The second cup of coffee, grading papers and parent-teacher conferences are looming — the perfect timing for a phishing email. Disguised as a benefits update from HR, that seemingly harmless attachment is a trap designed to steal your login credentials.
K-12 schools are facing an elevated cybersecurity threat landscape. At the same time, they navigate some of the most challenging budgetary decisions when managing cyberthreats in tandem with student, teacher, alumni and parent expectations.
The rise of remote learning, coupled with teacher shortages and constant staff changes, creates risks and vulnerabilities. Student data, including Social Security numbers and health information, is a gold mine for attackers. That information lets criminals easily open bank accounts, rack up debt and apply for loans in a child’s name, leading to poor credit reports even before age 18, as well as infractions against the Children’s Online Privacy Protection Act.
We’ve all heard the same security hygiene suggestions — but what do K-12 cybersecurity breaches actually look like, and how can we really stop them?
K-12 cybersecurity: Cyberattacks in the wild
Collaboration with cybersecurity firms, industry experts and local law enforcement can provide resources, expertise and support for cybersecurity education initiatives within the school community.
Let’s take a closer look at what these breaches look like in practice. In March 2021, the Buffalo Public School District in New York fell victim to a ransomware attack that exploited a gap in security software and exposed personnel data. Because the district was in the process of updating its security protocol, individual computers on the network were more susceptible to cyberattacks than before. If the district had transitioned with proper safeguards in place or outsourced to a security provider, it may have been able to avoid the ransomware breach and subsequent data encryption altogether.
Unfortunately, the district didn’t know how to identify and mitigate the threat before it became a breach. Keeping up with cybersecurity firms’ updates around threat group communications enhances districts’ security by providing insights into leading phishing scams and ransomware delivery methods. With increased threat awareness and intelligence, the district might have avoided investing nearly $10 million in network security and other services after the fact.
Investing in cybersecurity ahead of time is much less expensive than dealing with the aftermath of a cyberincident. This principle is often supported by cost comparisons between preventive measures and reactive expenses following a breach. The costs associated with a post-breach price tag often include data recovery, legal fees, notification of affected parties, regulatory fines, system repair and upgrade and public relations efforts.
According to the Ponemon Institute’s 2024 Cost of a Data Breach Report, the average cost of a breach is $4.88 million, and organizations with strong security measures save an average of $2.22 million per breach. Regular security audits, employee training programs, advanced threat detection systems, data encryption, regular software updates and patches and incident response planning are far less expensive.
Identifying the warning signs
Often, ransomware attacks stem from phishing campaigns. Recent reports highlight increased scam messages targeting students with fake job offers promising high pay and flexibility. According to the Federal Trade Commission, the number of reported scams for job opportunities grew by 118% in 2023. Malware-riddled, unofficial university communications follow a similar tactic, typically including malicious HTML attachments, which made up more than half of malicious files in 2023.
When a school or district experiences a cyberattack, the signs of a breach can vary widely depending on the nature of the attack and the sophistication of the attackers. Any staff member might notice unusual system behavior, including computers running slower than usual, applications crashing or unexpected pop-up messages. IT staff might notice increased or unusual network traffic through monitoring tools. That can lead to problems logging in or usual passwords no longer working. Educators and administrators may even notice changes to files or settings they did not make themselves.
If a ransomware attack occurs, the attackers usually deliver a note or message with their demands. An educator or staff member might initially think the ransomware note is a scam due to its appearance and demands on the infected screen. However, the device’s user should always contact their IT department or security team immediately. If possible, that team will disconnect the affected machines from the network to prevent the spread of the ransomware.
As a general rule of thumb, paying the ransom does not ever guarantee that the files will be restored and encourages further attacks.
Change how we teach cybersecurity
Ironically, the education industry requires a shift in mindset around K-12 cybersecurity education. With the right tools and information at their disposal, educators can perfect the messaging to prevent cyberattacks.
Implementing structured cybersecurity education programs should start in elementary grades, teaching students about online safety, responsible internet usage, recognizing cyberthreats and understanding the consequences of cyberactions. The Cybersecurity Infrastructure Security Agency offers a free Incident Response Training curriculum that provides a range of lessons for beginner and intermediate cyberprofessionals encompassing essential cybersecurity awareness, best practices for organizations, and hands-on labs to practice investigating and remediating to build incident response skills.
