Cathy Marques, director of the Massachusetts Office of Municipal and School Technology, said program enrollment has increased by about 15,000 since last year, as schools continue to defend against phishing and ransomware attacks.
“What they’re saying is that their IT departments have been kind of overwhelmed with phishing questions,” she said. “That’s why this year, we did a lot more reaching out to schools to offer this program, because we were aware of the uptick of the issue in schools versus the towns.”
According to state officials, the program teaches trainees about phishing attacks, “smishing” SMS attacks, USB drop attacks, data-entry attacks and data breaches. The training features cyber attack simulations to familiarize participants with malicious luring techniques used by cyber criminals to access school IT systems.
Marques said the program, introduced in 2019, has expanded its grant funding managed by the Executive Office of Technology Services and Security to about $250,000 to train more government and school employees. The program has given teachers more flexibility this semester on when to complete the modules, though Marques expects teacher enrollment to increase more after teachers adjust to the reintroduction of in-person learning this spring.
“I think that, should this program continue next year when the pandemic is more under control and teachers have a better handle on what’s going on in their schools, they’ll be able to find more time. I think more schools will be interested,” she said of the program, which builds upon other local cyber awareness efforts.
As with neighboring districts in Massachusetts, schools in Chicopee have had to grapple with new types of cyber threats. According to Chicopee Public Schools Chief Information Officer Andrew Vernon, promoting cybersecurity awareness in schools has been a top concern of education officials since before the COVID-19 pandemic, which he said has thrust K-12 cyber threats “into the limelight.”
In November 2019, the district fell victim to a ransomware attack involving a combination of Emotet and Ryuk malware, which Vernon said was uncommon at the time. The perpetrators of the attack demanded $300,000 in exchange for access to compromised devices.
Though the district recovered from the attack without paying those responsible, administrators have remained on high alert for similar ransomware incidents. Vernon said the district now uses its own web-based training program focused on phishing and ransomware, in place of the state program.
Despite increased vigilance, Chicopee officials experienced yet another, less expected cyber incident last month involving an email bomb threat directed against Chicopee Comprehensive High School. The email told parents, students and teachers that IEDs (improvised explosive devices) had been placed in 10 classrooms, prompting administrators to put the school on lockdown.
Unlike most ransomware attacks that usually extort schools and organizations in exchange for system access, Vernon said this particular incident was not motivated by monetary gain and didn't impede access to devices.
“Someone or something with malicious intent connected via a VPN to send a spoofed email back to Chicopee Public Schools,” he said. “We do not know for a fact that it was a human.”
Vernon said it is often difficult to find who is responsible for cyber crimes directed against schools, which often involve malware outside the U.S.
To his knowledge, he said, the perpetrators of the email threat have not been identified, and little is known about many ransomware attacks like the one experienced in Chicopee last year.
“Today, no one has determined the definitive vector through which the Ryuk flavor of ransomware enters their network,” he said of the attack.
Since both incidents, Vernon said administrators have encouraged parents, teachers and students to look out for common signs of cyber threats and report anything unusual to school officials. He said many cyber threats, such as phishing, can be caught early by noticing misspellings in emails or domains, among other indicators that something is “off.”
“Whether it be administrators, staff, faculty - everyone should be aware [of cyber threats], especially in the context of the pandemic, where folks are working remotely. Individuals are more tied to their devices and inboxes than they probably were a year and a half ago, and communication is key,” he said.
Cybersecurity awareness is among the most crucial factors in preventing cyber attacks, according to Vernon, along with changing passwords frequently.
As cyber criminals look to take advantage of new vulnerabilities in increasingly tech-integrated school districts, Vernon said local school districts and the state are working to promote and strengthen a culture of cyber hygiene in K-12 schools.
“You’d be hard-pressed to find any school district in the nation where that’s not happening right now,” he said. “It’s something where all citizens should be aware of it, regardless of who you are or what you do.”
