
Getting schooled on cyberattacks

Sept. 22, 2022

As students and staff return to classrooms and lecture halls for another school year, education administrators must make sure they have systems in place to provide a safe and secure learning environment—protecting people and property not only from physical threats, but also from virtual attacks from online intruders.

Cyberattacks have been a problem for several years at schools and universities, which are heavily dependent on technology for their operations. But the number of attacks escalated in 2020 as education institutions coping with the Covid-19 pandemic had to rely to an even greater degree on technology to provide the online connections needed for virtual instruction.

Those working in the cybersecurity field say education institutions need to do a better job protecting their technology infrastructure from attack, but if they take steps to improve security, they can recover quickly from attacks and avoid paying ransom.

“It’s all about being resilient and being prepared—and once an attack happens, being able to recover from it,” says Lisa Plaggemier, executive director of the National Cybersecurity Alliance.

Types of threats

Cybersecurity breaches at a school may encompass everything from a student circumventing restrictions to look at a forbidden website to a sophisticated and malicious attack that disables an entire technology network.

The Cybersecurity & Infrastructure Security Agency (CISA), part of the Department of Homeland Security, defines some of the common cyberattacks on education institutions:

  • Phishing: A fraudulent attempt to obtain sensitive information or data, such as usernames, passwords, and credit card or bank account details, by disguising oneself as a trustworthy entity.
  • Denial of service: Legitimate users are unable to access information systems, devices, or other network resources because of the malicious actions of a cyber attacker. 
  • Ransomware: An attacker steals and threatens to disclose confidential student and staff data unless the school pays a ransom.

Targeting schools

Anyone with a computer and internet connection is a potential victim of a cyberattack, and education institutions are not the only entities at risk. But many schools are more enticing targets for cyber thieves because their technology infrastructure is more vulnerable to attacks.

“They’re going to pick on any organization that they think is a soft target, that isn’t prepared,” says Plaggemier. “If you are behind the times at all with your technology, you’re a softer target.”

School systems may be vulnerable when they don’t train their employees not to click on phishing emails, or if they don’t have good email filtering. They may find their organizations exposed if their firewall or their anti-virus software is not up to date.

“Any of those basic technology hygiene issues—if you get too far behind, you’re a softer target,” Plaggemier says.

Many school systems have fallen behind in protecting their computer systems, Plaggemier asserts. In the rush to provide students and staff with technological advancements that enhance learning and teaching, they may be less diligent in making sure the latest gadgets and software don’t create security problems.

“Schools are very quick to want kids to have the latest technology,” says Plaggemier. “But if you just go into it with rose-colored glasses and say, ‘Look at all the great stuff the kids are going to be able to do,’ in this day and age, it’s a bit naïve. When you bring in the technology without thinking about security, without thinking about the downside, or what could possibly go wrong, there is potential for harm. It’s like letting kids play in traffic or in the roughest part of town where there’s predators and criminals. It’s a free for all.”

Outside access

Education institutions have to be vigilant not only about protecting their software and technology infrastructure, but also about ensuring that the vendors working with schools have equally strong security practices.

“You have to make sure that the companies you are doing business with have met your standard for protecting your data,” Plaggemier says.

The technology that many schools use will have student and staff information that is stored in third-party systems, and that data could be at risk if the third party’s security standards don’t measure up. “What a school really needs to worry about is does it have a third-party risk assessment process?” Plaggemier says. “Does it ask those vendors to provide proof that they’re doing their utmost to protect students’ and employees’ data? It can’t be just a checkbox exercise. It needs to be a substantive conversation that they’re having.”

Be prepared

CISA recommends that schools take the following steps to help deter cyberattacks:

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts.
  • Set antivirus and anti-malware solutions to automatically update and conduct regular scans.
  • Monitor privacy settings and information available on social networking sites.
  • Configure network firewalls to block unauthorized IP addresses and disable port forwarding.

If an attack does occur, advanced preparation will help a school system contain the damage and recover quickly.

“It’s all about employees knowing what to do,” says Plaggemier. “Get off the network as soon as you can to keep [the attack] from spreading. Shut down your machine. And then, the IT folks should have backups, so you can roll over to your backups. It’s important to have the backup files structured properly so that the ransomware can’t spread to the backup files.”

That preparation includes going through possible attack scenarios as a regular exercise to anticipate what steps to take in an actual incident.

Plaggemier recommends that education institutions conduct table-top exercises, such as those offered by CISA, at least once a year in which key personnel practice how they should respond to an attack.

“You need not just the technical folks to participate, but everybody that would be involved if you had a ransomware incident—the superintendent and other decision makers at the administrative level,” Plaggemier says. “The leadership folks—their eyes get opened and they realize, ‘I get it now,’ and budgets for the IT team suddenly appear that might not have been there before.”

Don’t pay

Both the Cybersecurity Alliance and CISA are adamant that schools and universities should not succumb to threats and pay the ransom that thieves demand.

“Do not pay ransoms,” CISA urges. “Payment does not guarantee files will be recovered. It may also inspire cyber actors to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and fund illicit activities.”

Plaggemier noted that a 2019 cyberattack on 23 local governments in Texas ended with minimal disruption and with none of the entities giving in to ransom demands. State officials, who stepped in on behalf of the local governments, credited advanced preparation for lessening the effect of the attack.

“Schools should look at that example as a guide to not paying,” Plaggemier says. “Don’t wait until it’s too late. It will be very costly and very disruptive.”

 Kennedy, senior editor, can be reached at [email protected].

 [sidebar]

Security Tips

The National Initiative for Cybersecurity Careers and Studies (NICCS) has provided these cybersecurity tips for students and teachers returning to school:

  • Create strong passwords for new (and old) accounts.
  • Enable multi-factor authentication when possible.
  • Be suspicious of unsuspecting emails – double check links and attachments before opening.
  • Lock all devices when not in use (laptops, tablets, phones, etc.).
  • Keep all software and apps up to date.
  • Limit social media networks to people you actually know.
