A Legislative audit of IT security in K-12 schools released earlier this week found that, of the 147 districts (roughly half the school systems in the state) that responded to a survey 69 percent did not have a response plan in the event of cyber attack and 28 percent had not even installed anti-virus software on all school computers.
The survey was anonymous and specific details about individual districts were not made public.
The result is a financial and privacy risk for Kansas, students and families, said Alex Bardas, an assistant professor in the computer science department at the University of Kansas.
"Fixing the infrastructure in the 'middle of a storm' is costly. On the other hand, once personal employee and student data is leaked families will be affected in multiple ways," Bardas said.
The audit comes as cyber attacks against K-12 schools and government entities nationwide increase, and as more schools have moved online due to the COVID-19 pandemic. A joint advisory issued last year by the FBI and cybersecurity agencies reported that in August and September last year, 57 percent of all reported ransomware cases involved K-12 schools, up from 28 percent in January through July.
This past spring, the Park Hill district was forced to cancel classes when a ransomware attack caused a major system outage. Park Hill's computer systems locked up in March, and officials noticed that someone had encrypted several files to try to force the district to pay a ransom.
The the Northland school district turned to national experts and the FBI to help investigate. District officials were able to use system backups to avoid paying the ransom and said at the time they were working to strengthen their defenses.
A ransomware attack in Baltimore County in Maryland forced schools to cancel classes for five days around Thanksgiving 2020, according to The Baltimore Sun. Also last fall, personal data was stolen from Toledo Public Schools in a similar attack, news outlets reported. This past spring, Buffalo Public Schools in New York faced a ransomware attack, The Buffalo News reported.
The FBI has warned that hackers target schools because of their increased use of technology and sometimes limited resources for cybersecurity protections.
In Kansas, auditors found that more than half of the responding districts did not meet a variety of best practices for data and IT security, although large districts tended to perform better than smaller ones.
Roughly half the districts, auditors said, reported that funding was a major barrier to meeting best practices.
For students and districts, Bardas said, this means the data and systems that house it are vulnerable to breaches, phishing and ransomware. Furthermore, he said, compromised devices can be used to launch further attacks.
Fixing the problem during an attack, he said, would be far more costly to districts and the state than implementing safeguards now.
And Kansas families may be at risk of their data being accessed and used in illegitimate financial transactions that could harm their credit score.
"Monitoring credit scores and keeping an eye on these types of transactions comes at a price that the State or families will need to cover," Bardas said.
To resolve the problem, state auditors said the The Kansas Department of Education needs to establish statewide guidelines for IT security in school districts.
The department said in it's response to the audit that the agency is not currently equipped to provide IT support and that new staff members would need to be hired.
Though the state would be able to provide simple guidance, it anticipated schools would then require support.
"We have limited state appropriations for internal agency operations," John Hess, Director of Fiscal Services and Operations at the Department of Education, told lawmakers during a hearing Tuesday.
But lawmakers said the department should provide the guidance and rely on districts to pay for the staff and technology needed to make proper improvements.
"We are fully funded and our school districts need to take this on," said Rep. Kristey Williams, an Augusta Republican.
She and other members of the Legislative Post Audit Committee expressed frustration that the Department of Education had not proactively issued those recommendations.
"It seems to me the state school board's not even making sure we're doing some of the basic requirements of protecting the identification of some people," Sen. Rob Olson, an Olathe Republican said.
"I can't believe in this day and age that we're this far behind."
©2021 The Kansas City Star (Kansas City, Mo.). Distributed by Tribune Content Agency, LLC.
