School districts need to step up their cybersecurity efforts to protect their systems from costly virtual attacks that can disrupt and, in some cases, shut down operations.
The K12 Security Information Exchange (K12 Six), a non-profit organization dedicated to protecting schools from cybersecurity threats, says in its 2022 annual report, “The State of K-12 Cybersecurity: Year in Review” (www.k12six.org/the-report), that school leaders need to be more forthcoming about the cyberattacks they have experienced, so that other districts can better defend their operations and law enforcement can pursue wrongdoers more effectively.
K12 Six says that in 2021, it cataloged 166 incidents of cyberattacks in 162 school districts across 38 states. But the report says the number of incidents is likely to be much higher.
“An exclusive focus on publicly disclosed incidents also dramatically understates the scope of the issues facing K-12 schools, especially when disclosure requirements are weak and routinely circumvented,” the report says. “The true picture is surely bleaker; anecdotal evidence suggests perhaps 10 to 20 times more K-12 cyber incidents go undisclosed every year.”
That underreporting is likely because many school districts have been reluctant to disclose when they have been victimized. But K12 Six urges school systems to cooperate with one another to protect themselves more effectively.
“Given limited resources and capacity, it is in the best interests of school district leaders—not just those working in IT positions—to collaborate with each other to increase their schools’ resilience to cybersecurity threats,” the report says. “School districts should put a premium on sharing threat intelligence, sharing best practices, developing model policies, pursuing mutually beneficial risk mitigation solutions that can be deployed at scale, and educating state and federal policymakers about K-12 cybersecurity challenges and potential solutions.”
The most common cyberattack on schools in 2021 was ransomware; the report noted 62 incidents in 2021. The attacks commonly led to canceled classes and districtwide closures, and in some cases, school districts were extorted for significant sums. In August 2021, the Judson (Texas) district disclosed that it paid more than $547,000 to cyberthieves “to protect sensitive, identifiable information from being published.”
The K12 Six report says many factors can be blamed for making schools a target for cyberattacks: teachers, administrators, or school board members who may lack the training and guidance necessary to avoid the errant sharing of personal data and credentials; tech-savvy students, who try to circumvent existing cybersecurity controls to disrupt systems; suppliers and vendors with less-than-adequate security practices during school district procurement; and online criminals who seek to profit from weak school district cybersecurity controls.
The numbers indicate that larger districts (10,000 or more students) tend to be victimized more frequently. The report suggests that may be because larger districts manage more technology devices and more complex systems than smaller districts and have more students and employees using that technology. They also have larger budgets.
K12 Six asserts that if school systems carried out the “essential protections” it recommends, that could “dramatically improve the cybersecurity posture of all school districts from the most common threats.”
The recommended protections:
- Sanitize network traffic to and from the internet: Filter out malware; campaign against email scams; block malicious documents; and limit exposed services.
- Safeguard the devices of students, teachers and staff: Restrict administrative access; apply endpoint protection.
- Protect the identities of students, teachers and staff: Protect user logins; improve password management; stop online class invasions.
- Perform regular maintenance: Install security updates; back up critical systems; manage sensitive data.
Because operations in many school systems depend on outsourced software applications, often hosted offsite “in the cloud,” vendors and suppliers serving the K-12 market also must improve their cybersecurity practices.
“A holistic effort focused on not only school district cybersecurity risk management practices and policies, but also those of K-12 vendors and suppliers, is what will be required to significantly reduce the frequency and severity of cyber incidents experienced by the K-12 sector,” the report says.