Peer-to-peer education programs can also help — students who have received cybersecurity training can educate their peers, teachers and administrators about online safety practices and how to recognize and respond to cyberthreats. Last year, Amazon Web Services launched a $20 million K-12 cyber grant program in partnership with the White House to address K-12 cybersecurity. As a result of recent grants, districts such as St. Vrain Valley Schools in Longmont, Colo., have begun closely examining their cybersecurity posture and prioritizing student participation in various competitions such as Cyber Patriot, CyberStart America, PicoCTF, Code Quest, Code Wars and more, where students work collaboratively to tackle cybersecurity challenges.
Gamification techniques can also make learning about cybersecurity more fun and engaging for younger students. This could involve creating educational challenges that reward participants for demonstrating good cybersecurity practices. Organizations offer everything from cybersecurity escape rooms to simulations of real-world phishing threats where the user has to outsmart the hacker.
Leverage tech, but secure the whole perimeter
As with any industry, K-12’s digital footprint does not stop at the school or district level. Third-party cybersecurity vulnerabilities — which stem from any external entities that schools rely on for their technology needs — also introduce risk into the K-12 perimeter. To prevent security gaps, it’s essential to apply the same scrutiny and security assessments that districts would for internal systems to all partners, regardless of size.
Training for K-12 staff should be ongoing, especially with increasing fluctuations in hiring to overcome teacher shortages. The latest cybersecurity threats change on a dime, and all personnel should be up to date on these risks and ongoing cybersecurity best practices. Security teams recommend engaging advisory services for boards and top management on strategy, governance, compliance and security to maximize return on investment in school security.
Preventive measures remain the most effective defense against all types of cyberattacks. This can include mock phishing tests, regular vulnerability scans and rotating passwords. For online collaboration sites and virtual learning platforms that handle sensitive data and rely on highly accessible applications, schools must consider strict encryption and backup protocols to secure their systems and their students. If a school chooses to outsource its security, providers also offer a first line of defense with email security, data security, and firewall and technology management.
District administrators should be certain that sensitive data, including student records and administrative information, is encrypted both in transit between databases and at rest on personal and school devices. Access to network resources should be vetted and routinely restricted based on user roles and permissions.
Futureproof K-12 from a security standpoint
While basic cybersecurity hygiene is a crucial first step, it’s essential to recognize that safeguarding our schools against cyberthreats requires a more proactive and holistic approach.
The good news is that a wave of support is empowering districts in this effort. Initiatives such as the Biden-Harris administration’s 2023 launch of new programs to strengthen America’s K-12 cybersecurity demonstrate a national commitment to this critical issue.
Additionally, the Department of Homeland Security offers Homeland Security Grant Programs that can provide financial assistance for various cybersecurity initiatives in schools. Because of these new partnerships, high schools have already begun creating comprehensive security programs. For example, starting in the fall of 2024, high school students in Dearborn Public Schools in Michigan can take classes and earn certifications in a new cybersecurity program.
To truly secure the K-12 perimeter, districts can leverage their strengths by developing subject matter expertise or partnering with experts to teach cybersecurity. When districts partner with us, we provide a single dashboard to monitor threats, manage technology and identify vulnerabilities and perceived risks across a district’s entire IT environment.
A managed security services provider is effectively an extension of the district. Administrators can offload all security protocols onto these teams to build resilience over time, simplify their programs and keep their staff focused on student priorities.
Securing internal and external systems to protect against phishing and ransomware threats demands collective action, innovation and a steadfast commitment to staying ahead of the curve. Through concerted efforts, strategic investments in human and technological resources, and by capitalizing on federal programs, we can forge a resilient defense against cyberthreats, ensuring the integrity of our educational systems and the well-being of our students.
Opinions expressed by SmartBrief contributors are their own.
_________________________
Subscribe to SmartBrief’s FREE email newsletter to see the latest hot topics on edtech. It’s among SmartBrief’s more than 250 industry-focused newsletters.