Cyberattacks against K-12 school systems and threats to student data privacy are on the rise throughout the world. In the US, valuable information such as students’ names, birth dates, and even Social Security numbers can often be found on school-issued devices, making K-12 school systems highly attractive targets for cybercriminals. Yet many of these vulnerable school systems remain too under-resourced to adequately protect themselves from a concerted attack.
School districts are responsible for safeguarding sensitive information, and the theft of students’ personal information can cause irreparable damage to a district’s reputation. A ransomware attack or other security breach can also cripple operations, bringing teaching, learning, and school administration to a halt.
Exacerbating this situation is the reality that the number of digital devices used by students has grown dramatically. In 2020, only an estimated third of school systems had to support more than 7,500 digital devices, according to the Consortium for School Networking (CoSN). In 2021, that share ballooned to nearly half (49%) of all school systems.
Couple all of this with under-resourced education IT efforts and a growing threat landscape, and we see significantly greater opportunities for cybercriminals to make inroads. Unfortunately, as a result, 57% of all reported ransomware attacks in August and September of 2020 targeted K-12 schools, according to an FBI report. And perhaps unsurprisingly, a report by the K-12 Cybersecurity Resource Center found that 2020 was the worst year on record for cyberattacks targeting schools. There were at least 408 publicly disclosed incidents, an 18% increase over 2019.
While strong cybersecurity strategies may seem out of reach for some schools, the solution doesn’t have to be complicated. Indeed, there are basic steps every school should take to build a solid foundation. Here are the top five:
Making sure network traffic to and from the internet is secure involves using firewalls and internet security software to filter out malware; looking for phishing emails and trying to quarantine them; restricting the downloading of macros in documents, which are a common vehicle for ransomware; and limiting the use of internet-facing services that are constantly connected. In a nutshell, if a server or system doesn’t need to be exposed to the internet, it should be shut off or protected in some way.
Laptops, tablets, and other devices also must be secured. Protect student, staff, and teacher devices by restricting administrative access on those machines so that users cannot install whatever software they want. The devices themselves also need endpoint protection, such as anti-virus and anti-malware software. Make sure these endpoint security controls are working by investing in platforms that make them resilient—that is, self-aware and capable of maintaining their effectiveness automatically. Get continuous access to geolocation data of devices that are both on and off your network. If a device goes missing, have the capability to lock it, freeze it, and remotely wipe any sensitive information to ensure your district remains compliant with the Family Educational Rights and Privacy Act (FERPA) and other privacy regulations.
The authentication practices that schools use for granting network access need better security. Train students and employees in best practices for establishing and using strong passwords, such as creating passwords that are hard to guess but easy to remember; never sharing passwords with others; and using different passwords for different accounts. Consider other measures to improve authentication as well, such as requiring multifactor authentication and adopting a single sign-on technology.
Cybersecurity should be an ongoing area of focus. Regularly back up critical data; install security updates and patches in a timely manner; test your security defenses to make sure they are working properly; audit your systems and data to see where vulnerabilities might exist; and review the sensitive information you are storing to see what can be archived or deleted.
Another fundamental step that every district should take is to create or update an incident response plan so that if an attack does occur, your district knows how to react. A thorough cybersecurity plan should ensure that everyone knows his or her role in the event of an attack. District leaders should know who they’re going to call for help, such as their IT vendors and/or a third-party specialist who can help them respond. Conduct routine scans to identify where all sensitive information is stored. Regularly back up all data and delete any information stored on unprotected devices. Lastly, leaders should know how they’re going to communicate a data breach to the community.
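The routine scan for stored sensitive information described above can start small. The following is an added example, not part of the original article: it walks a directory tree and counts Social Security number-shaped values per file without recording the values themselves. The function names, the list of file extensions, and the sample files are assumptions constructed for the illustration.

```python
import re
import tempfile
from pathlib import Path

# SSN-shaped token: 3-2-4 digits separated by dashes or spaces,
# not embedded in a longer run of digits (e.g. an ISO date).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".json"}  # assumed scope

def plausible_ssn(area, group, serial):
    """Drop values that can never be issued, to cut false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def count_ssns(text):
    return sum(1 for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups()))

def scan_tree(root):
    """Return {relative path: hit count}; matched values are never kept."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        hits = count_ssns(text)
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings

def demo():
    """Scan a throwaway tree of constructed sample files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "roster.csv").write_text(
            "name,dob,ssn\n"
            "A Student,2010-04-02,123-45-6789\n"
            "B Student,2011-09-13,219 09 9999\n")
        (root / "notes.txt").write_text(
            "ticket 000-12-3456, ref 912-34-5678, ext 555-12-0000\n")
        (root / "lunch.txt").write_text("menu only\n")
        return scan_tree(root)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits} SSN-shaped value(s)")
```

Files that report hits are candidates for the archive-or-delete review; the output lists only paths and counts, so the report itself holds no sensitive values.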
Cybersecurity threats aren’t going away; in fact, they are only going to get worse. School systems need to take these threats seriously—and implementing these five steps is a positive start.