How did K-12 cybersecurity fare in 2019?

Are you concerned about cybersecurity? Most K-12 leaders are. You’re gathering an incredible amount of sensitive data about students, and you need to protect your district’s business systems. But, are you doing enough?

It was widely reported that K-12 wasn’t doing enough in 2018. For example, according to a 2018 analysis from SecurityScorecard, an IT security company in New York City, the education industry ranked last in cybersecurity as compared to 17 major industries.

Today, the question is whether 2019 K-12 cybersecurity has improved.

2018 K-12 Cybersecurity Year in Review

A review of the information gathered by the K-12 Cybersecurity Resource Center for 2018 will provide a frame of reference for understanding how things changed in 2019 K-12 cybersecurity.

Schools are increasingly dependent on technology

In 2018, statistics proved that K-12 schools continued to increase their reliance on technology for teaching, learning, and school operations. Here are just some examples.

  • In 2013, 4 million students had access to broadband, and that number rose to 44.7 million in 2018.
  • More than 50% of teachers and students use mobile devices.
  • Schools can access real-time information from information systems containing student information.
  • Human resource departments manage payroll and benefits programs online.

The Top 10 Incidents in 2018

2018 saw an alarming number of cybersecurity attacks. The K-12 Cybersecurity Resource Center ranked the Top 10 K-12 Cybersecurity Incidents:

  1. February 2018 in Pennsylvania: An unintentional action put the Pennsylvania Department of Education’s Teacher Information Management System (TIMS) at risk, affecting 330,000 staff.
  2. March 2018 in Texas: A lateral phishing email campaign led to the unauthorized distribution of a district’s W-2 tax forms for all employees.
  3. March 2018 in Florida: A Florida Virtual School inadvertently published confidential student and teacher data on the internet. Hackers put the data up for sale on the dark web.
  4. April 2018 in Massachusetts: A district experienced a ransomware attack. The district was unable to recover and paid $10,000 to the hackers to regain control of critical systems.
  5. May 2018 in California: A student used a phishing email attack to gain access to his school’s grading system, an attack the student described as beginner level.
  6. September 2018, Nationwide: In an unprecedented action, the FBI issued a statement warning school leaders and parents of the privacy and safety issues related to the explosion of EdTech applications and the extensive collection of sensitive student data.
  7. October 2018 in New York: A U.S. Senator asked for Federal aid to combat ongoing distributed denial-of-service (DDoS) attacks that disrupted dozens of New York school districts.
  8. November 2018 in Chicago: An employee left her job at Chicago Public Schools (CPS) and took the personal information for approximately 70,000 people from a database.
  9. November 2018 in Texas: A hacker gained access to a district’s business system and redirected $2 million intended to pay a school construction vendor to a fraudulent account.
  10. December 2018 in California: A hacker used email phishing to collect login credentials for the district’s systems. The resulting data breach included information on over 500,000 individuals.

The 2018 incidents cover a range of attacks including data breaches (46.34%), phishing emails (15.45%), ransomware (9.76%), and denial of service (9.76%). These incidents closed down schools, cost school districts millions of dollars, and put sensitive student and employee data at risk. They affected district operations and the personal lives of students, parents, and employees.

Lessons learned

In 2018, Doug Levin at the K-12 Cybersecurity Resource Center had advice for the K-12 industry to consider for 2019. He urged K-12 stakeholders to set a goal to reduce and manage the cybersecurity risks technology-dependent schools face and to take significant steps to reach that goal.

He also recognized that reaching that goal will require money and new policies and regulations. However, Levin also urged school leaders to share information and to develop and communicate best practices for combatting today’s cybersecurity attacks.

2019 K-12 cybersecurity trends: how did we do?

According to the K-12 Cybersecurity Resource Center, school districts reported a 62% increase in cybersecurity incidents as of December 1, 2019 over 2018. This increase is likely due to a number of factors.

  • There was a 256% increase in data breach incidents.
  • K-12 districts became the second most targeted institutions among attacks on schools, municipalities, law enforcement agencies, and healthcare organizations.
  • Schools are getting better at detecting data breaches, and more open about reporting them.
  • Schools are increasing their use of digital data systems, which makes them more likely to experience accidental exposure.

K-12 cybersecurity is becoming increasingly complex

Another problem is that providing IT for the K-12 sector is becoming more complex, which is straining school districts’ cybersecurity infrastructure and expertise.

K-12 IT teams are responsible for securing 11 different types of devices. Those devices use 258 different operating system versions and over 6,400 different Chrome extensions. The increase in device usage, known as Bring Your Own Device (BYOD), is astronomically increasing the number of endpoints that IT staff must monitor. While managing access to school systems on school PCs is a challenge, it’s much more complicated when a large number of mobile and other devices are in use.

Schools are using more cloud computing. As a result, sensitive information such as student social security numbers and employee W-2 forms is more at risk now than ever before.

Schools are also using a growing number of classroom management and other EdTech applications, which increases the types of EdTech risks schools must address. In addition, OAuth risks rise with the increase in EdTech usage.

Where do we go from here?

As you probably know, awareness of the K-12 cybersecurity crisis exploded in 2019. School districts and state governments are working hard to make their systems more resistant, and to manage cybersecurity attacks more effectively when they happen.

But, more needs to be done. The challenges faced by K-12 IT staff are unique and evolving. K-12 stakeholders must get serious about prevention by focusing on technology such as cloud security, and by sharing strategies and tactics that work within the K-12 community.
