those platforms then have instant access to whatever PII is available in those accounts. If there’s no other way to connect to that platform, students can create dummy accounts to use only for this purpose.

Students also need to be cautious about instant messaging services due to social engineering risks. The rule about never giving out PII applies here, especially financial information. And QR codes, though convenient, can send students to a site with malicious files waiting to be downloaded.

For teachers and staff, organizations from the White House to the private sector are already offering cybersecurity training for K–12 school districts. Such programs provide academics and employees with the most recent information, advice, and suggestions to help them make better decisions when faced with cyberattacks and other dangers to the school. These free training programs are already being used by many districts.

Knowledge is power–and stronger K12 cybersecurity for school districts

As long as there are school IT teams working with few human and financial resources, there will be cyber adversaries trying to take advantage and break into school networks. This requires a two-pronged approach: technology and training. Because students have network access, they need to learn how to use it safely and responsibly–IT does not bear the sole responsibility for cybersecurity.

Individual cyber hygiene plays a huge role in helping to defend the network. Training for students, teachers, and staff will help IT teams keep the bad actors out and will ultimately help create a cyber-savvier generation.

What are some K12 cybersecurity tips?

Due to budget and resource constraints, many schools and other academic organizations are only able to implement very basic K12 cybersecurity tools and processes, and this leaves them extremely vulnerable to cyberattacks.

We’ve seen this play out over the past 12 months with high-profile attacks on school districts in Los Angeles, Minneapolis and Tucson, Ariz., among many others. And, because cybercriminals can compromise school networks for big gains with very little effort, we expect K12 cybersecurity attacks will only increase.

As the new school year quickly approaches, IT and security teams face a seemingly overwhelming task: protect school networks with limited budget and personnel. The good news is that there is some cybersecurity training and basic blocking and tackling that can significantly help schools build strong basic cybersecurity, including:

  • Mandating strong passwords for cybersecurity.

It’s easy to choose a simple password or to repeat passwords across accounts for memory’s sake, but the consequences of doing so can be severe. In fact, according to the FIDO (Fast Identity Online) Alliance, passwords are the root cause of more than 80 percent of data breaches. The importance of educating students and staff about strong, hard-to-guess passwords cannot be overstated. Research shows that a 12-character password could take 27,000 years to crack and cost hackers $6.4 trillion to do so. Mandating strong passwords is a simple, cost-effective way to strengthen a school’s cybersecurity posture.

For schools that are able to take credentials management one step further, multi-factor authentication is a great option. MFA is a method of authenticating into an account that requires users to present at least two pieces of evidence to prove their identity — something they know (e.g., a password) as well as something they have (e.g., an authentication code via text or email) or something they are (e.g., facial recognition or a fingerprint scan).

  • Implementing a K12 cybersecurity data backup solution. 

While this will certainly be an upfront investment, it will pay dividends over the long-term. Having backups of your school’s and students’ data can be extremely beneficial for compliance and business purposes, and it can also be extremely valuable in a K12 ransomware attack – where cybercriminals access data, encrypt it and then demand schools pay a ransom to decrypt it. Many schools that don’t have a data backup solution in place pay the ransom in the hopes they’ll get their data back, but this is money out of their pocket they can’t afford to lose, and worse yet, paying the ransom does not guarantee access to the data. However, if you’re the victim of a ransomware attack and have a data backup solution in place, you can evade the ransom demand by simply falling back to the backup version.

  • Taking a security-in-depth approach. 

Where possible, schools should take a multi-layered approach to security, including using firewalls, anti-virus solutions, anti-malware software, and encryption. Cybercriminals don’t want to work hard to infiltrate a target, so security-in-depth is an impactful deterrent that can help fend off today’s sophisticated hackers.

Prioritizing cybersecurity training awareness

Students and staff are the first line of defense in network security, and they can’t do their part if they aren’t aware of the threats facing them or the actions to take if they suspect they are a victim of an attack. IT and K12 cybersecurity teams need to make them part of cybersecurity efforts by offering ongoing cybersecurity awareness and training. The best way to get them to pay attention and remember what they learn is to offer short, engaging training sessions on a regular basis, rather than long, drawn-out presentations once a year.

All this said, we’re living in a world where it’s no longer a matter of if a school gets attacked, but when. In this reality, it’s so important that schools have an incident response plan in place, so they know how to react following a successful incident and can do so quickly. Communicating to affected families should be a big part of this plan. Timeliness and transparency are key following an attack. Victims need to know the nature of the attack, what data was compromised, what the school is doing to remediate the problem, and the steps they should take to protect their personal information. From an internal perspective, schools need to take the incident as a learning opportunity – identifying what went wrong, so they can put the right people, processes and technologies in place to prevent a similar K12 ransomware attack from happening again.

The bottom line is schools can suffer severe consequences from a cyberattack, including disrupted instruction, impaired operations, financial losses to address the incident, and the exposure of stakeholders’ personal information. By focusing on achievable cybersecurity basics, schools can fight back by building a solid security and resilience foundation that can help them defend against cybercriminals to keep their teachers, administrators, students and families safe.

Why are schools being cyber attacked?

Strengthening K12 cybersecurity measures and optimizing attack preparation, along with good security hygiene, can help education organizations avoid ransomware attacks

Education reported the highest rate of K12 ransomware attacks in 2022, and over the past year, 79 percent of higher-ed organizations surveyed reported being hit by ransomware, while 80 percent of K-12 organizations surveyed were targeted—an increase from 64 percent and 56 percent in 2021, respectively.

These statistics come from The State of Ransomware in Education 2023, a report from cybersecurity provider Sophos.

Additionally, the education sector reported one of the highest rates of ransom payments, with more than half (56 percent) of higher-ed organizations paying and nearly half (47 percent) of K-12 educational organizations paying the ransom. However, paying the ransom significantly increased recovery costs for both higher-ed and K-12 educational organizations. Average recovery costs (excluding any ransoms paid) for higher-ed organizations were $1.31 million when paying the ransom versus $980,000 when using backups. For K-12 educational organizations, the average recovery costs were $2.18 million when paying the ransom versus $1.37 million when not paying.

Paying the ransom also lengthened recovery times for victims. For higher-ed organizations, 79 percent of those that used backups recovered within a month, while only 63 percent of those that paid the ransom recovered within the same timeframe. For K-12 educational organizations, 63 percent of those that used backups recovered within a month versus just 59 percent of those that paid the ransom.

“While most schools are not cash-rich, they are very highly visible targets with immediate widespread impact in their communities. The pressure to keep the doors open and respond to calls from parents to ‘do something’ likely leads to pressure to solve the problem as quickly as possible without regard for cost. Unfortunately, the data doesn’t support that paying ransoms resolves these attacks more quickly, but it is likely a factor in victim selection for the criminals,” said Chester Wisniewski, field CTO, Sophos.

For the education sector, the root causes of K12 ransomware attacks were similar to those across all sectors, but there was a significantly greater number of K12 ransomware attacks involving compromised credentials for both higher-ed and K-12 educational organizations (37 percent and 36 percent respectively versus 29 percent for the cross-sector average). 

Additional key findings from the report include:

  • Exploits and compromised credentials accounted for more than three-fourths (77 percent) of ransomware attacks against higher-ed organizations; these root causes accounted for more than two-thirds (65 percent) of attacks against K-12 educational organizations
  • The rate of encryption stayed about the same for higher-ed organizations (74 percent in 2021 versus 73 percent in 2022), but increased from 72 percent to 81 percent across K-12 educational organizations during the past year
  • Higher-ed organizations reported a lower rate of using backups than the cross-sector average (63 percent versus 70 percent). This is the third lowest rate of backup use across all sectors. K-12 educational organizations, on the other hand, had a slightly higher rate of using backups than the global average (73 percent)

“Abuse of stolen credentials is common across sectors for ransomware criminals, but the lack of adoption of multifactor authentication (MFA) technology in the education sector makes them even more at risk of this method of compromise. Like the U.S. federal government’s initiative to mandate all agencies use MFA, it is time for schools of all sizes to employ MFA for faculty, staff and students. It sets a good example and is a simple way to avoid many of these attacks from getting in the door,” said Wisniewski.

Sophos recommends the following best practices to help defend against ransomware and other cyberattacks:

  • Strengthen defensive shields with:
    • Security tools that defend against the most common attack vectors, including endpoint protection with strong anti-exploit capabilities to prevent exploitation of vulnerabilities, and Zero Trust Network Access (ZTNA) to thwart the abuse of compromised credentials
    • Adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond
  • Optimize attack preparation, including making regular backups, practicing recovering data from backups and maintaining an up-to-date incident response plan
  • Maintain good security hygiene, including timely patching and regularly reviewing security tool configurations

Do schools need K12 cybersecurity?

As COVID-19 swept the nation beginning in 2019, no one knew just how life-altering the pivot to remote work and education would be. Today, we see more and more students and employees alike who are relying on technology to engage with their work and peers than ever before. As with holidays and other unanticipated events, this pivot drew in some of the biggest minds in security who worked to eliminate K12 cybersecurity challenges stemming from this change – but it also drew in hackers.

Shoring up cybersecurity practices for schools is quite the feat. User authorization is extremely challenging, as IT professionals must navigate through different levels of access for each user community. This creates even higher risks because networks must be open to employees, students, and others – an issue most businesses don’t need to manage.

Another major cybersecurity challenge we see frequently in education is outdated technology. Like healthcare, we see devices that need to connect to the network — but the old software poses risks, such as a lack of updated security protocols. This creates vulnerabilities that are ideal for threat actors, many of whom are looking for an easy fix they can exploit. Media devices that can be connected to computers–thumb drives, external hard drives, CDs, DVDs–also pose a challenge to MSPs/MSSPs providing cybersecurity to their clients.

As frequently as we see these attacks in the news, not much is changing in terms of recovery time or preparation. As the number of breaches rises, the Government Accountability Office (GAO) found that recovery from these attacks ranges from two to nine months. As educational professionals and MSPs battle singular hackers, sophisticated foreign governments, and crime syndicates to protect employee and student data, it begs the question: What can really be done with this information?

Upon gaining access to critical data, cybercriminals can leverage this sensitive information for an array of attacks, such as: 

  • Phishing scams: Using a fraudulent solicitation over email or website.  
  • Ransomware attacks: Malicious software that blocks access to computer or data systems with a fee to restore access.   
  • Distributed Denial of Service (DDoS): Overwhelms websites, servers, and computers with massive and ongoing attacks to prevent authorized users from accessing networks and systems.
  • Zoom bombing: Perpetrators disrupt video conferences with pornographic or hate/threatening language.

The financial breakdown of cybersecurity for school districts

The complexities that come with protecting schools and their stakeholders from threats are vast, and implementing cyber policies comes with additional challenges.

Readiness and Emergency Management for Schools (REMS) advises schools and school districts that things like filtering and blocking applications – such as firewalls, encryption, and anti-virus/anti-malware systems – are an important part of that equation. 

However, one of the biggest barriers to this is money. It’s no secret that schools don’t have the means to incorporate major cybersecurity changes into their budget, especially not on a recurring basis. K-12 respondents to the Nationwide Cybersecurity Review (NCSR) reported a lack of money as their top challenge, with nearly one-fifth of schools investing less than one percent of their overall IT budget on K12 cybersecurity. 

That said, the cost of a cyber breach is also hefty. Between recovery time and navigating stolen data, schools may end up spending the same amount recovering from an attack as they would to prevent one. As the average cost of a data breach in the U.S. hit $9.4 million in 2022, according to IBM, administrators need to leverage security solutions to minimize their exposure. This means that MSPs need to advise and offer more robust and sustainable cyber defenses to protect these institutions.

Lesson planning: How to minimize cybersecurity risk for schools

Planning is a big part of a successful cybersecurity program. Infrastructure is a major concern for IT teams and administrators, especially with an array of devices and operating systems. Universities have huge networks that are easier for hackers to exploit. Last year, a ransomware group targeted Florida International University with its 48,000 students and swiped personal information that exposed accounting documents, social security numbers, and other sensitive data.

It’s also crucial to understand what is at stake. Schools don’t only have access to academic records. Things like medical records or other sensitive personal information could quickly be accessed and used by threat actors in a matter of minutes. In fact, a class action lawsuit has been filed over an alleged UC San Diego data breach in 2021 in which hackers gained access to 500,000 employee email accounts revealing lab results, diagnoses, and medical records. The lawsuit also names the Regents of the University of California, demonstrating the scope of liability for poor cybersecurity standards. 

All of these risks help to clarify just what’s at stake if cybersecurity isn’t made a priority in the education industry. This is a prime time for MSPs to help leaders in the education space to implement a strong K12 cybersecurity strategy. Limiting the data employees can access is a good start. Encouraging strong cyber hygiene and offering phishing training would also help from a user perspective. Most important of all, however, is modernizing network security with backup systems and integrated protection.

What is the biggest cybersecurity problem for school districts and how do you fix it?

In early September, the Cybersecurity and Infrastructure Security Agency (CISA) announced a voluntary pledge for K12 education technology software manufacturers to commit to designing products with a greater focus on security. In the announcement, CISA mentioned that six leaders in the education software industry had already committed to the pledge: PowerSchool, ClassLink, Clever, GG4L, Instructure, and D2L.

“We need to address K12 cybersecurity issues at its foundation by ensuring schools and administrators have access to technology and software that is safe and secure right out of the box,” said CISA director Jen Easterly. “I want to thank ClassLink, Clever, D2L, GG4L, Instructure, and PowerSchool, who have already signed this pledge and for their leadership in this area. We need all K-12 software manufacturers to help us improve cybersecurity for the education sector by committing to prioritize security as a critical element of product development.”

CISA’s principles for K12 cybersecurity

This action brings a spotlight to the ongoing issue of K12 cybersecurity. CISA’s goal is to persuade more K12 software and hardware manufacturers to commit to its pledge. Signing the pledge demonstrates that the manufacturer is committing to three principles:

  • Taking ownership of customer security outcomes: Includes offering Single Sign On (SSO) and security audit logs at no extra charge.
  • Embracing radical transparency and accountability: Includes publishing a secure by design roadmap, a vulnerability disclosure policy and security-relevant statistics and trends.
  • Leading from the top by making secure technology a key priority for company leadership: Includes naming a C-level leader at the company who is charged with overseeing security.

What does secure by design mean?

In typical software design and manufacturing, the focus is on the product’s reason for being. For example, the developers of reading improvement software are focused on building a product that delivers measurable improvements to student reading speed and comprehension. The security of the software and its user data are an afterthought. Any security considerations are made late in the development process or bolted on afterward.

In contrast, a secure by design approach means that developers bake security into the design of the product from the beginning. This has proven to be a much more effective approach to protecting software than trying to patch security holes after the fact. Secure by design was popularized by the European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018. Today, this is a more common approach to software design, but it is relatively new to K12 education.

Today’s ongoing K12 cybersecurity threats

While the K12 education industry strives for improved protection in its schools, fresh examples of security holes continue to appear on a regular basis. Most recently, Prince George’s County Public Schools was the victim of a ransomware attack on August 14 that impacted about 4,500 user accounts, mostly staff, according to the district. Cybersecurity breaches such as this can have a detrimental impact on K12 schools, threatening both reputation and financial well-being.

Unfortunately, successful ransomware attacks can hinge on exploiting a single vulnerability hidden among the dozens of software applications running in most school districts. By following CISA’s guidance and committing to a secure by design approach to software development, developers can further reduce potential vulnerabilities and keep staff and student data more secure.

Mitigating data breaches with live patch management https://www.eschoolnews.com/it-leadership/2023/12/08/data-breaches-live-patch-management/ Fri, 08 Dec 2023 09:40:00 +0000 https://www.eschoolnews.com/?p=215440 According to a recent report from CISA, aggressive hacking tactics by threat actors are increasing in frequency and complexity against K-12 classrooms and higher education institutions.

Key points:

According to a recent report from the Cybersecurity and Infrastructure Security Agency (CISA), aggressive hacking tactics by threat actors are increasing in frequency and complexity against K-12 classrooms and higher education institutions.

With public and private schools providing a broad attack surface area for exploitation, they often find themselves repeatedly targeted by malicious hackers looking for financial gain or to steal the sensitive information of students and teachers. These cyberattacks create potentially dangerous effects on the education sector via lost instructional time and the cost to recover from the incident.

It’s no surprise that ransomware has hit the education sector hard. Schools often struggle to find room in the IT budget for a robust cybersecurity plan–and they are further constrained due to the difficulty in retaining IT talent to boost their overall security posture. As a result, hackers can often easily slip in through open vulnerabilities and wreak costly havoc on districts. Countering such devastating attacks with efficiency is going to be key in the 2023-2024 school year. 

Establish holistic approaches to security

Fortifying defenses against future ransomware attacks requires institutions to prioritize cybersecurity investments, while improving talent retention strategies and automating their patching capabilities. The nation continues to face a severe cyber workforce shortage, and at the same time, most students in the classroom are not being taught proper cyber hygiene or how to best defend themselves from exploitation in the digital world. It’s clear that cybersecurity is not simply an issue for staff or teachers. 

With malware, phishing campaigns and distributed denial-of-service attacks on the rise, school systems require more eyes and ears than a lone IT team can provide. Traditionally, IT teams in school districts or on college campuses focus their efforts on external-facing systems and often fail to properly secure internal networks that are just as at risk. Higher education institutions are particularly susceptible to internal attacks. In fact, university breaches are more likely to come from a student who is either inadvertently or even purposely causing a disruption. This adds yet another layer of risk to mitigate.

Promoting a culture of security awareness can transform the way districts handle these cyberthreats. Students and educators alike can learn how to quickly spot and report threats, how to maintain strong password management, as well as how to better protect themselves in an online digital environment. This holistic approach to risk and compliance is the foundation for an ecosystem that better defends itself against daily cyber threats.

Critical vulnerabilities within unprepared systems often stem from two main factors: a lack of effective threat detection and the improper storage of documents on school-provided cloud drives. Without proper threat detection in place, it is extremely difficult for vulnerabilities in system software to be recognized and ultimately mitigated. For example, last September, a ransomware attack on the Los Angeles Unified School District (LAUSD) drew national attention after it was confirmed that Social Security numbers and the private, sensitive information of staff and students were exposed. Not only was this attack a breach of information that damaged the confidence and reputation of the school, but it was also a massive disruption to the district and its network system availability. While it may have been unclear if the root cause was in fact an unpatched system or not, it is clear that unpatched systems, or delayed patches, can lead to such incidents.

Delayed patches mean that vulnerabilities can go undetected or get completely ignored for weeks or even months at a time. Unfortunately, some institutions may think it is perfectly fine to designate certain times of the year for their patch management. But trying to squeeze in 6 months’ worth of patching before the start of a new semester can financially and academically disrupt a K-12 district or university via lengthy downtimes.

Traditional patch management is out

This passive approach to patching means the education sector must wait for patches to be automatically delivered and then manually installed, which can add to the delays in addressing known vulnerabilities. It’s not a secret that patch management can be a frustrating and time-consuming process that requires scheduled maintenance and is heavy on the manual labor needs for already overworked security teams. But by moving universities, community colleges, and K-12 districts into a more automated approach to patch management, the process becomes significantly streamlined. 

Live patching is a relatively new approach that works by intercepting and modifying code at runtime without interrupting normal system operations. With automatic security patching in place, it not only frees up administrators, it also significantly reduces necessary downtime.

Some of the biggest benefits to switching to automated patching in place of traditional methods are:

  • Reduced downtime and disruption: Applying live patches minimizes the risk of unexpected system failures, crashes, or downtime resulting from unpatched vulnerabilities. This ensures smooth operations, uninterrupted services, and safer student data.
  • Timely vulnerability mitigation: Proactive patching ensures that vulnerabilities are addressed as soon as patches become available. This significantly reduces the window of opportunity for attackers, minimizing the risk of successful exploitation.
  • Reduces risky reboots: Live patching eliminates the need for scheduled maintenance windows in which a system is rebooted or services are restarted. Rolling reboots and restarts themselves can be risky and disrupt daily classroom operations if forced to shut down temporarily.

The digital transformation process for the education sector is crucial in light of increased targeted attacks. By securing classroom environments through a strong vulnerability management platform and empowering IT administrators, educators, and students to focus their efforts on proactive defense strategies and awareness, schools can enhance their ability to defend themselves and lower the risk of exploitation. 

Fixing the K-12 cybersecurity problem https://www.eschoolnews.com/it-leadership/2023/10/17/fixing-the-k-12-cybersecurity-problem/ Tue, 17 Oct 2023 09:25:00 +0000 https://www.eschoolnews.com/?p=214570 In early September, CISA announced a voluntary pledge for K-12 education technology software manufacturers to commit to designing products with a greater focus on security.

Key points:

In early September, the Cybersecurity and Infrastructure Security Agency (CISA) announced a voluntary pledge for K-12 education technology software manufacturers to commit to designing products with a greater focus on security. In the announcement, CISA mentioned that six leaders in the education software industry had already committed to the pledge: PowerSchool, ClassLink, Clever, GG4L, Instructure, and D2L.

“We need to address K-12 cybersecurity issues at its foundation by ensuring schools and administrators have access to technology and software that is safe and secure right out of the box,” said CISA director Jen Easterly. “I want to thank ClassLink, Clever, D2L, GG4L, Instructure, and PowerSchool, who have already signed this pledge and for their leadership in this area. We need all K-12 software manufacturers to help us improve cybersecurity for the education sector by committing to prioritize security as a critical element of product development.”

CISA’s principles for K-12 cybersecurity

This action brings a spotlight to the ongoing issue of K-12 cybersecurity. CISA’s goal is to persuade more K-12 software and hardware manufacturers to commit to its pledge. Signing the pledge demonstrates that the manufacturer is committing to three principles:

  • Taking ownership of customer security outcomes: Includes offering Single Sign On (SSO) and security audit logs at no extra charge
  • Embracing radical transparency and accountability: Includes publishing a secure by design roadmap, a vulnerability disclosure policy and security-relevant statistics and trends
  • Leading from the top by making secure technology a key priority for company leadership: Includes naming a C-level leader at the company who is charged with overseeing security

Secure by design explained

What does secure by design mean? In typical software design and manufacturing, the focus is on the product’s reason for being. For example, the developers of reading improvement software are focused on building a product that delivers measurable improvements to student reading speed and comprehension. The security of the software and its user data are an afterthought. Any security considerations are made late in the development process or bolted on afterward.

In contrast, a secure by design approach means that developers bake security into the design of the product from the beginning. This has proven to be a much more effective approach to protecting software than trying to patch security holes after the fact. Secure by design was popularized by the European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018. Today, this is a more common approach to software design, but it is relatively new to K-12 education.

Ongoing K-12 cybersecurity threats

While the K-12 education industry strives for improved protection in its schools, fresh examples of security holes continue to appear on a regular basis. Most recently, Prince George’s County Public Schools was the victim of a ransomware attack on August 14 that impacted about 4,500 user accounts, mostly staff, according to the district. Cybersecurity breaches such as this can have a detrimental impact on K-12 schools, threatening both reputation and financial well-being.

Unfortunately, successful ransomware attacks can hinge on exploiting a single vulnerability hidden among the dozens of software applications running in most school districts. By following CISA’s guidance and committing to a secure by design approach to software development, developers can further reduce potential vulnerabilities and keep staff and student data more secure.

How to keep hackers off your school attendance list with object storage https://www.eschoolnews.com/it-leadership/2023/10/10/hackers-object-storage-ransomware-data/ Tue, 10 Oct 2023 09:30:00 +0000 https://www.eschoolnews.com/?p=214479 As the 2023-2024 school year commences, focus on education is accompanied by a pressing concern for better cybersecurity. Cybercriminals are poised to exploit educational institutions, seeking access to personal, financial, and health records.

Key points:

As the 2023-2024 school year commences, focus on education is accompanied by a pressing concern for better cybersecurity. Cybercriminals are poised to exploit educational institutions, seeking access to personal, financial, and health records. Recent incidents, such as New Haven School System’s $6 million breach and the Prince George’s County schools attack, highlight potential risks facing schools today. There is a critical need for robust cybersecurity measures for protection against attacks, inclusive of a comprehensive plan to keep hackers at bay.

What’s sending hackers to schools for the ultimate ransomware field day? Educational institutions hold a wealth of valuable information but lack IT budgets and updated cybersecurity tools, making them prime targets. In a perfect world, ransomware could always be stopped at the “front door” before it enters a school’s network premises, but this is hardly the case. Detection and prevention measures such as monitoring network traffic, establishing strict permission guidelines, and implementing multi-factor authentication (MFA) to confirm identities are continuously evolving, but attackers are becoming increasingly sophisticated, often finding ways to bypass these defense measures.

Understanding why schools are prime targets is the first step to building a healthy cybersecurity ecosystem. The next step is looking at what tools are in place and considering how to optimize their performance and functionality–not only for security, but recoverability and restoration. Emphasizing backup as a key component of security strategy may be the low-effort, cost-effective solution schools need to achieve cyber-resiliency.

Stay aware: Students aren’t the only ones preparing to go back to school

We’ve witnessed an alarming surge in ransomware attacks on educational institutions. At least 120 schools have suffered a ransomware attack compared to 188 in all of 2022. Despite their crucial role in shaping the future, schools often grapple with small IT budgets, limited staff, and outdated technology, making them lucrative targets for threat actors.

With these obstacles in mind, schools are more likely to endure consequences of an attack stemming from human error from students and overly complex tech that IT staff are too strapped to manage properly. This often opens them up to the possibility of data theft, followed by extremely long recovery times. For instance, in April, Alabama-based Jefferson County Schools suffered prolonged disruptions from an attack that occurred during the end of spring break in March, and an incident at Colorado public schools in June led to data exposure of student mental health records.

Stay prepared to stay protected

A crucial part of staying ahead of ransomware is staying informed. Currently, there are types of ransomware that are intelligent enough to commit an acoustic attack by listening to your keystrokes and predicting what someone is typing with 95 percent accuracy. Hackers can listen in to text chats or leak sensitive information, which is tough to manage in a school setting given the multitude of devices and connectivity options.

Though backup typically falls second to other defense measures, its impact can be outstanding. Consider The New Haven School system, which tried to alleviate getting data back up and running by paying ransom to the attackers. The biggest concern here is there is no guarantee that stolen data will be returned post-payment.

Veeam’s 2023 Ransomware Trends Report found that while 59 percent of organizations paid the ransom and were able to recover data, 21 percent that paid the ransom still didn’t get their data back. Additionally, only 16 percent of organizations avoided paying ransom because they were able to recover from backups. The truth is, no security plan is foolproof, and schools should consider quality versus quantity when it comes to which tools to bring to the battle against cyber threats. While implementing standard security measures is highly encouraged, the reality is that nothing will keep schools completely void of ransomware attacks.

This is where data backup comes to the forefront of cybersecurity strategies. This includes conducting regular backups of school data and following the 3-2-1-1-0 strategy, comprised of three copies of data saved on two types of media, with one copy offsite and one copy offline. Should a disruption occur, this makes the difference in guaranteed availability. Incorporating strong security measures like these into backup and management practices boosts the overall resilience of a school’s data infrastructure.

Stay ahead with immutable backup storage

It’s worth noting, targeting primary data and backups is well within the realm of possibility as ransomware rises. Although criminal hackers actively target backups, these remain the best defense against ransomware. Schools must ensure they take regular backups that are immutable, stored off-site, or, ideally, both. Immutable backup storage is a type of data storage system designed to prevent unauthorized or accidental modifications, deletions, or alterations to backed-up data for a specified period. Therefore, once data is written or stored, it cannot be changed or deleted until the predefined retention period expires.

Object storage is a great partner for education as it enables versioning and object lock, rendering itself ransomware-proof. Schools should incorporate backups with hardened security and an appropriate level of redundancy for constrained IT. What’s more, it’s a simple, powerful, and secure tool that schools can use to guarantee recovery. It is generally affordable compared to file or block storage solutions, further accommodating a limited budget for school IT.

Back to school with better protection

To prepare for potential attacks, schools must establish clear roles and responsibilities for key stakeholders. With the value of data continually on the rise, it’s not a question of if a school will face an attack, but when. Cybersecurity awareness among students and staff is paramount in keeping our leaders of tomorrow and their data safe. Furthermore, aligning with the U.S. Department of Education’s Cybersecurity Resilience Efforts can provide additional resources and support.

Data should be stored in a separate system to ensure availability in case of disruption. Combat attacks on primary storage with built-in immunity as an extra layer of protection against tampering. Keep school in session with a low-effort and cost-efficient solution like on-premises object-based backup storage–a tool built for low maintenance and constrained IT.

Your district’s cyber safety needs help–here’s how to fix it https://www.eschoolnews.com/it-leadership/2023/10/03/districts-cybersecurity-vulnerability/ Tue, 03 Oct 2023 09:44:00 +0000 https://www.eschoolnews.com/?p=214376 With open networks, tight budgets, and a lack of proper cybersecurity training for teachers and students, there are many factors that lead schools to become prime targets for attacks.

Key points:

There is no question that cybersecurity threats such as ransomware continue to pummel the education system, with the White House estimating that at least eight K-12 school districts faced “significant cyberattacks” during the last school year alone, resulting in loss of learning time and even full school shutdowns. With open networks, tight budgets, and a lack of proper cybersecurity training for teachers and students, there are many factors that lead schools to become prime targets for attacks. 

On the heels of the White House’s multi-pronged plan to help bolster K-12 schools’ cybersecurity, it is crucial that schools recognize the importance of strong cyber posture within the education system and take the steps necessary to bolster their digital security, despite limited resources and an increasing number of complex cyberattacks.

Why schools are susceptible to attacks  

Schools do not necessarily come to mind when you think about places most likely to face a cyberattack, but they’re a big target for hackers for a number of reasons. Cyber attackers are opportunistic and seem to look for victims they know or assume have weak security measures in place. School networks, whether primary schools or universities, tend to be open (and inherently less secure) more often than most organizations due to their mission to promote learning, and unfortunately often find themselves falling victim to attack.

Schools aren’t necessarily being specifically targeted, but there are several reasons they may find themselves a victim of a cyberattack:

1. Ransomware actors focus on organizations that are likely to pay a ransom.

This is how cybercriminals make their living. School environments will often be under pressure from parents and authorities to remain open, possibly making it more likely that they would pay a ransom to restore systems quickly.

2. Institutions often have limited security protections

Historically, educational institutions have not spent money to secure their information technology infrastructure or cybersecurity posture. When cybersecurity professionals are hired, the salaries typically are much lower than normal, so schools are not getting the top prospects in the cybersecurity realm. Most educational organizations and districts do not even have full-time cybersecurity professionals or offer routine training to the educators, faculty, and students.

3. Academic institutions may use new, untried technology

While recent technologies provide benefits for educators, such as improved accessibility or access to education techniques that help students with certain learning styles, it’s important to remember not all technologies are secure. Many times, the less-secured or less-tested technologies are not as expensive as the more secure and tested technologies. This can create a conundrum for educational organizations with small budgets and lead to great risks associated with cybersecurity.

4. Attackers value email addresses ending in .edu

Emails are a valuable resource for hackers who want to stage phishing attacks. The more legitimate and trustworthy an email is, the more useful it will be in launching an attack. By taking over an email account belonging to an institution, cybercriminals can benefit from the credibility that the domain offers to their phishing email.

Still, it is simple for cybercriminals to get an education domain email address for themselves; many institutions allow anyone to create an account during an application.

5. Academic staff often more exposed to phishing

Academic staff are more likely to fall victim to phishing attacks due to a lack of security tools and a lack of awareness about cyber threats. All it takes is for a single staff member to have a momentary lapse in judgment, and their action can result in malware infecting the entire campus network. High value .edu email addresses belonging to staff members are also often published online, which makes it easy for attackers to locate and choose their victims. It is for these reasons that most academic breaches begin with an email attack.

6. Staff and students take laptops home

School staff and students usually take their laptops home for weekends and summer. This makes security concerns even more critical due to the fact that laptops are using Wi-Fi networks that may not be well protected. It can also be difficult to determine how often these laptops are being updated with security patches while away from school networks.

Achieving better cybersecurity posture

Here are some simple steps to reduce cybersecurity risk in educational settings:

  • Use multifactor authentication whenever possible — never rely on passwords for security. Passwords alone cannot provide adequate security. Add MFA to passwords when authenticating to computers, applications, websites, and other networks.
  • Conduct periodic vulnerability scans on everything connected to the network. These scans will find missing updates, patches, and known vulnerabilities.
  • Install patching recommendations immediately when prompted or as quickly as possible.
  • Perform regular penetration tests to find holes, misconfigurations, improperly secured software and applications, and a host of other security related issues. These tests should be performed at least annually by a good cybersecurity firm.
  • Utilize next generation endpoint protection and log monitoring to ensure everything is being done to protect the laptops and servers, and any serious event is captured immediately so it can be investigated.
  • Hire competent, well-trained cybersecurity staff who can help develop a culture of cybersecurity awareness while testing, investigating, and promoting best practices related to cybersecurity.
  • Require mandatory cybersecurity training for teachers and staff. In addition to patching and MFA, basic cyber education for teachers and students is critical. This includes providing crucial tips or resources on:
    • Setting strong passwords for school computers 
    • How to identify phishing schemes through email 
    • The importance of not sharing personal or financial information through email 
    • Updating your computer software regularly to ensure any bugs are fixed and vulnerabilities are addressed
    • Reporting security issues to the appropriate staff, so issues can be thoroughly investigated

Schools will likely remain the targets of cyberattacks for years to come, so it is important that schools prepare themselves by implementing strong cyber practices for their systems. These include strong password management, next generation endpoint and event monitoring, MFA, vulnerability assessments, penetration testing, rapid patching and hiring cybersecurity professionals. When each of these fundamental strategies is performed correctly, significant risk reductions will occur, and cybercriminals will start to learn that school systems and networks are more secure and less vulnerable to common attacks than they think.

As invisible threats to education loom, cybersecurity is paramount https://www.eschoolnews.com/it-leadership/2023/09/06/education-cybersecurity-protection/ Wed, 06 Sep 2023 09:27:00 +0000

As COVID-19 swept the nation beginning in 2019, no one knew just how life-altering the pivot to remote work and education would be. Today, more students and employees than ever rely on technology to engage with their work and peers. As with holidays and other unanticipated events, this pivot drew in some of the biggest minds in security, who worked to eliminate cybersecurity challenges stemming from this change – but it also drew in hackers.

Shoring up cybersecurity practices in the education industry is quite the feat. User authorization is extremely challenging, as IT professionals must navigate through different levels of access for each user community. This creates even higher risks because networks must be open to employees, students, and others – an issue most businesses don’t need to manage.

Another major cybersecurity challenge we see frequently with education is outdated technology. As in healthcare, we see devices that need to connect to the network, but their old software poses risks, such as a lack of updated security protocols. This creates vulnerabilities that are ideal for threat actors, many of whom are looking for an easy fix they can exploit. Media devices that can be connected to computers–thumb drives, external hard drives, CDs, DVDs–also pose a challenge to MSPs/MSSPs providing cybersecurity to their clients.

As frequently as we see these attacks in the news, not much is changing in terms of recovery time or preparation. As the number of breaches rises, the Government Accountability Office (GAO) found that recovery from these attacks ranges from two to nine months. As educational professionals and MSPs battle singular hackers, sophisticated foreign governments, and crime syndicates to protect employee and student data, it begs the question: What can really be done with this information?

Upon gaining access to critical data, cybercriminals can leverage this sensitive information for an array of attacks, such as: 

  • Phishing scams: Using a fraudulent solicitation over email or website.
  • Ransomware attacks: Malicious software that blocks access to computer or data systems with a fee to restore access.
  • Distributed Denial of Service (DDoS): Overwhelms websites, servers, and computers with massive and ongoing attacks to prevent authorized users from accessing networks and systems.
  • Zoom bombing: Perpetrators disrupt video conferences with pornographic or hate/threatening language.

The financial breakdown

The complexities that come with protecting schools and their stakeholders from threats are vast, and implementing cyber policies comes with additional challenges.

Readiness and Emergency Management for Schools (REMS) advises schools and school districts that things like filtering and blocking applications – such as firewalls, encryption, and anti-virus/anti-malware systems – are an important part of that equation. 

However, one of the biggest barriers to this is money. It’s no secret that schools don’t have the means to incorporate major cybersecurity changes into their budget, especially not on a recurring basis. K-12 respondents to the Nationwide Cybersecurity Review (NCSR) reported a lack of money as their top challenge, with nearly one-fifth of schools investing less than one percent of their overall IT budget on cybersecurity. 

That said, the cost of a cyber breach is also hefty. Between recovery time and navigating stolen data, schools may end up spending the same amount in their journey to recovering from an attack as they would to prevent them. As the average cost of a data breach in the U.S. hit $9.4 million in 2022, according to IBM, administrators need to leverage security solutions to minimize their exposure. This means that MSPs need to advise and offer more robust and sustainable cyber defenses to protect these institutions. 

Lesson planning: How to minimize the threat

Planning is a big part of a successful cybersecurity program. Infrastructure is a major concern for IT teams and administrators, especially with an array of devices and operating systems. Universities have huge networks, which makes them easier for hackers to exploit. Last year, a ransomware group targeted Florida International University with its 48,000 students and swiped personal information that exposed accounting documents, social security numbers, and other sensitive data.

It’s also crucial to understand what is at stake. Schools don’t only have access to academic records. Things like medical records or other sensitive personal information could quickly be accessed and used by threat actors in a matter of minutes. In fact, a class action lawsuit has been filed over an alleged UC San Diego data breach in 2021 in which hackers gained access to 500,000 employee email accounts revealing lab results, diagnoses, and medical records. The lawsuit also names the Regents of the University of California, demonstrating the scope of liability for poor cybersecurity standards. 

All of these risks help to clarify just what’s at stake if cybersecurity isn’t made a priority in the education industry. This is a prime time for MSPs to help leaders in the education space to implement a strong cybersecurity strategy. Limiting the data employees can access is a good start. Encouraging strong cyber hygiene and offering phishing training would also help from a user perspective. Most important of all, however, is modernizing network security with backup systems and integrated protection.

Reading, writing, and cybersecurity: Practicing good cyber hygiene https://www.eschoolnews.com/it-leadership/2023/08/30/cyber-hygiene-schools/ Wed, 30 Aug 2023 09:32:00 +0000

The school bell is about to ring in another academic year, and as children pull out their lunchboxes and teachers decorate their rooms, schools continue to face an onslaught of cyberthreats while also grappling with perpetually insufficient budgets, legacy IT, and under-staffing concerns.

The increased level of connectivity in today’s schools means richer opportunities for learning and community, but it also puts at further risk the financial data, personally identifiable information (PII) and other sensitive information that educational institutions hold.

K-12 schools received a cyber maturity score of 3.55 out of 7 from the Nationwide Cybersecurity Review (NCSR) risk-based assessment, despite the fact that many school districts are trying to strengthen their cybersecurity posture. And according to 29 percent of K–12 participants in that report, a cyber incident occurred in their district in the previous year. Malware and ransomware were two of the most prevalent occurrences. According to the report, ransomware attacks pose the greatest cybersecurity risk to K–12 schools and districts in terms of overall cost and downtime.

The good news is that the federal government is taking this seriously. In early August, the Biden Administration announced a new plan focused on strengthening cybersecurity in K-12 schools. While the elements of this plan are rolled out, school IT teams and leaders can also start to take action in another area: cyber hygiene for students. It’s never too early to start teaching children basic cyber literacy.

New rules are part of the solution

The Biden Administration’s new proposal comes on the heels of a report from the Cybersecurity & Infrastructure Security Agency (CISA), Protecting Our Future: Partnering to Safeguard K-12 Organizations from Cybersecurity, which offers guidelines for schools to help bolster defenses. 

Guidelines include investing in the most impactful security measures and building toward a mature cybersecurity plan, recognizing and actively overcoming resource constraints, and focusing on collaboration and information sharing. CISA will continue to engage with federal partners, including the U.S. Department of Education, and work closely with state and local officials, school leaders, emergency management officials, nonprofits, community leaders, and the private sector to identify areas for progress and provide meaningful support that measurably reduces risk.

Other elements of the administration’s new plan include a proposed pilot program that will provide up to $200 million over three years to strengthen security in schools and libraries with the help of federal agencies, and establishing a new council to coordinate between federal, state and local leaders to help bolster cyber defenses in schools. It also calls for new resources for reporting and enlists the help of private companies to provide free and low-cost resources for school districts, including training.

It’s great to have support at this level, but it will take some time for these plans to roll out to schools. In the meantime, district leaders and IT teams can start implementing good cyber hygiene practices right away.

Fostering good cyber hygiene for teachers and students

People don’t have to be tech geniuses to practice good cyber hygiene. Teachers and even the youngest students can be taught some basic cyber hygiene practices. For instance, a very common-sense practice is to not share passwords or any kind of PII with strangers online. Teachers and students must learn what suspicious links look like and learn not to click them, or to open unexpected attachments or download anything on their computers without approval. When students are online in the classroom, teachers can ensure that they use only approved websites and applications and get approval for certain activities.

When it’s age-appropriate, children can learn how important strong passwords are and how to create them. Best practices include:

  • Create longer passwords that are personally meaningful but that don’t contain any PII. An example would be a line from an obscure song with numbers and symbols mixed in to create a password that’s at least 10 characters long. These are much harder, if not impossible, for attackers to guess.
  • Use a unique password for each account.
  • For all your online accounts, create one-of-a-kind, long and difficult passwords using a password manager.

Obviously, younger children, like those in kindergarten through third grade, aren’t going to be creating or using strong passwords. Educators at that level will need to be creative in how they help students at that age protect their work, but certainly by middle and high school, this will be a key part of learning.

Pre-teens and teenagers can learn how to securely navigate social media. For example, it’s wise to not use social media accounts to log in to certain kinds of platforms, because those platforms then have instant access to whatever PII is available in those accounts. If there’s no other way to connect to that platform, students can create dummy accounts to use only for this purpose.

Students also need to be cautious about instant messaging services due to social engineering risks. The rule about never giving out PII applies here, especially financial information. And QR codes, though convenient, can send students to a site with malicious files waiting to be downloaded.

For teachers and staff, organizations from the White House to the private sector are already offering cybersecurity training for K–12 school districts. Such programs provide academics and employees with the most recent information, advice, and suggestions to help them make better decisions when faced with cyberattacks and other dangers to the school. These free training programs are already being used by many districts.

Knowledge is power–and stronger security

As long as there are school IT teams working with few human and financial resources, there will be cyber adversaries trying to take advantage and break into school networks. This requires a two-pronged approach: technology and training. Because students have network access, they need to learn how to use it safely and responsibly–IT does not bear the sole responsibility for cybersecurity.

Individual cyber hygiene plays a huge role in helping to defend the network. Training for students, teachers, and staff will help IT teams keep the bad actors out and will ultimately help create a cyber-savvier generation.

Education suffers the highest rate of ransomware attacks https://www.eschoolnews.com/it-leadership/2023/08/15/education-highest-rate-ransomware-attacks/ Tue, 15 Aug 2023 09:15:00 +0000

Education reported the highest rate of ransomware attacks in 2022, and over the past year, 79 percent of higher-ed organizations surveyed reported being hit by ransomware, while 80 percent of K-12 organizations surveyed were targeted—an increase from 64 percent and 56 percent in 2021, respectively.

These statistics come from The State of Ransomware in Education 2023, a report from cybersecurity provider Sophos.

Additionally, the education sector reported one of the highest rates of ransom payments, with more than half (56 percent) of higher-ed organizations paying and nearly half (47 percent) of K-12 educational organizations paying the ransom. However, paying the ransom significantly increased recovery costs for both higher-ed and K-12 educational organizations. For higher-ed organizations, recovery costs (excluding any ransoms paid) were $1.31 million when paying the ransom versus $980,000 when using backups. For K-12 educational organizations, the average recovery costs were $2.18 million when paying the ransom versus $1.37 million when not paying.

Paying the ransom also lengthened recovery times for victims. For higher-ed organizations, 79 percent of those that used backups recovered within a month, while only 63 percent of those that paid the ransom recovered within the same timeframe. For K-12 educational organizations, 63 percent of those that used backups recovered within a month versus just 59 percent of those that paid the ransom.

“While most schools are not cash-rich, they are very highly visible targets with immediate widespread impact in their communities. The pressure to keep the doors open and respond to calls from parents to ‘do something’ likely leads to pressure to solve the problem as quickly as possible without regard for cost. Unfortunately, the data doesn’t support that paying ransoms resolves these attacks more quickly, but it is likely a factor in victim selection for the criminals,” said Chester Wisniewski, field CTO, Sophos.

For the education sector, the root causes of ransomware attacks were similar to those across all sectors, but there was a significantly greater number of ransomware attacks involving compromised credentials for both higher-ed and K-12 educational organizations (37 percent and 36 percent respectively versus 29 percent for the cross-sector average). 

Additional key findings from the report include:

  • Exploits and compromised credentials accounted for more than three-fourths (77 percent) of ransomware attacks against higher-ed organizations; these root causes accounted for more than two-thirds (65 percent) of attacks against K-12 educational organizations
  • The rate of encryption stayed about the same for higher-ed organizations (74 percent in 2021 versus 73 percent in 2022), but increased from 72 percent to 81 percent across K-12 educational organizations during the past year
  • Higher-ed organizations reported a lower rate of using backups than the cross-sector average (63 percent versus 70 percent). This is the third lowest rate of backup use across all sectors. K-12 educational organizations, on the other hand, had a slightly higher rate of using backups than the global average (73 percent)

“Abuse of stolen credentials is common across sectors for ransomware criminals, but the lack of adoption of multifactor authentication (MFA) technology in the education sector makes them even more at risk of this method of compromise. Like the U.S. federal government’s initiative to mandate all agencies use MFA, it is time for schools of all sizes to employ MFA for faculty, staff and students. It sets a good example and is a simple way to avoid many of these attacks from getting in the door,” said Wisniewski.

Sophos recommends the following best practices to help defend against ransomware and other cyberattacks:

  • Strengthen defensive shields with:
    • Security tools that defend against the most common attack vectors, including endpoint protection with strong anti-exploit capabilities to prevent exploitation of vulnerabilities, and Zero Trust Network Access (ZTNA) to thwart the abuse of compromised credentials
    • Adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond
    • 24/7 threat detection, investigation and response, whether delivered in-house or by a specialist Managed Detection and Response (MDR) provider
  • Optimize attack preparation, including making regular backups, practicing recovering data from backups and maintaining an up-to-date incident response plan
  • Maintain good security hygiene, including timely patching and regularly reviewing security tool configurations

This press release originally appeared online.

4 back-to-school cybersecurity tips https://www.eschoolnews.com/it-leadership/2023/08/15/4-back-to-school-cybersecurity-tips/ Tue, 15 Aug 2023 09:00:00 +0000

Due to budget and resource constraints, many schools and other academic organizations are only able to implement very basic cybersecurity tools and processes, and this leaves them extremely vulnerable to cyberattacks.

We’ve seen this play out over the past 12 months with high-profile attacks on school districts in Los Angeles, Minneapolis and Tucson, Ariz., among many others. And, because cybercriminals can compromise school networks for big gains with very little effort, we expect attacks on education will only increase.

As the new school year quickly approaches, IT and security teams face a seemingly overwhelming task: protect school networks with limited budget and personnel. The good news is that there is some basic blocking and tackling that can significantly help schools build a strong cybersecurity and cyber resilience foundation, including:

1. Mandating strong passwords. It’s easy to choose a simple password or to repeat passwords across accounts for memory’s sake, but the consequences of doing so can be severe. In fact, according to the FIDO (Fast Identity Online) Alliance, passwords are the root cause of more than 80 percent of data breaches. The importance of educating students and staff about strong, hard-to-guess passwords cannot be overstated. Research shows that a 12-character password could take 27,000 years to crack and cost hackers $6.4 trillion to do so. Mandating strong passwords is a simple, cost-effective way to strengthen a school’s cybersecurity posture.

For schools that are able to take credentials management one step further, multi-factor authentication is a great option. MFA is a method of authenticating into an account that requires users to present at least two pieces of evidence to prove their identity — something they know (e.g., a password) as well as something they have (e.g., an authentication code via text or email) or something they are (e.g., facial recognition or a fingerprint scan).

2. Implementing a data backup solution. While this will certainly be an upfront investment, it will pay dividends over the long-term. Having backups of your school’s and students’ data can be extremely beneficial for compliance and business purposes, and it can also be extremely valuable in a ransomware attack – where cybercriminals access data, encrypt it and then demand schools pay a ransom to decrypt it. Many schools that don’t have a data backup solution in place pay the ransom in the hopes they’ll get their data back, but this is money out of their pocket they can’t afford to lose, and worse yet, paying the ransom does not guarantee access to the data. However, if you’re the victim of a ransomware attack and have a data backup solution in place, you can evade the ransom demand by simply falling back to the backup version.

3. Taking a security-in-depth approach. Where possible, schools should take a multi-layered approach to security, including using firewalls, anti-virus solutions, anti-malware software, and encryption. Cybercriminals don’t want to work hard to infiltrate a target, so security-in-depth is an impactful deterrent that can help fend off today’s sophisticated hackers.

4. Prioritizing cybersecurity awareness and training. Students and staff are the first line of defense in network security, and they can’t do their part if they aren’t aware of the threats facing them or the actions to take if they suspect they are a victim of an attack. IT and security teams need to make them part of cybersecurity efforts by offering ongoing cybersecurity awareness and training. The best way to get them to pay attention and remember what they learn is to offer short, engaging training sessions on a regular basis, rather than long, drawn-out presentations once a year.

All this said, we’re living in a world where it’s no longer a matter of if a school gets attacked, but when. In this reality, it’s so important that schools have an incident response plan in place, so they know how to react following a successful incident and can do so quickly. Communicating to affected families should be a big part of this plan. Timeliness and transparency are key following an attack. Victims need to know the nature of the attack, what data was compromised, what the school is doing to remediate the problem, and the steps they should take to protect their personal information. From an internal perspective, schools need to take the incident as a learning opportunity – identifying what went wrong, so they can put the right people, processes and technologies in place to prevent a similar attack from happening again.

The bottom line is schools can suffer severe consequences from a cyberattack, including disrupted instruction, impaired operations, financial losses to address the incident, and the exposure of stakeholders’ personal information. By focusing on achievable cybersecurity basics, schools can fight back by building a solid security and resilience foundation that can help them defend against cybercriminals to keep their teachers, administrators, students and families safe.

Schools are at a greater risk for cyberattacks than ever before https://www.eschoolnews.com/it-leadership/2023/08/14/schools-risks-cyberattacks-cybersecurity/ Mon, 14 Aug 2023 09:16:00 +0000

Cyber threats against K-12 school districts are on the rise, yet only minimal steps are being taken at the local level to safeguard district technology assets and student information, according to a new research report from Project Tomorrow and iboss, a Zero Trust Edge cloud security provider.

The report, Why A Different Cybersecurity Ecosystem Is Needed Today, details findings from K-12 district, technology, and communications leaders on the cybersecurity challenges they’re facing today.

The report serves as a call to districts to implement a cross-organizational strategy and a new cybersecurity ecosystem to combat the present and future threats to the security of their district technology assets—and, crucially, their students. Additionally, the report encourages districts to incorporate cybersecurity best practices into sustainable new policies and procedures in order to adequately protect district digital assets, including student and staff personal data.

The findings should alarm school district leaders and parents, as cybersecurity incidents in schools can put student information at risk of being stolen, cripple emergency communications systems, and potentially shut down schools entirely.

This year saw high-profile incidents that impacted the Baltimore, Minneapolis, and Des Moines school districts, among others. The data concludes that:

  • Districts are acutely aware of the risks: 85 percent of district technology leaders and 84 percent of district administrators now agree that our nation’s K-12 schools are at higher risk now for a cyber attack than ever before. And, according to nearly half of district technology leaders (45 percent), balancing the access to online or digital educational resources with their security concerns about certain products or usage behaviors is a significant challenge.
  • Little preparation is happening: Only half of district technology leaders report that they have conducted a security audit within their district to identify risks and assess preparation levels for a cyberattack. Additionally, only 37 percent of technology leaders who said they conducted a security audit say the audits are dictated by district policy and conducted annually.
  • A lack of collaboration is partially to blame: Over two-thirds of district technology leaders (67 percent) say that ownership of cybersecurity within their district rests wholly with the IT Department. Only 32 percent say that cybersecurity is a shared responsibility across the district leadership team with collective accountability.
  • Best practices may be the answer: According to nearly half (49 percent) of district technology leaders, what is needed most urgently today is education on best practices for K-12 cybersecurity. Other consensus calls for cyber threat preparation assessments (42 percent), buy-in from district leadership (42 percent), and increased funding for cybersecurity (39 percent).

Translating the awareness of cyber threats into actual support on the district level continues to be difficult. However, the district leaders surveyed contributed potential solutions to combat apathy, including continued education about the reality of cyber risks, full and regular risk assessments, and implementing small procedural changes to obtain buy-in and demonstrate successful results.

“With cyber attacks it’s not a matter of if, but when,” said [DISTRICT TECHNOLOGY LEADER]. “It will happen, but the severity and extent of the attack, response, and remediation will show how well-prepared the district is. With our district response plans, everyone is involved and informed. I believe being upfront and honest in the event of an attack should be the general disposition of every district.”

“I’ve worked in both the tech and non-profit education sectors and found that enterprises have much greater awareness of cyber risk and are more willing to take action than schools,” said Dr. Julie A. Evans, CEO of Project Tomorrow. “This might be because historically, technology departments at schools have had little interaction with other departments. That has to change. IT teams must work cooperatively with administration and other departments to share their knowledge to prevent further breaches and attacks.”

If zero trust is good enough for the government, it’s good enough for your school https://www.eschoolnews.com/it-leadership/2023/08/09/zero-trust-schools/ Wed, 09 Aug 2023 09:42:00 +0000

Educators and administrators are holding their breath at the dawn of another academic year. They are well aware that schools are increasingly targeted by hackers, with 1 in 4 falling victim to cyberattacks in the past 12 months.

These hallowed halls of knowledge store vast amounts of sensitive data, from student records to financial information. Consequently, this makes them attractive targets. To make matters worse, growing connected device networks and remote learning opportunities present even more vulnerabilities.

A paradigm shift from traditional perimeter-based security to a more robust and dynamic approach is increasingly necessary. As a result, zero trust is gaining ground across all sectors as today’s go-to cybersecurity approach. For example, the White House is ordering all civilian government agencies to establish and implement a zero trust plan by the end of next year. Let’s explore why schools should follow this lead.

Leveraging zero trust in education

The traditional approach to cybersecurity revolves around perimeter-based security, a method that trusts anything within the organization’s boundaries. But as threats grow in sophistication, so must cybersecurity. Instead of fortifying the perimeter like medieval castles, zero trust is akin to modern, agile defense systems that scrutinize every object seeking entry.

Continuous verification inspects all users and devices before granting access to resources. This approach adds an extra layer of protection by requiring multifactor authentication and limiting access based on the principle of least privilege. Additionally, continuous monitoring and logging provide institutions with real-time insights into potential threats, enabling swift responses to mitigate risks.

Embracing this framework guards against both internal and external threats. This is especially important as educational institutions often struggle with vulnerabilities introduced by human error, unauthorized personal devices, and third-party applications.

Another vital aspect is zero trust’s granular access controls. These ensure that only authorized personnel can access intellectual property and research data. By segmenting networks and implementing strict authentication measures, zero trust helps prevent data breaches and unauthorized theft of sensitive information. Continuous monitoring also allows for the swift detection of suspicious activity, further safeguarding vital data.

Finally, let’s consider the widespread adoption of remote and hybrid learning models. While these advancements offer benefits, they also introduce new security challenges. With students and faculty accessing educational resources from various locations and devices, traditional security measures become inadequate.

Zero trust is well-suited for this modern learning landscape as it accommodates the dynamic nature of remote and hybrid learning. How? By verifying identities, managing access rights, and continuously monitoring activities. In this way, zero trust ensures secure and seamless access to resources regardless of the user’s location or device.

The implementation challenges and considerations

Of course, deploying any solution or framework will always pose an obstacle or two. The initial costs and resources needed for deploying this new framework warrant some concern. However, the global average data breach costs roughly $4.3 million – a fraction of implementation.

On the technical side, educational institutions – especially those with limited IT resources – might see zero trust as a hurdle. Careful planning and partnering with cybersecurity experts can substantially reduce the hassles of implementation and ensure a smooth transition.

Another obstacle is choosing between a single-vendor solution and multiple solutions across vendors. Choosing a single provider offers simplified implementation and management policies, but that route sacrifices flexibility and customization. If you have the IT resources, always go for multiple vendors. It will allow you to customize your framework to your needs and help you actualize a more holistic and complete version of zero trust.

When choosing the latter path, some tools and solutions help put zero trust’s fundamental concepts into action. Start with identity and access management and zero trust network access for your identity and authentication needs. Then consider data and cloud security tools like data loss prevention solutions and next-gen firewalls. 

Finally, secure your endpoints with a unified endpoint management solution and an endpoint protection platform. Additionally, extended detection and response tools allow you to respond more swiftly and efficiently.

The time for cybersecurity action is now

The effort is worth it. Educational institutions are hubs of innovation, research, intellectual property creation, and private data. The loss or compromise of that property can have severe consequences, not only financially but also for the institution’s reputation and future prospects. 

Adopting zero trust principles allows schools to significantly enhance their cybersecurity posture, ensuring a safe and secure learning environment for students, faculty, and staff. Zero trust might seem like rocket science to some, but with the right allies and tools, it’s more like building a sandcastle on the digital beach – fun, challenging, and ultimately rewarding.

Embracing it is not only an investment in the institution’s future but also a commitment to safeguarding the integrity of knowledge and innovation for generations to come. One glance at the cybersecurity landscape shows this is the path forward. After all, if it’s good enough for the government, it’s good enough for your school.

FCC proposes $200M for K-12 cybersecurity https://www.eschoolnews.com/it-leadership/2023/08/04/fcc-proposes-200m-for-k-12-cybersecurity/ Fri, 04 Aug 2023 09:39:00 +0000

Federal Communications Commission Chairwoman Jessica Rosenworcel is asking her fellow Commissioners to support a proposal that would take further steps to enhance cybersecurity protections to protect school networks.

In a speech before the School Superintendents Association and the Association of School Business officers, Rosenworcel said she would be sharing with her colleagues a plan to create a pilot program to invest in cybersecurity services for eligible K-12 schools and libraries.

“With the growing number of sophisticated cyberattacks on schools and especially the rise in malicious ransomware attacks that harm our students, now is the time to take action,” said FCC Chairwoman Jessica Rosenworcel. “We’re proposing a significant investment of up to $200 million over three years to harden the cyber defenses and determine the most effective methods to protect our schools and libraries. Our pilot program will work in tandem with federal agency partners that have deep expertise in this area.”

While addressing the pressing need for K-12 cybersecurity defenses is essential, some industry experts caution that more is needed to support these measures.

“While the proposal is a promising start, it lacks the necessary groundwork for enduring impact,” said Doug Thompson, chief education architect at Tanium. Thompson identified three key limitations that may undermine its success without proper support: 

1. Sustainability post-pilot: The initiative is set as a 3-year pilot, raising concerns about its sustainability. Schools taking advantage of the funding to either establish or enhance their programs might find themselves in a predicament once the financial support ends, Thompson said. When considering advanced technologies, which often necessitate annual subscriptions or SaaS, schools might be unable to maintain these services without external funding. This lack of long-term financial commitment can deter schools from investing in temporary solutions. The recent history of COVID funds serves as a cautionary tale. Many schools, uncertain of sustained funding, only spent the COVID relief money on expenses they knew they could cover over time, avoiding long-term commitments. The absence of an enforcement mechanism in the proposal further diminishes its attractiveness to potential participants. 

2. Staffing and bandwidth: Schools often struggle with insufficient IT staff, and this proposal does not address this issue. Implementing advanced cybersecurity measures requires specialized skills that are hard to find and retain, especially given schools’ budget limitations. Without addressing this, the proposal may inadvertently strain already overburdened school IT departments, he noted. 

3. Outdated E-Rate program: “I’ve long argued that the E-rate program needs an overhaul. The current focus on telecommunications infrastructure does not prioritize cybersecurity. It’s an outdated approach, like building roads without considering safety measures,” Thompson added.  

A more holistic approach, which Thompson refers to as “whole of state,” is a potential solution. “This strategy would consider all state-owned devices and leverage state resources more effectively, avoiding the silo effect. This model mimics strategies used by global enterprises,” he said. “Unfortunately, technical solutions are only one piece of the puzzle. The real challenge lies in changing the policies, procedures, and cultures to support this new paradigm–a change that will require time, dedication, and courage.”

The proposal is another step in Rosenworcel’s recently launched Learn Without Limits initiative to modernize the E-rate program, which was established in 1996 to provide funds to libraries and schools for basic internet connections. Learn Without Limits was kicked off at a June 26 speech Rosenworcel gave at the American Library Association’s annual conference, where she called on her fellow Commissioners to support new efforts to allow E-rate funding to support Wi-Fi on school buses. The goal is to provide connectivity to students living in rural areas who spend long hours on school buses to get back and forth from school.

Rosenworcel’s second phase of Learn Without Limits calls on her fellow commissioners to support a proposal allowing E-rate funding to support the provision of Wi-Fi hotspots so that libraries, school libraries, and schools can check them out to patrons or students in need in the same way they check out books and other learning materials to patrons.

The third phase of Learn Without Limits is a Notice of Proposed Rulemaking that seeks comment on structuring a pilot program to support cybersecurity and advanced firewall-related services for eligible K-12 schools and libraries. The Commission has been closely looking at this issue for years, and in December 2022 put out a notice seeking public comment on whether to add advanced firewalls or other network security services as E-rate eligible services.

This most recent proposal would establish the pilot program within the Universal Service Fund, but separate from the E-rate program, to ensure gains in enhanced cybersecurity don’t come at a cost of undermining E-rate’s success in promoting digital equity.

The Notice of Proposed Rulemaking will require a full vote of the Commission, and the text of the proposal will be released upon its adoption.

This press release originally appeared online.

The essential guide to 2FA for schools https://www.eschoolnews.com/it-leadership/2023/08/01/the-essential-guide-to-2fa-for-schools/ Tue, 01 Aug 2023 08:50:00 +0000

Education heavily relies on digital infrastructure, making it a hot spot for malicious activities. Check Point’s 2022 Mid-Year Report reinforces the urgency to secure educational institutions, highlighting a crazy 44 percent surge in cyberattacks aimed at the education sector compared to 2021. On average, schools suffered 2,297 attacks per week. That’s alarming, indeed.

The solution? Verify the identity of anyone with access to a school’s network. In this article, we’ll discuss how two-factor authentication (2FA) helps protect data in schools, compliance with 2FA in educational institutions, and the key features a 2FA solution should have for schools.

How does 2FA help protect sensitive data in schools?

Nearly all attacks require access to a school’s environment via a login–2FA helps prevent attacks on schools by fortifying login management.

How exactly does 2FA protect the login? 2FA goes beyond the password to require something the user knows (password) plus something they know or possess (hardware key or token, authenticator application). This two-layered approach ensures only authorized users access a school’s systems.

Why schools need 2FA for compliance

Why do schools need to fortify their login management? Schools often need 2FA to meet compliance standards, including the following:

  • Cyber insurance: Many cyber insurers now require multi-factor authentication (MFA) for schools. It’s also expected that MFA is or will soon be a prerequisite to access the best insurance rates.
  • GLBA: Many schools need to comply with GLBA, which necessitates adherence to the NIST 800-171 guidelines. MFA stands out as one of the key security measures. Schools often must ensure compliance to maintain eligibility for federal or research grants.
  • PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) applies to schools and universities that process, store, or transmit payment card data. While PCI DSS currently recommends MFA as a best practice, it will become a requirement after March 31, 2025. After that, schools without MFA risk hefty compliance fines that could drain organizational resources. In fact, each person affected by a data breach could cost schools anywhere from $50 to $90 in fines.
  • K-12 Cybersecurity Act: The K-12 Cybersecurity Act was signed by President Joe Biden in 2021. This act aims to provide schools with improved access to cybersecurity resources and better tracking of cyberattacks on K-12 institutions nationwide. It recommends MFA to verify user identity before any access to school data.
  • FERPA: FERPA (Family Educational Rights and Privacy Act) is a federal law that safeguards student information and records. Unlike other federal regulations, FERPA doesn’t mandate specific security controls. Instead, it encourages innovation while placing the responsibility on the community to safeguard student data privacy and security. So, although FERPA documentation doesn’t explicitly mention MFA, implementing MFA aligns with FERPA’s authentication requirements for protecting data.
  • HIPAA: Elementary and secondary schools generally don’t have to follow the Health Insurance Portability and Accountability Act (HIPAA) rules. For universities, it depends: If a hospital runs a student health clinic for the university, FERPA applies. If students get healthcare from a university hospital, HIPAA applies.

How does 2FA for on-premise Active Directory help schools?

When implementing 2FA for schools, there are three main factors to consider:

  1. Integration with existing systems: Many schools operate on legacy systems like Active Directory. 2FA should easily integrate with the school’s existing on-premise Active Directory to ensure a smooth transition and minimize extra work for the IT department.
  2. Prevention of simultaneous sessions and password sharing: 2FA can help prevent simultaneous sessions and password sharing among students. This measure also prevents students from logging into multiple computers simultaneously, ensuring secure and individualized access.
  3. Enhanced accountability for student activities: 2FA makes students accountable for their actions within the school’s digital environment. Whether it’s a harmless prank or a more serious insider attack, any activity within the institution’s resources can be traced back to a user. This accountability discourages malicious behavior and encourages all users to be careful.

What do schools need in a 2FA solution?

1. Granular MFA

IT teams at educational institutions should look for granular control over MFA application, allowing them to set policies based on IP address, group or OU, device, or location. This ensures a streamlined and user-friendly MFA experience.

2. Single sign-on

Combining MFA methods with single sign-on (SSO) streamlines the authentication process, addressing the common concern that MFA is time-consuming and disrupts productivity. Simplifying MFA for access to cloud apps provides a secure, unified access experience for students and employees.

3. Comprehensive session type coverage

The solution should support MFA across various session types, including remote connections. MFA should be applied on Windows Login, RDP & RD Gateway, VPN, IIS (OWA, RDWeb, SharePoint), offline scenarios, out-of-network “offline domain access,” cloud applications with SSO, and virtual desktop (VDI) environments like Microsoft, Citrix, and VMware.

4. Flexibility

Look for flexibility to choose authentication methods based on specific needs of students and employees. This includes options like authentication applications, as well as programmable hardware tokens like YubiKey and Token2.

5. Real-time monitoring

IT administrators will want immediate access to real-time user activity, so they can identify and react to security risks.

6. Easy adoption

A user-friendly 2FA solution eliminates the need for extensive training for students, staff, or faculty. Its straightforward implementation ensures easy adoption.

7. Cost-effectiveness

Schools and other educational organizations need to be smart with their budgets. That’s why it’s important for them to invest in a cost-effective 2FA solution. It helps them get the most out of their money while still keeping their security strong.

2FA for schools mitigates risk of a breach

Schools’ user accounts are vulnerable to unauthorized access without 2FA. This can potentially result in sensitive information exposure, as well as penalties for failure to meet compliance standards. By limiting the scope of access, 2FA effectively stops the threat actor before they can do any harm.

Are ransomware attacks the new snow days? https://www.eschoolnews.com/it-leadership/2023/07/11/ransomware-attacks-new-snow-days/ Tue, 11 Jul 2023 09:22:00 +0000

In early January, the Des Moines Public Schools, the largest school district in the state of Iowa, fell victim to a ransomware attack that forced the district to take its network offline and students to miss more instructional time.

In addition to the disruption to operations, the district discovered that the attackers compromised the personal data of nearly 7,000 individuals, putting them at increased risk of identity theft and other crimes.

This is just one attack among hundreds as ransomware gangs relentlessly target the education sector. Disruptive ransomware attacks against the education sector have become so commonplace that they are likely to cause more school closures than weather-related incidents.

In fact, the number of attacks against schools is so high that the month of June was on pace to go down in the record books for the highest volume of disclosed attacks against education organizations to date.

A problem with few solutions

The Cybersecurity and Infrastructure Security Agency (CISA), which oversees protecting government agencies and our nation’s critical infrastructure, recently issued an alert about the growing risk to the education sector from ransomware attacks.

CISA also released updated guidelines for K-12 organizations, which is good. The problem is that guidelines cannot protect schools from ransomware attacks, and they do not provide any additional resources to help stem the tide of attacks on schools.

Ransomware groups continue to victimize the education sector simply because they are easy targets. The fact is, most schools lack the appropriate funding to stand up and maintain even the most basic security programs, let alone one that can go head-to-head with highly skilled threat actors.

Combine this with the fact that legacy security tools that are affordable to the education sector, like legacy Antivirus (AV) and more advanced solutions such as Endpoint Detection and Response (EDR) tools, are simply not capable of addressing the unique threat that ransomware presents.

Nearly every organization that reports being a victim of a ransomware attack was victimized despite having these security tools deployed. Ransomware operators and other threat actors routinely bypass, blind, evade, or otherwise circumvent these defenses with relative ease.

These factors together are why we keep seeing disruptive ransomware attacks causing school closures. And even if they had better endpoint protection solutions to assist them, schools would still lack the staff to effectively manage the attacks and realize any benefits in protecting their infrastructure.

Worse yet, the students whose personal information is stolen will continue to be at risk of identity theft and financial fraud well into the foreseeable future. Ransomware attack trends that include the theft of sensitive data will continue unabated until the profit motives for the threat actors are eliminated. This is organized crime we are dealing with; they only care about bringing pain to victims for their own financial gain.

Security is not a state of being; it is a daily exercise that must include not just the right technology, but the right people and processes as well. But these all require funding, and the education sector already struggles with funding even the most basic functions required to educate students, let alone stand up a security program that can address today’s complex, multi-stage attacks.

Schools need more resources and expertise

To protect critical systems and sensitive data, organizations in the education sector must first reevaluate what kinds of data they collect and store, for how long, and where/how it is stored. Eliminating the unnecessary storage of sensitive data will make schools a less attractive target to attackers and help reduce risk after an attack.

Because the options for detection and prevention are limited for the education sector, they should focus on implementing a resilience strategy and assume they will be the victim of a successful attack with contingencies in place to recover as quickly as possible.

This approach includes endpoint protection solutions, patch management, data backups, access controls, staff/student awareness training, and organizational procedure and resilience testing to be successful.

For the technology aspect of a robust defense, organizations require adequate funding to implement Endpoint Protection (EPP) solutions, because they will catch some commodity attacks. If possible, they should also deploy an anti-ransomware solution alongside existing endpoint solutions (NAV/GAV/EDR/XDR) to bridge the gaps in ransomware-specific coverage.

They also need to ensure they have a good Patch Management program to keep all software and operating systems up to date and free from exploitable vulnerabilities. They should also ensure that all critical data is backed up offsite and protected from corruption in the case of a ransomware attack.

For the people aspect, organizations should ensure they have adequate Access Controls in place by implementing network segmentation and policies of least privilege (Zero Trust). Additionally, they should have an active Security Awareness program to educate staff and students about risky behaviors, phishing techniques, and other social engineering techniques attackers use to gain access to a network.

On the process front, organizations need to implement regular Resilience Testing that can stress-test security solutions against simulated ransomware attacks to ensure effective detection, prevention, response, and full recovery of targeted systems. Furthermore, they also need to conduct regular Procedure Testing where they can prepare for failure of their defenses by running regular tabletop exercises that include all stakeholders to ensure they are ready and available to respond to an attack at all times.

The takeaway

We will never be able to stop ransomware attacks, but we can prevent attackers from achieving all their objectives by taking care to prevent the exfiltration of sensitive data, by blocking the execution of the ransomware payload, and by having the capabilities in place to rapidly recover systems and data, minimizing any potential downtime.

But schools cannot do this without adequate funding. Guidelines are an important first step to protecting our educational institutions from the impact of ransomware attacks, but they cannot implement guidelines if they do not have the prerequisite resources and skilled personnel.

If we are serious about protecting our education sector, preventing school closures due to ransomware attacks, and protecting our students from the risk of identity theft, we need to bite the bullet and make sure schools have the funding they need to be successful in the face of well-resourced attackers.

It comes down to a choice, and whether we want to collectively invest in protecting our schools and students from cyber snow days or continue with the status quo.

Key tips to help educators thwart cyberattacks https://www.eschoolnews.com/it-leadership/2023/07/10/key-tips-to-help-educators-thwart-cyberattacks/ Mon, 10 Jul 2023 09:31:00 +0000

Key points:

  • There are simple and proven tactics to help schools avoid common cyberattacks
  • Remaining vigilant and knowledgeable helps educators form safe habits to dodge cybercriminals

It’s not a topic we’re unfamiliar with: Criminal hackers are increasing their activity and they’re targeting K–12 schools, threatening districts with damaging financial and learning-downtime costs. The K12 Security Information Exchange (K12 SIX) tracks publicly disclosed school cyber incidents and reports an average rate of more than one K–12 cyber incident per school day across U.S. public schools.

With increased cyberattacks, the idea of a potential threat to a school or district feels daunting to ward against, but, more often than not, the simple tactics outlined below can help educators thwart some of the most common attacks.

Know the formats

Before we can discuss tactics to avoid the traps of cyber-criminals, we first must address the forms these attacks can take. Primary types of incidents include student-data breaches, denial-of-service (DoS) attacks, business email compromise scams, and online class and school meeting invasions. Fortunately, two of the most common attacks reported—phishing and ransomware incidents—can in many cases be easily prevented by attentive users.

In phishing attacks, the hacker tries to trick you into clicking on a link or attachment in an email or text that appears legitimate but is actually malicious. The goal is to extract or deceive you into disclosing private information. Ransomware, on the other hand, is a form of malware that infects your system, locks access to your data or computer, and demands that you pay a ransom to unlock it. While the costs of these incidents can be devastating, being aware of the shape they can take will support you whenever you’re working online.

Stay vigilant

Don’t be lulled into mindless clicking—on web addresses, emails, texts, or attachments. Stay alert. Train yourself, for example, to routinely hover your pointer over email addresses and unknown links so you can see the full link and verify if they’re legitimate before you click. Never click on a link in a pop-up ad or email unless you’re sure of the source.

Here are some other things you should—or shouldn’t—do to help prevent phishing attacks:

  • Keep anti-virus and spam software updated on all your devices. Usually, you can update settings and status by clicking on the program icon. It’s worth the time to periodically make sure you have the latest versions.
  • Beware of fake orders. Before you call a telephone number or click on a link asking you to confirm a product or service purchase, make sure it’s something you ordered. This common scam is an attempt to steal your credit card number or other sensitive personal data.
  • Cover your webcam to keep unauthorized apps from recording you and your work environment. Use duct tape, washi tape, sticky notes, slide covers—they all do the job.
  • Avoid participating in social media polls, quizzes and chain posting.
  • Lock your computer screen whenever you move away from it. It’s an easy step, and some systems even let you set up automatic locking. Your IT administrator can help you determine the best method for your work setting and habits.
  • Do not conduct business on public Wi-Fi accessible in coffee shops, malls, or other public spaces. While many locations utilize encryption and other security technology, don’t take the chance that the one you’re visiting is not up to date. Enjoy your latte but skip the offsite work.
  • Always secure your device in a safe place.

“I clicked it, now what?”

Unfortunately, relentless hackers do sometimes trip up even the most diligent of users. If you discover you’ve clicked on a malicious link, suspect a data breach, lost a device, or have one stolen, here’s what you can do to minimize the impact:

  • Notify your IT department immediately
  • Run a security scan on any impacted device(s)
  • Change your passwords
  • Report identity theft to IdentityTheft.gov 
  • Report fraud to the Federal Trade Commission or phishing to the Anti-Phishing Working Group

Finally, don’t neglect to configure the privacy settings on all the devices you use at home and in school. Typically accessed under a heading such as “Profile,” “Account,” or “Settings,” options let you set up sharing and connecting parameters, manage your public visibility and create your passwords and protection. Whenever the option is available, always choose two- or multi-factor authentication.

Following these basic steps and staying vigilant will help outsmart the hackers determined to target your school systems and data. We are all responsible for cybersecurity and the safety of our information and our students’.

Cybersecurity, like charity, begins at home https://www.eschoolnews.com/it-leadership/2023/07/05/cybersecurity-like-charity-begins-at-home/ Wed, 05 Jul 2023 09:33:00 +0000

We are living at a time when many of the most advanced, profitable, technologically-sophisticated companies in the world are barely treading water when it comes to cybersecurity. With that being the case, what chance do our children have of staving off these threats?

More than half of U.S. children now possess their own smartphone by the age of 11. And long before they have a device of their own, they’re using their parents’—to play games, to watch movies, to do their homework. That’s not to mention the panoply of devices they interact with at school, at friends’ homes, at after-school activities — on and on and on.

Each one of these devices represents the risk that a child will surrender vulnerable information, accidentally install malware, or worse. Today’s cybercriminals are relentless, operating at unprecedented scale and seeking advantage wherever they can find it. Children—the most vulnerable among us—are an irresistible target to these bad actors. It’s no surprise, then, that one in four young people will experience identity theft or fraud before they reach the age of 18.

This isn’t necessarily a reason to panic. The benefits of our connected world far outweigh the risks presented by cybercriminals. It is, though, a reason to really talk to your child about the reality of scams online—to teach them what to look out for and present them with a realistic sense of what the risks are. Because fundamentally, proper cybersecurity—like charity—should begin at home.

Talk to your children about cybersecurity

Again: there’s no use in trying to frighten your child. The doom-and-gloom approach might be counterproductive when it comes to instilling the value of proper online safety. Instead of detailing worst-case scenarios, try instead to speak in a level-headed way about what to look out for when they’re using social media or playing internet-connected games.

Some of the advice here is straightforward and applies just as well to adults. Be guarded when communicating with strangers, especially on online chat platforms and social media; if you receive a message from someone claiming to be a friend or family member, make sure to verify their identity; avoid strange links and stay alert to requests that are really urgent or try to make you scared; etc., etc.

At the same time, parents should be checking their children’s devices regularly to make sure everything is in order. Have any strange apps been installed? Do you recognize everyone your child is interacting with? Are they visiting websites they shouldn’t be? It can be hard to stay vigilant about this after a long and hectic day of parenting, but if you make it a part of your routine—say, a quick five-minute check every evening—it can be an easy way to ensure your child is out of harm’s way online.

Use a password manager

Three out of four adults struggle with passwords — so how can we expect our children to create a unique, complex password and not share it with others?

One of the best ways to eliminate password complexity for children is to use a password manager for the whole family. A password manager is an application that is designed to store and manage online login information in an encrypted database. Most password managers have family plans that allow you to have private vaults for just your accounts, and shared vaults you can share with your partner for joint or kids’ accounts. After all of your family members’ login information has been stored in the app, each person needs to remember just one master password. In case you are worried about forgetting your master password, write it down on an “emergency kit” document and lock it away with your other important documents that you can grab quickly in an emergency. For example, we keep our important documents, passports, etc. in a locked, portable firebox.

Stay firm about online rules, but avoid blame

Of course, getting proactive means not just educating your children on the best safety practices, but actively minimizing the risk that they’ll end up in a hazardous situation in the first place.

Primarily, that means making extensive use of parental controls. Whether it’s a video game console, a smart TV, or your child’s smartphone or web browser, there are invariably limits you can set—on screen time, on who your child can interact with, on what games or apps they can or cannot use.

But it also means barring your child from using certain platforms before they reach a certain age. This can be difficult, especially if your child has friends who use the same platform—peer pressure can exert a strong and not always productive force on the decisions we make for our children.

My best advice is to stay firm while at the same time being compassionate and reasonable, explaining the situation in terms your child can understand. Explain why you think they’re not quite ready to use a platform like (for instance) Discord. Show them news stories about gift card scams that plague adults and youth alike and make it impossible to get their hard-earned money back from the scammer.

Most importantly: never condescend, and, if and when your child does become the victim of a cyberattack, try your hardest not to come down on them. By being patient with your child if and when the worst does come to pass, and creating an environment in which they feel comfortable coming to you with similar issues, you can prevent even worse problems down the line.

The fact is that everyone—children and adults—could stand to have better cybersecurity practices. After all, the majority of the 236.1 million people targeted by ransomware attacks last year were not children. Children just happen to be uniquely vulnerable—a fact that cyberattackers are more than happy to exploit. If we want to turn the tide against these malevolent actors, we need to bring cybersecurity education into the home.

Related:
Safeguarding K-12 school networks with proactive cybersecurity approaches
3 ways MDM helps fight school cyberattacks

Defending against the most common cyberattacks
https://www.eschoolnews.com/it-leadership/2023/06/21/defending-against-the-most-common-cyberattacks/
Wed, 21 Jun 2023 09:50:00 +0000

K-12 schools are facing an increased risk of cyberattacks due to a combination of competing factors. School districts have sprawling networks where availability often takes precedence over security, but are constrained in managing those networks by limited resources and overstretched IT teams.

Meanwhile, the increased use of cloud-based email and remote learning technologies, along with inadequately managed virtual private networks (VPNs), have made schools an attractive target for the types of basic attacks that larger organizations are better prepared to defend against.

A recent Government Accountability Office (GAO) report on K-12 cybersecurity found that attacks have been on the rise since the COVID-19 pandemic forced schools to adopt more remote learning. It also discovered that the damage from those attacks is growing. In total, the GAO found that the range of impacts from cybersecurity attacks includes:

  • Loss of instructional time for students, ranging from a couple days to over three weeks.
  • Slow recovery time that often took between two and nine months.
  • Large financial impact, ranging from $50,000 to over $1 million, with costs including replacement of computer hardware and enhancing cybersecurity to prevent future attacks.

That combination of contributing factors may put schools at a disadvantage against malicious actors, but there are several steps schools can take to help them deter the most common attack vectors.

Common cyberattacks targeting schools

Lax management of email and online learning systems is one example of how schools can become vulnerable. With schools making extensive use of Gmail, Google Classroom, or other cloud-based applications, over-extended IT staff can overlook the need to retire the email accounts of graduated students. In our work with schools, we routinely see expired accounts that go back decades and number in the hundreds of thousands, presenting a ripe target for attackers.

Attackers who glean stolen usernames and passwords from the dark web can, using automated tools, easily try those credentials on school accounts. If one of them works, they gain access to the network.

Credential theft is not only a common attack vector but is also among the most dangerous. Malicious actors will use tactics such as phishing, social engineering, or software vulnerabilities to steal credentials and then use them to bypass traditional security measures and gain access to the email system. From there, they can use compromised accounts to escalate privileges and conduct a variety of malicious activities such as spear-phishing, spreading malware and exfiltrating data. A cloud email system like that in Microsoft 365, for instance, uses Azure Active Directory, which is tightly connected with systems throughout an enterprise. Access via email could allow access to practically all of an organization’s systems.

VPNs are another common attack path against schools, and one where hackers frequently use compromised credentials. Exploiting the vulnerabilities of VPNs that haven’t been updated or patched is another common tactic. Man-in-the-middle attacks, which properly managed VPNs would prevent, can occur when an attacker intercepts and alters communication between the user and VPN server, possibly because of a lack of certificate validation. Attackers could eavesdrop, manipulate data or impersonate legitimate servers.

Essential steps to better security

Successful cyberattacks on schools are usually not the result of overly sophisticated tactics. In fact, we’ve detected and prevented several breaches on school districts, and every single one of them was the result of compromised credentials. This is why it’s important to remember some of the basic security practices that can get overlooked by IT teams that are stretched too thin. Those practices include:   

  • Comprehensive account management. Regularly reviewing and updating user permissions, ensuring that current users have access only to the systems and applications they need, and keeping tight control of permissions can limit an attacker’s ability to escalate privileges once inside the network. It can also ensure that email and online learning accounts are disabled after students graduate, rather than remaining active and available to attackers. Effective account management of services such as Active Directory can help IT personnel implement robust security controls, reducing the risk of unauthorized access, shrinking the overall attack surface, and enabling early detection and response to threats. 
  • Strong password and access management. Implementing strong password policies and access controls is essential for network security. IT personnel should enforce basic password complexity requirements—minimum length, including numerals and special characters, and requiring regular password changes—but should also implement multi-factor authentication (MFA), which has proved to be effective against credential-based attacks. MFA adds an extra layer of protection by requiring an additional verification step, such as a code sent to a mobile device.
  • Regular patch management. Some of the most serious security breaches have occurred when attackers exploited a vulnerability for which a patch was available but not applied. IT teams should establish a robust patch management process that includes regularly checking for new patches, testing them in a controlled environment and promptly deploying them across the network.
  • Employee training and awareness. The prevalence of credential-based cyberattacks makes it more important than ever to educate users, who are often seen as the weakest link of security programs. Employees should be educated about common threats such as phishing, social engineering, and malware. They should also be educated on best practices for email security, safe browsing, and handling sensitive information. Building a culture of cybersecurity awareness can help employees recognize and properly respond to potential risks, reducing the likelihood of human error contributing to security incidents.
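The account-management and MFA practices above can be checked against a directory export. The following is an added example, not code from the article: the CSV column names, the June 30 school-year end, and the 180-day idle threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export; column names are assumptions for this example.
SAMPLE_EXPORT = """\
username,role,graduation_year,last_login,enabled,mfa_enrolled
jlee26,student,2026,2023-06-01,true,false
mgarcia19,student,2019,2019-05-30,true,false
tnguyen21,student,2021,2023-05-28,true,false
rpatel,staff,,2023-06-10,true,false
kbrown,staff,,2022-01-15,true,true
oldadmin,staff,,2018-09-01,false,true
"""

STALE_AFTER_DAYS = 180  # assumed idle threshold before an account is reviewed


def audit_accounts(csv_text, today, stale_after_days=STALE_AFTER_DAYS):
    """Return {username: [reasons]} for enabled accounts that need review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing for an attacker to log into
        reasons = []
        last = row["last_login"].strip()
        last_login = datetime.strptime(last, "%Y-%m-%d").date() if last else None

        grad = row["graduation_year"].strip()
        if row["role"] == "student" and grad:
            grad_end = date(int(grad), 6, 30)  # assumed end of school year
            if grad_end < today:
                reasons.append("graduated")
                # A login after graduation means the account is still in use
                # by someone; review it before anything else.
                if last_login and last_login > grad_end:
                    reasons.append("login-after-graduation")

        if last_login is None:
            reasons.append("never-logged-in")
        elif (today - last_login).days > stale_after_days:
            reasons.append("stale")

        if row["role"] == "staff" and row["mfa_enrolled"].strip().lower() != "true":
            reasons.append("no-mfa")

        if reasons:
            findings[row["username"]] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in audit_accounts(SAMPLE_EXPORT, date(2023, 7, 1)).items():
        print(f"{user}: {', '.join(reasons)}")
```
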

In meeting the demand for remote access and online learning, schools have—unavoidably—increased their attack surfaces. However, IT personnel can improve security through effective account monitoring, the use of strong passwords, practicing regular patch management and implementing strict access controls. In addition, employee training and security awareness programs are incredibly valuable.

Taken together, those steps will help protect sensitive data, critical systems, and valuable resources from the growing number of sophisticated threats targeted at educational institutions.

Related:
Ransomware attacks on schools are only getting worse
3 ways MDM helps fight school cyberattacks

Preparing for ransomware attacks begins with education
https://www.eschoolnews.com/it-leadership/2023/06/13/preparing-for-ransomware-attacks-begins-with-education/
Tue, 13 Jun 2023 09:27:00 +0000

Key points:

  • Ransomware attacks can be devastating to a school or district, with costly ransoms and leaked sensitive information
  • The most effective security is layered; humans are only part of the equation

The biggest threat to K-12 schools’ cybersecurity is, ironically, education. It’s an expensive deficit. But there are funds and tools to help.

Ransomware – where hackers encrypt and lock victims’ data and try to sell the decryption key back to the victim for a ransom – delays education and hurts already-stretched budgets: A GAO report says a ransomware attack can cause K-12 students learning loss of up to three weeks and cost from $50,000 to $1 million in expenses.

Or worse. In November 2020, a ransomware attack hit the Clark County School District in Nevada, the fifth-largest school district in the U.S. More than 320,000 students were blocked from accessing assignments and other educational materials. It cost the district more than $4 million to recover from the attack.

Even when schools don’t pay the ransom, as in the Los Angeles Unified School District case in 2022, there are costs. In the LAUSD, some of its platforms were knocked offline and sensitive personal information was released. More recently, the Minneapolis Public School District was attacked by ransomware criminals in March of 2023. District data was held hostage for $1 million. When the district did not pay, the criminals released highly sensitive personnel data.

These are a few of the cases we know about; many other attacks go unreported. The U.S. Government Accountability Office reports that, in 2021, 647,000 K-12 students were impacted by ransomware attacks.

Ransomware criminals can even double-extort, and seek ransom from parents, students, and employees who have had possibly sensitive personal or financial information stolen. When this happens, the original institutional ransomware victims can end up exposed to liability lawsuits.

There are several tools school administrators can use to counter the threats of ransomware and its potential to interfere with operations, finances, and educational experiences–starting, of course, with education.

A simple attack

Ransomware (and other) hacking attempts often start with simple social engineering. Somebody opens a forged email with a hacked attachment that gives a hacker the entrée into a network, and that starts the actual attack. Attacks may occur on user-owned mobile phones or computers and make their way to facility equipment when they connect to school Wi-Fi.

Underfunding makes security gaps wider. In many schools and school districts, a lack of ongoing funding for technology upgrades – and more importantly, for full-time IT personnel with current security training – represents another vulnerability. Attacks that might be blocked by up-to-date hardware or software can be more effective against misconfigured or older systems.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has specific recommendations for K-12 schools based on their typical vulnerabilities and resource constraints. In addition to practical technology advice such as “deploy multi-factor authentication,” the CISA recommends strong cybersecurity training programs.

Finding (and building) training programs

Training can start with products available from various sources like Infosec IQ, KnowBe4, Proofpoint, and Mimecast.

It also makes sense to create in-house training programs, especially for the users most likely to open corrupt links or emails. Offering blame-free feedback – or swag, incentivizing users to forward suspect hack attempts to the security teams — is a proven way to turn the biggest targets into a trusted defensive line. The goal is to create a friendly dialog and to break down the reluctance users may have to discuss security issues.

Inserting security tidbits into existing community email newsletters can also keep awareness of security issues, and especially emerging threats, on the minds of users. Or it can make sense to reach your community where they live: Putting security tips on Instagram or TikTok might be more effective for some groups than email.

You can also put cybersecurity into the curriculum, as North Dakota is: Its new law, HB 1398, requires that all students are educated in computer science or cybersecurity starting in July 2024. In addition to our administrators, we must educate our students about the reality of living in today’s technological world and the dangers that come with it. 

Because the human factor is such a big part of security, it makes sense to focus on it through education and community outreach. However, the most effective security is layered, and humans are only part of the equation. Applying technological gates to technological security issues needs to be done alongside education.

And no matter the solution set you have, it’s important to run trials and drills against it. School officials should practice how to deal with a security incident – from securing backups to informing the community.

Use the funds available

There are funds available for these efforts. Federal Elementary and Secondary School Emergency Relief (ESSER) funds can be used for cybersecurity to meet demands related to COVID-19, such as accommodating hybrid learning. Deadlines to use funds from ESSER II and ESSER III programs are September 2023 and September 2024, respectively.

Now more than ever is the time to look at a cybersecurity budget and weigh the costs against the risk and expenses of a ransomware breach.

There is no single solution to combating technological security attacks. Keeping a school safe from hacking requires expertise, community buy-in, technological solutions, and practice. Fortunately, there’s an industry in place to help, and some of the most important pieces of the solution come free with a positive connection to users.

Related:
North Dakota to require computer science for all K-12 students
Ransomware attacks on schools are only getting worse

IBM grants $5 million for cybersecurity, enhanced skilling on AI
https://www.eschoolnews.com/it-leadership/2023/06/09/ibm-grants-cybersecurity-enhanced-skilling-ai/
Fri, 09 Jun 2023 09:42:00 +0000

Key points:

  • With cyberattacks on the rise across schools, IBM Education Security Grants have already benefited more than 350,000 students globally
  • Now in its third year, grants are expanding to offer students and teachers access to cyber and AI skills through IBM SkillsBuild

In response to the growing threat of ransomware attacks against schools around the world, IBM will provide in-kind grants valued at $5 million to help address cybersecurity resiliency in schools.

Since its creation in 2021, the IBM Education Security Grants program has expanded globally, and this year will also include enhanced offerings from IBM SkillsBuild on topics including AI and cybersecurity. 

Ransomware is unfolding faster than ever, with attackers managing to cut down the time required to deploy ransomware attacks from over two months to just under four days between 2019 and 2021, according to IBM’s X-Force Threat Intelligence Index 2023. In fact, the share of cybersecurity incidents observed in the education sector more than doubled in 2022 compared to the year prior, the largest year-over-year increase of any industry.

“Time and time again attackers go after the education sector, yet many of these institutions remain constrained in their security resources,” said Andy Piazza, Global Head of Threat Intelligence, IBM Security X-Force.  “To date this program has helped more than 350,000 students across schools in the US and abroad, with IBM Service Corps helping them recover from ransomware attacks, strengthen their security posture against future attacks, and prevent further disruption.”

Applications for schools are now open globally. Grants valued at $500,000 each ($5 million in total) will be awarded to six school districts in the US with an additional four around the world. Volunteers through IBM Service Corps will use their professional skills to help schools establish programs to address cybersecurity resiliency.

Each selected school will receive:

  • incident response plans and ransomware playbooks,
  • programs to help address the need for updating operating systems,
  • strategic communication plans to use in response to cyber incidents, and
  • training and digital credentials through IBM SkillsBuild on topics including AI and cybersecurity, and additional benefits such as enhanced access to IBM mentors, teacher training and toolkits, and customized learning pathways.

“The global skills gap across cybersecurity and AI is a growing challenge that demands immediate attention,” said Justina Nixon-Saintil, IBM Chief Impact Officer. “To address this challenge, IBM awards Education Security Grants to drive impact with schools worldwide. This year we’re excited to expand the program to bring the benefits of IBM SkillsBuild training on topics like AI and cybersecurity for students and teachers.”

Since its inception in 2021, IBM has received hundreds of applications for this award-winning program from school districts seeking to strengthen their security postures in response to the growing threats in the education space. Past recipients of the IBM Education Security Preparedness Grants, a list of which can be found here, have encouraged other schools to apply.

“With IBM’s assistance, we improved our cybersecurity incident response plan and used it to better prepare us for handling incidents in the future,” said Robert Losinski, Manager of Information Security at Denver Public Schools. “Attackers are targeting schools because many do not have mature security frameworks to effectively defend against ransomware and other cybercrime. Getting professional assistance in expanding your cyber security program will really help you identify the most critical areas to protect.”

K-12 public schools and educational institutions/organizations that are interested in applying for IBM’s education cybersecurity grant can apply via IBM.com here: https://www.ibm.com/impact/initiatives/security. The application deadline is June 23, 2023.

For more information about IBM’s cybersecurity grants for schools visit: https://www.ibm.com/impact/initiatives/security. For more information about IBM Security X-Force’s services and capabilities visit: https://www.ibm.com/security/xforce

This press release originally appeared online.

Related:
3 ways MDM helps fight school cyberattacks
Ransomware attacks on schools are only getting worse

Safeguarding K-12 school networks with proactive cybersecurity approaches
https://www.eschoolnews.com/it-leadership/2023/06/06/safeguarding-schools-cybersecurity-approaches/
Tue, 06 Jun 2023 09:19:00 +0000

Now more than ever, safeguarding students and staff from targeted cyberattacks is critical to the health of our U.S. education system. Local K-12 schools are a top target for cybercrime. Estimates from the nonprofit organization K12 Security Information Exchange reveal more than 1,300 publicly disclosed cyberattacks against U.S. schools since 2016.

The size and scope of these threats amplified during COVID-era hybrid learning, when schools were forced to rapidly adopt cloud-based collaboration technologies at scale. But even though students have returned to the classroom post-pandemic, just like every other industry, the K-12 threat landscape isn’t slowing down.

It’s understandable why school networks are an opportunistic target. They hold the keys to large quantities of valuable intellectual property and sensitive PII, financial, and healthcare data that can be exploited for ransomware and monetary gain. And with myriad vulnerable access points, limited IT resources, and a continually rotating student body, maintaining a strong security posture is often riddled with complexity. According to reports cited in CISA’s first-ever K-12 security report, nearly 30 percent of K-12 school district members have reported being victims of the following cyber incidents:

  1. Data breaches exploiting the personally identifiable information of students, teachers, and school community members
  2. Ransomware attacks
  3. Business email compromise (BEC) and phishing attacks
  4. Denial of service (DDoS) attacks
  5. Website and social media defacement
  6. Online class and school meeting invasions

The CISA report also found that 55 percent of data breaches between 2016 and 2021 were carried out on schools’ third-party vendors. In January 2022, for example, a ransomware attack on a single website hosting vendor took down the websites of 5,000 schools across the country, preventing some of them from sending email notifications about COVID-19 related school closures.

These incidents often result in steep monetary losses and prolonged learning disruptions, which can range anywhere from days to weeks. Take the January 2023 ransomware attack on four Nantucket, MA public schools. After the breach was discovered, more than 1,700 students were abruptly sent home at noon on a Tuesday and instructed not to use school-issued electronic devices until classes resumed nearly a week later. In September 2022, a cyberattack on the Los Angeles Unified School District, the nation’s second-largest K-12 school district, leaked more than 2,000 student mental health records to the dark web. Both examples show that regardless of its size or prominence, no school is immune to the damaging impact of cyber threats.

It’s imperative for K-12 leaders to implement well-defined protocols and processes that ensure their school community can work protected. Additionally, investing in the right tools and technologies that address critical vulnerabilities and provide multi-layer integrations – allowing for localized threat intelligence sharing and automated workflows across districts – can strengthen their defenses at an affordable cost.

Fostering a Culture of Cyber Resilience

It’s no secret that most K-12 schools lack robust IT teams and best-in-class solutions to quickly identify, prioritize, and respond to cyber threats. However, there are still ways to bridge that resources gap – and it starts with proactiveness. By implementing scalable user awareness training, for example, schools can educate students, parents, teachers, and administrators on cyber-safe practices to reduce the rate of human error. From understanding the importance of multi-factor authentication to knowing how to spot phishing attempts, giving school community members the guidance they need to prevent breaches is worth its weight in gold.

In reality, cyber threats at school will never be top of mind for most students as they juggle their coursework, extracurricular activities, athletic schedules, and social life. But when user awareness trainings are personalized and tailored to their unique interests, students will be much more inclined to consider the consequences of poor cyber hygiene. Compounded at scale, it can foster a culture of cyber resilience at a time when it’s needed most – generating collective buy-in among students, parents, teachers, and administrators to all play a role in protecting their school community.   

Constructing a Cost-Effective Security Arsenal

When deciding which tools and technologies to prioritize on a limited budget, K-12 schools must have a firm understanding of their threat environment to align spending with their greatest security needs. For example, email remains a primary attack vector leveraged in social engineering campaigns targeting schools. With that in mind, investing in solutions that offer targeted protection against email-borne attacks with domain-based message authentication, reporting, and conformance (DMARC) functionality is a proactive way to maximize the value of their investments. Then, next time a phishing email impersonating Jimmy’s 11th grade calculus teacher enters the school’s network domain, it will be immediately flagged and blocked from reaching his inbox.
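Whether a spoofed message is actually blocked depends on the DMARC policy the school's domain publishes, since a `p=none` record only produces reports. The following is an added example, not code from the article: it parses a DMARC TXT record and reports whether the policy is enforced. The sample records and the `district.example` domain are constructed.

```python
# Relative strength of the three DMARC policy values.
POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record):
    """Split a DMARC TXT record ("tag=value; tag=value") into an ordered dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (enforced, findings) for the TXT record at _dmarc.<domain>."""
    if not record or not record.strip():
        return False, ["no DMARC record: receivers apply no DMARC policy"]
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return False, [str(exc)]
    # The version tag must come first, otherwise receivers ignore the record.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        return False, ["record does not start with v=DMARC1"]

    policy = tags.get("p", "").lower()
    if policy not in POLICY_STRENGTH:
        return False, ["missing or invalid p= tag"]

    findings = []
    if policy == "none":
        findings.append("p=none is monitor-only: failing mail is still delivered")

    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        findings.append("invalid pct= value")
    elif pct < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")

    # sp= covers subdomains and defaults to the main policy when absent.
    sub_policy = tags.get("sp", policy).lower()
    if POLICY_STRENGTH.get(sub_policy, 0) < POLICY_STRENGTH[policy]:
        findings.append(f"sp={sub_policy}: subdomains are less protected than the main domain")

    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to monitor spoofing")

    enforced = policy != "none" and pct == 100
    return enforced, findings


if __name__ == "__main__":
    samples = [  # constructed records
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@district.example",
        "v=DMARC1; p=reject; sp=none; pct=50",
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@district.example",
    ]
    for rec in samples:
        print(rec, "->", assess_dmarc(rec))
```
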

Identifying opportunities for multi-layer integration is also key. By partnering with vendors who offer a deep library of API and third-party partnerships, schools can reduce the complexity of safeguarding their networks. Integrated frameworks provide improved protection via real-time threat intelligence sharing, improved efficiency via AI-enabled workflows, and improved prevention via tool consolidation – combining to generate the right balance of automated prevention, detection, and response capabilities to protect data across its lifecycle. This helps drive a team-sport approach to cybersecurity, allowing schools to defend together like a state championship soccer team.  

As underscored in the CISA K-12 report, most school districts are trying to do a lot with a little. There is a clear need for increased cybersecurity budgets and support mechanisms across the entire education sector. This resource shortfall is a major constraint to implementing effective cybersecurity programs, but with a prioritized focus on proactiveness and collaboration, schools can alleviate some of the roadblocks holding them back. Despite the unprecedented risk in front of them, hope remains on the horizon.

Related:
3 ways MDM helps fight school cyberattacks
Ransomware attacks on schools are only getting worse

3 ways MDM helps fight school cyberattacks
https://www.eschoolnews.com/it-leadership/2023/05/03/3-ways-mdm-helps-fight-school-cyberattacks/
Wed, 03 May 2023 09:51:00 +0000

Last September, the Los Angeles Unified School District was hit by a ransomware attack at the start of the new school year. The second-largest educational district in the country, with more than 600,000 students and 25,000 employees, had its email taken offline and other internal systems affected by the cyberattack. When the district chose not to pay the ransom, sensitive employee data was posted online. While this attack may seem extraordinary because of its size and scope, digital security breaches like this are happening at educational institutions across the country. And school districts need to take defensive action against cyberattacks now before it’s too late.

With school districts across the U.S. being targeted by cyberattacks, the need for robust, cost-effective cybersecurity support is not just important–it’s now considered essential. But many local governments and educational institutions remain unprepared for this type of active threat. A recent report by the Cybersecurity and Infrastructure Security Agency on the K-12 school cybersecurity landscape found that close to 50 percent of the school districts in the country have neither the staff nor the budget to adequately protect their IT infrastructure.  

As schools look for solutions to bridge this security gap, one easy and cost-effective method they should consider is the adoption of mobile device management (MDM) platforms. A small number of schools are currently using this solution to their advantage. This includes public schools like the Interboro School District in Prospect Park, PA, which employs MDM to manage a fleet of iPads used to supplement classroom instruction. Interboro uses MDM to ensure the tablets are secure and functioning properly, the students using them are staying safe online, and the costs associated with maintaining the devices are minimized.

IT departments at K-12 schools in the U.S. should follow Interboro’s example. By using MDM platforms, they can keep their technology costs low in a time of economic uncertainty and increase the impact of their existing IT staff by freeing them up to be more proactive in protecting against cyberattacks.

So how does it work? With the use of MDM software, schools can easily monitor, manage, and secure all their mobile devices to ensure they are performing well and being used safely. 

Specifically, here are three ways MDM platforms can benefit schools today:

Increased cybersecurity

Whereas PCs and laptops typically have pre-installed malware protection, tablets and mobile phones are much more vulnerable to cyberattacks. That means unmanaged mobile devices pose a variety of real security risks. MDM offers an effective way to safeguard these devices, ensuring their security with several configuration and restriction options.

For example, the use of certain device functionalities or apps can be prohibited, and the use of complex passwords can be enforced across all devices. With encrypted containers separating personal data from work data, companies can ensure that sensitive data does not leak to third parties, such as through instant messaging apps. MDM can also create application blacklists for dangerous or distracting apps/websites, provide remote device lock and wipe functions, and add strong encryption requirements for sensitive files like students’ academic records.

Maximizing impact of IT staff

The automation features of an MDM platform allow IT managers to automate tedious and time-consuming tasks like device enrollment and software updates. This way a school’s IT staff can spend more time being proactive about protecting the school’s network against cyberattacks. Also, administrators can save time and money by deploying business policies, automating installations, and enforcing configurations, applications, and more. Disposing of manual tasks reduces human error and helps ensure compliance and the secure use of all mobile devices. Your chosen applications and configuration profiles, such as passcode and encryption requirements and email configurations, can be automatically installed to a group of devices.

Additionally, the use of patch management software makes it easy to centrally monitor the patching status of your IT environment. It also allows you to upload and install all necessary patches to your devices automatically. This means that your IT manager and/or device user doesn’t have to manually search for new patches and install them separately.

Cutting costs

MDM can help schools lower costs by limiting data usage, increasing the longevity of devices through automation of some maintenance tasks, increasing the efficiency of IT staff, and facilitating the convenient sharing of devices between students. MDM location tracking also helps prevent devices from being lost or stolen, which can be a major cost for some organizations. While time savings certainly translate directly to cost savings, especially when considering the salaries for IT managers or fees for IT service providers, the ROI of mobile device management also extends to cost savings on data usage.

MDM can ensure that devices under management have app usage restrictions (i.e., not allowing the use of entertainment streamers like Netflix), thus saving on data costs. Such control features can also ensure that students and district users are only using applications you’ve approved in advance. The enhanced longevity that MDM platforms provide can make the annual operating cost per 10 devices drop from approximately $425 to $6.25, or even less depending on the lifecycle of the device.

Schools that employ MDM platforms can also facilitate the convenient, secure sharing of iPads and other devices that can help supplement classroom instruction. By having a system that allows multiple students to easily use the same device, schools maximize utilization of their existing technology fleet and save on new device purchasing and maintenance costs in the future.

With the rising tide of cyberattacks on schools and the uncertain economic situation, there has never been a better time for schools to adopt an MDM platform to bolster cybersecurity. By maximizing the impact of existing IT staff and lowering their technology costs, administrators at K-12 schools in the U.S. can be proactive about this threat by adopting MDM platforms to combat future cyberattacks. It’s essential they act quickly because the threat is out there, as seen by recent high-profile attacks, and it’s only going to get worse. 
