School Cybersecurity Is Everyone’s Responsibility

School districts continue to get hit by ransomware attacks. But it’s not just IT’s job to keep networks and data secure.

A person wearing a black hoodie with their back to the camera in front of lines of code with the word "hacked" in red in the middle.
Gerd Altmann/Pixabay
The Las Cruces Public Schools in New Mexico were hit by a ransomware attack in October 2019 that shut down the district’s network for weeks. It took months for Las Cruces to re-secure its data systems, while staff put in thousands of extra work hours to manually scrub 30,000 computers, back up computer files, and reinstall operating systems and software.

Though the attack rendered a serious blow to district operations, in many ways Las Cruces was fortunate it wasn’t worse. They didn’t pay the hacker’s ransom demands, and they had backup systems in place for district and student data that allowed business operations to keep running throughout the ordeal. Additionally, Las Cruces had an IT staff that was able to quickly react and implement solutions. And all of this occurred just prior to the pandemic and the district’s move to remote learning, so the timing was fortuitous.

But other districts experiencing ransomware attacks weren’t as fortunate. And those that haven’t yet been hit nor taken preventative measures are likely living on borrowed time. Because when it comes to cybersecurity, “hope” is not an effective prevention strategy.

Ransomware attacks have become a major issue for K-12 schools. It’s reported that 65 percent of recent attacks have been directed at schools, highlighting a serious issue for educators that’s only getting worse. And with schools’ moves to remote learning over the past year and a half — and a greater dependence on network-based instructional technologies going forward — the importance of stable data networks has increased. So have the potential entry points for nefarious groups scouting for vulnerabilities in district networks.

WHOSE PROBLEM IS IT?


Las Cruces school officials believe the hackers who accessed their network did so through a phishing scam, meaning someone using a computer on the district network opened a bogus email attachment, allowing the bad actors to take over the user’s device and infiltrate the network. Officials believe the intruders then had access to the district’s network for weeks to poke around and strategize actions prior to making their presence known.

So, though IT staff are typically the ones tasked with fixing the bulk of the mess created by a ransomware attack, one seemingly innocent mistake by someone using a networked computer can lead to a world of hurt for many. Meaning, the responsibility for keeping networks secure is shared by all users: staff, teachers and students alike.

WHAT’S TO BE DONE?


  • Cybersecurity assessment. If they haven’t already, districts should have a cybersecurity assessment conducted by a reputable partner. These assessments are usually free and can help districts prioritize their needs, identify their areas of greatest risk, and then define next steps and costs required to fix the issues, which may be approved expenditures for federal relief funds.
  • Data backups. School districts should regularly back up all important data in a secure location not accessible through the district network.
  • Training. An IBM-sponsored study found that 60 percent of teachers and administrators haven’t received any training or guidance on their roles in preventing cyber attacks, nor on the potential perils of connecting their personal computers to district networks. And since phishing expeditions are known to be a key tactic for hackers to access district networks, all endpoint users should be trained and regularly alerted to new intrusion scams.
  • Update and maintain applications. Districts should require that updated anti-virus and anti-malware applications be maintained on all endpoint devices, meaning any digital device connected to the district network, including those owned by staff and students. And instead of depending on users to conduct these updates, districts should be automatically and remotely updating their devices when they connect to the network. Since product developers periodically upgrade applications in response to new cybersecurity threats, districts should also keep endpoint device operating systems and software up-to-date.
  • Lock down endpoint devices. Districts should block users from independently installing new applications on district-owned devices. Having been involved in implementing this strategy, I know it can frustrate many district employees, especially teachers. Schools will need to devise a timely and workable solution to ensure educators are able to get vetted instructional applications installed on their computers, as well as on their students’ devices.
  • Separate networks. Districts should install an administrator and staff network that’s separate from a student and guest network so any intrusion issues can be isolated.
  • Improve password security. Requiring school district users to frequently change and strengthen their passwords for networked applications is a practice that’s likely to be met with resistance. One can argue that teachers’ jobs are hard enough without one more irritant. But these precautions are becoming a necessity, and offering users a password management tool can help temper their frustrations.

The Consortium for School Networking has been spearheading a push with the Federal Communications Commission to expand the federal E-rate funding program to include cybersecurity coverage to better protect schools. This is an important initiative that will require serious attention and additional funding support from all levels of government.

But as ransomware attacks become more sophisticated and prevalent in K-12, a strong first defense is a well-trained user base to help keep districts’ network doors tightly secured, making it as hard as possible for potential intruders to break in.
Kipp Bentley is a senior fellow with the Center for Digital Education. He has been a teacher, a librarian, and a district-level educational technology director. He currently writes and consults from Santa Fe, New Mexico.