The number of cyber attacks on schools has grown at a “steady uptick” since September 2022, with incidents becoming both more frequent and more severe, said Doug Levin, national director of the K-12 Security Information Exchange (K12 SIX). His organization is a nonprofit and information sharing and analysis center (ISAC) that focuses on K-12 cybersecurity.
And while 2021 saw 166 reported cyber incidents impacting 62 school districts across 38 states, plenty more attacks went undisclosed.
“I would not be surprised if the numbers of incidents that schools are experiencing are far, far greater than what is ever disclosed publicly — maybe even as much as 10 times more happening than we do know about publicly,” Levin said.
Like many organizations, schools rely on a variety of back-office software — all of which could be compromised by hackers. Plus, educational entities have the added risks of holding plenty of valuable student and faculty data while having only limited resources to use in its defense.
Public education entities face off against everything from ransomware extortionists to distributed denial of service (DDoS) attacks wielded by students, and attacks come quickly.
Robert Hackworth, security program manager and CISO of the Kentucky Department of Education, said his department alone can see domestic perpetrators rack up as many as 5,000 malicious login attempts within just four days. Foreign-based attacks come even more frequently.
“It takes even just three hours to accumulate 5,000 malicious login attempts from overseas, directed towards just the department of education — that doesn’t even include the 171 other [school] districts,” Hackworth said.
Schools also face the challenge of needing to provide digital services to students of all ages, while recognizing that younger users can only be expected to follow so many safety best practices.
“We have children in our school district that are 3 years old,” said Jennifer Lotze, instructional technology coordinator of Wisconsin’s Hudson School District. “Well, I’m sorry, but I’m not going to put MFA [multifactor authentication] on a 3-year-old’s account, even though they have a Hudson Raiders account.”
HOW MUCH CAN INSURANCE HELP?
As schools consider available supports, cyber insurance presents a mixed picture. Insurers have been responding to the growing threats and damages of cyber attacks by raising premium prices, reducing coverage and demanding would-be customers meet more cybersecurity best practices if they wish to be considered.
While these trends are playing out across sectors, they may be especially felt in the education sector, which has been deemed a high-risk industry, said Dave Hinchman, acting director of the Government Accountability Office’s (GAO) Information Technology and Cybersecurity team. What’s more, some school districts simply cannot afford to adopt the cybersecurity practices insurers require.
Insurance also is only so helpful: it provides funds for recovery after a cyber attack strikes, but doesn’t prevent damage in the first place, Hinchman reminded.
“We found one example where a school district was reinfected several days after the ... initial attack because their insurance company wasn’t providing sufficient recovery response,” he said.
Still, insurers’ cybersecurity requests can also give schools ideas for how to improve, and the lure of more affordable policies can be motivating.
“On the positive side, insurance has been, frankly, probably the single greatest forcing function right now in the K-12 sector to get school districts to uplift their cybersecurity practices,” Levin said. “At the end of the day, what the insurance companies are asking for at a high level are really sort of basic cyber hygiene practices that we would expect, frankly, from most any organization.”
PRIORITY ACTIONS
Schools’ limited resources make it impossible to tackle everything, but certain high-priority steps can go far, said Michael Klein, digital infrastructure impact fellow in the U.S. Department of Education’s Office of Education Technology.
“The vast majority of ransomware is coming through three things, right? It’s coming through phishing; it’s coming through password reuse and compromise; and it’s coming through on unpatched software,” Klein said.
Schools can reduce cyber risks by taking steps like adopting malicious domain blocking; requiring strong, randomly generated, unique passwords; implementing phishing-resistant MFA; and patching and updating, he said.
There are an “overwhelming” number of vulnerabilities out there that could theoretically be patched, Klein noted. But the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerability Catalog makes this work manageable by identifying the vulnerabilities actively seen being exploited — and thus the ones that organizations should prioritize.
Klein also urged schools to engage in information sharing, such as by turning to fusion centers and joining the Multi-State ISAC (MS-ISAC) for free. Tabletop exercises — available from CISA and MS-ISAC — can also help schools engage leadership in walking through a hypothetical cyber incident, and creating cyber incident response plans prepares schools to act in an emergency.
Schools looking to better understand their needs can also turn to CISA for free assessments of their cyber resilience postures and defenses against ransomware.
“I can’t speak highly enough of the CISA resources,” said Lotze, whose district participated in both. “They will come on-site and support you and go through a full-day audit. You feel very exposed, but very thankful to know what’s happening on your network, what’s happening in your infrastructure.”
FAR-REACHING TOOLS
Schools with limited IT teams can also get around-the-clock defense by adopting automations and outsourcing services, Levin said.
“Better tools that require expert staff to tune and monitor them is something that is maybe not well suited, except for some of the largest school districts in the country that have the ability to run their own teams,” Levin said.
Instead, offerings like managed security operations centers (SOCs) and security orchestration, automation and response (SOAR) tools can provide support without demanding as much from school staff.
It’s not all about buying products, either. Schools can make use of free resources and often will find that already-purchased tools have security features that IT staff can enable, Levin said.
These questions also come as states wait to hear back on their State and Local Cybersecurity Grant Program applications, whose funds could be directed to support school cyber defenses, panelists noted.
STATE & FEDERAL SUPPORTS
K-12 districts can also call upon state resources for help.
Wisconsin, for example, is among those that offer volunteer teams of cyber experts to help public agencies.
When the Hudson School District discovered an incident, “at the same time as calling my cyber insurance, [I] called the Wisconsin Cyber Response Team,” Lotze said. “They had us on a call with about 25 different people within about a half hour, all working to help us find out where the bleeding was and start to triage.”
Kentucky, meanwhile, hopes one of its fusion centers can help schools intervene with students who launch DDoS attacks, and steer them to more acceptable behaviors, Hackworth said.
“This fusion center … is still trying to kind of find its way just a little bit, but they’re very interested in trying to help us provide resources to students who need a little extra help. And to keep them from kind of turning … towards the dark side,” he said.
After a cyber attack shut down the Los Angeles Unified School District (LAUSD), the federal government pulled together its various cyber resources into one spot for schools to find: https://tech.ed.gov/cyberhelp/. Schools that have suffered a cyber attack can also contact the Privacy Technical Assistance Center for help with navigating remediation, Klein said, and other resources related to student privacy are available at https://studentprivacy.ed.gov/
