Originally published in THE Journal.
Just as the school year kicked off, families on opposite sides of the U.S. faced temporary school closures. Mother Nature was responsible for some. But not all. While several southeastern states dealt with the effects of Hurricane Dorian, across the country, one Arizona city encountered a very different type of scare. Cybercriminals waged a ransomware attack on the Flagstaff Unified School District, forcing a two-day shut down for 15 schools serving almost 10,000 students.
Flagstaff is far from alone. In July and August, 2019, the number of publicly disclosed security incidents in K-12 schools reached 160 — exceeding the total of all incidents experienced in 2018 by an incredible 30 percent. Nearly 50 school districts and colleges have been hit with ransomware so far in 2019 ranging in nature from disruptive, as in the case of the Flagstaff two-day closure, to catastrophic, which describes the scene in Louisiana when the governor recently declared a state of emergency following “severe, intentional security breaches” on school computer systems.
The Education Sector is Facing a Crisis
It’s one thing for impassible roads to hit pause on a school schedule. It’s an entirely different and unacceptable scenario when cyber extortion not only gets in the way of educating our youth but puts data pertaining to their health, academics and social development at risk of exposure and compromise — not to mention the public funds that are flushed away to ransom payments and cleanup efforts. Yet here we are, co-existing with cybercrime as the new normal and witnessing escalating ransomware attacks turn schools into the second-largest victims of all sectors.
The pace of growth of the “digital school district” continues to climb given the many benefits technology brings to students and educators. Funding for educational technology has increased by 62 percent in the last three years, and the new U.S. Digital Equity Act proposes to commit federal dollars to bring even more tech to the classroom. And while the many benefits of the digital classroom are clear, this rapid growth, combined with complexity and the continued restricted budgets for management, make our schools and our students increasingly vulnerable.
When Complexity and Risk Plague Today’s Digital Classroom, Resilience Matters
Technology is no doubt an asset, though we need to acknowledge not just the risks to student safety and privacy it poses, but also the complexity that IT folks have to wrangle. Education IT leaders once responsible for a few hundred devices, a few dozen apps and a single network have now found themselves managing tens of thousands of devices (as 82 percent of schools now provide students with them), hundreds of apps, and a distributed set of users accessing unknown networks — all with limited resources and budget in most cases. Meanwhile, by clicking on one bad link on a school-issued device, a student can become a conduit for a ransomware attack.
As endpoint and environmental complexities increase, and risk alongside them, it’s no surprise that 68 percent of education IT leaders in the U.S. list cybersecurity as their top priority. In tandem, several state governments, including Louisiana, Texas and North Dakota, have stepped up their efforts to safeguard schools against cyberattacks with various measures such as cyber policy mandates, cyber commission formation and state IT department oversight for schools.
For policymakers, educational institutions and their IT leaders, and even concerned parents, collaborative cybersecurity efforts should rally around the concept of resilience, or the ability to bounce back. Here are three steps to get on the path to cyber resiliency:
The pace of ransomware attacks on schools in 2019 suggests another victim will feel imminent pain and, as such, the urgency to heed these steps cannot be overstated. It’s a tricky balance but doable to enable the digital classroom to thrive, while also protecting student safety and privacy.