Earlier this year, a report from the K-12 Cybersecurity Resource Center identified 2020 as a "record-breaking" year for cyber attacks against U.S. schools. In all, 408 publicized incidents marked an 18% increase over 2019. Since 2016, there have been an estimated 1,180 cyber-related incidents in public schools.
The K-12 sector has long been among the most popular targets for hackers, as growing technology adoption and the increasingly digital nature of classrooms have outpaced what school district budgets typically allow for hiring cybersecurity personnel and procuring the resources needed for adequate protection.
When the COVID-19 pandemic shuttered schools and forced a transition to virtual learning, many districts nationwide that hadn't yet gone 1:1 with classroom devices found themselves fast-tracking multi-year plans to do so and exploring digital learning options for the first time. The ensuing influx of devices and rush to adopt digital resources opened new vulnerabilities.
Rising awareness of K-12 cybersecurity needs has also led to a number of proposals from lawmakers in the past year, including the K-12 Cybersecurity Act, signed into law Friday by President Joe Biden. Under that law, the Cybersecurity and Infrastructure Security Agency is required to conduct a study of the K-12 sector's cybersecurity needs and develop tools and guidance for school districts.
Other proposals have included the Enhancing K-12 Cybersecurity Act, which, in addition to seeking new resources from CISA, also called for additional funding to create and operate a K-12 Cybersecurity Technology Improvement Program.
"I would note that there really isn't a shortage of guidance available to school districts already provided by the federal government," said Doug Levin, national director of K-12 Security Information Exchange (K-12 SIX). "So what we are really hoping for is a deeper analysis of some of the systemic and structural challenges facing schools in trying to defend against these risks."
In the meantime, as students and all of those new devices return to school buildings — and networks — there are several actions K-12 administrators can take now to strengthen security.
Self-assess, and know the resources already available
To understand the scope of a school district's cybersecurity needs, the first thing leaders should do is conduct a self-assessment. K-12 SIX has a free and quick option available that delivers a customized report with recommendations on steps to take, based on the standards developed by the organization, Levin said.
"There are four things we are asking schools to focus on," Levin said of the standards. They are:
- Protecting network traffic going in and out of school districts.
- Protecting end-user devices.
- Protecting the identities and personal information of students, teachers and community members.
- Patching regularly and maintaining offline backups.
An array of services already available from CISA can also help schools address these pillars. The agency's Stop Ransomware website offers resources and guidance for defending against one of the most prominent threats facing K-12 schools, as well as a reporting tool. And Malicious Domain Blocking and Reporting can help prevent IT systems from connecting to malicious web domains, limiting infections from known malware, ransomware, phishing, and other cyber threats.
According to the website, the technology "can block the vast majority of ransomware infections just by preventing the initial outreach to a ransomware delivery domain."
Additionally, "CISA offers a phishing campaign assessment as part of our cyber hygiene family of services, and those are available to anybody in critical infrastructure," said Tom Millar, a senior advisor at CISA. "And I believe we actually do offer those to some K-12 partners [and] public school networks."
Regular patching and offline backups are crucial
Keeping security patches and antivirus software up to date, maintaining full offline backups for school networks, and having an incident response plan are mission-critical to defending against cyberattacks.
"When I say [to update these in a] timely fashion, I mean don't put them off for a month," said Millar. "If you know there are patches coming out and you put them off for two weeks for too long, then you will immediately end up with a backlog."
Having an offline, immutable backup can make a significant difference in responding to and recovering from a ransomware attack in particular, providing a safety net for a district to fall back on if its data is locked behind a ransom.
In the event of a ransomware attack, Millar also advises that, along with the Stop Ransomware resource, there are many other templates freely available for developing an incident response plan. That plan should be exercised not just with IT staff, but also with other key school and district-level leadership, he said.
"If the worst does happen, our advice is to never pay the ransom," said Millar. "That will just encourage the perpetrators to continue."
He added that in a majority of cases where victims did pay a ransom, they were later hit with another attack.
"There's also no guarantee that you actually get your data back," said Millar. "If you pay the ransom, rebuilding from whatever data is backed up in any fashion somewhere is the main option available if you don't have offline backups."
Know what you shouldn't do
In addition to advice on what to do, Millar advises that school leaders understand bad practices that should be avoided at all costs. Among them:
- Using software that is "end-of-life" or no longer supported with security updates.
- Using weak or default passwords.
- Using remote administrative tools that only have single-factor authentication.
The last two points in particular highlight that it is also essential not to overlook the potential impact of end users. No matter the level of cybersecurity safeguards in place, an educator or student clicking the wrong link in an email, for instance, can be the weakest link in the chain.
At the higher ed level, some institutions, like the University of Dayton, have chosen to address this with "cyber mindfulness" campaigns. As Associate Provost and CIO Thomas Skill told Higher Ed Dive back in 2016, teaching faculty, students and staff to think of everything they do as a potential security risk can make a significant difference.
"We didn't wanna roll out two-factor and have people walk away thinking, 'Oh, security is fixed because we all have two-factor now,'" said Skill. "Our goal here is that this is no different than any athlete training for the toughest competition. Every day, the bad guys out there are coming up with newer, better, smarter, faster ways to trick us into doing stuff, so we've gotta be exercising every day with our effort to understand when we can recognize a phish and when we can't, and we're tracking all the data on what we're doing here."