So, your chairs are stacked, desks are empty, and you’ve almost forgotten the taste of cafeteria potatoes. How was your school year? Students aren’t the only ones letting their eyes weld shut in the sun as the last nine or 10 months really sink in.
Yet as we reflect, it’s worth looking past the highs and lows of the classroom – at your cloud security too. 2022 was a landmark period for cyber risks in education. At the start of the school year, Microsoft Security Intelligence revealed that 5.8 million ransomware attacks hit educational targets around the world, an astonishing 63% of all recorded incidents. Forbes also reported on the worrying rise of cybercrime in schools.
Meanwhile, 2021-22 still had to contend with older problems – students sharing passwords, losing devices, and accessing sites they shouldn’t. These issues are a fact of life in K-12 schools. They even affect staff. Yet in some ways, they’ve changed too.
As the final bell rings in your ears for the summer, let’s look at what may have been threatening your cloud security this year. From there, we can think carefully on how to make your information and network safer, improving defenses next term and beyond.
The state of cloud security in K-12 right now
As we’ve said, 2021-22 was a significant school year for cloud risks. Cyber criminals and nefarious organizations are more likely than ever to train their sights on you. Why? Because in the wake of the pandemic, countless schools have immersed themselves in cloud networks.
It’s easy to see why. Cloud connectivity brings students, teachers, and support staff together anywhere, with more reliable web resources. Learning tools stay fresh and responsive to class demands. Documents, slides, and videos are there at a click. Hosting can scale affordably, while bulky textbooks don’t flatten your budget. The cloud just makes sense.
But as adoption has swelled, so has the attack surface – your potential points of invasion. You might want to think of every device (or endpoint) as another expansion of territory. When another endpoint links to the network, it widens the ways in which someone can break in. Groups with names like Dark Overload – yep, really – are terrorizing more and more schools, compromising data before demanding a ransom. These attacks disrupt schools enormously, and sap hundreds of thousands of dollars from local districts.
In fact, the problem’s so bad that the Biden administration couldn’t ignore it. In October 2021, the President signed The K-12 Cybersecurity Act, a major push for federal attention on cybercrime and education. “My administration,” he promised, “is marshaling a whole-of-nation effort to confront cyber threats.” The Department of Homeland Security now has a wealth of advice for schools to stay safe online, helping plan and implement cloud protection that holds up.
However, challenges abound for using cloud computing well without slipping up. Some of the more persistent cracks in the education sector’s cloud security include:
- A lack of trained security staff: Finding and maintaining the right IT resources is hard enough. Hiring experts for your school? Probably way out of bounds. Cyber warfare is a battle of attrition and escalation; it takes highly trained people, on a sizable salary, to even begin to know what you need for decent security measures. Taking on that task is hard enough as it is, let alone with a small, underfunded security team.
- Knowing what’s out there: Malicious behavior is becoming harder to fight online. We’ll get to new cyber threats soon, but generally, they represent a knowledge gap for schools, colleges, and other public institutions. No surprise there – cybersecurity firms often market to corporations; the bigger the better. Maybe that’s why our report in November 2021 found that 30% of K-12 schools don’t have any cloud application protection whatsoever.
- Staying reactive, not proactive: The unfortunate truth is that many schools don’t think ahead for advanced threat detection. A lack of budget and awareness may squeeze that foresight shut. In other cases, responding just seems more important when manpower and technology are limited. But it’s essential to remain proactive. If you aren’t, security risks will grow under your nose.
2021-22’s top threat vectors & incidents
By grading the risks you’re facing, we can begin to understand what matters most for your cloud security. Here’s a top-to-bottom list of progressive threats.
- Phishing: Cybercriminals love to send bogus emails to contacts on your network, fooling them into clicking a link, downloading malware, or handing over sensitive details. Billions of these messages are sent every day. Both staff and students might think critically about their inboxes, but even the sharpest eyes can be tricked. KnowBe4 tells us that some of the most common phishing attempts in 2021 mimic uniform, vacation, and password change requests. But emails are only half the story. Increasingly, social media acts as the hook for dangerous bait. Consider the plague of fake live streaming invitations that swept Indiana and other states in 2022 – links on Twitter and Facebook pretending to show high school sports, but really are after your data, or preparing an attack on your devices.
- Ransomware: It’s still one of the most shocking things you can find on screen: compromised controls, missing data, and a note demanding cash. You either pay or sacrifice your database (names, addresses, contact information, financial records, medical issues, etc.) and functioning network. Ransomware continues to chip away at cybersecurity across the U.S, but the past year has witnessed those stakes rise significantly for schools. Just look at some of the highest-profile ransoms. In August 2021, Judson Independent School District paid $547,000 in taxpayer dollars to recover phones, emails, and Wi-Fi. Cybersecurity review Compritech estimates that the average ransom for 2021 was almost $240,000 per attack, with requests varying from $5,000 to $40 million, so the Judson case isn’t even that extreme.
- Third-party vendor breaches: As more schools join the cloud, they’re becoming greatly interconnected, whether they know it or not. Pioneers in cloud software are in charge of data protection, which leaves you exposed to hackers intensifying their efforts on these large, white-whale targets. Software provider Finalsite, for example, suffered an extraordinary ransomware breach in January. This shut down 5,000 school websites. And in that same month, Illuminate Education was viciously compromised, leaking student records throughout New York, California, Colorado, and other states.
- Student & staff mistakes: As much as you’d like to trust your users and assume they’re super savvy with digital vigilance, they can make the wrong moves online. Students and staff alike are especially prone to clicking a dangerous link, responding to a phishing message, or leaving their devices unlocked for anyone to use. K-12 is a difficult proposition for cybersecurity. You have to make students and staff aware of their responsibility at school and home – which magnifies as they connect to personal networks with their own security threats. One leak can spread into yours via a single device. Before hybrid learning, this was less of a problem, but cloud technology is now so entrenched within so many curricula that you have more corners to cover.
3 Lessons learned in 2021-22
That’s enough studying for now. What insights can we take from everything that’s happened in the last academic year?
1. Attack surfaces will keep growing
As large as the terrain for cyberassaults might be, it will continue to expand. More devices, users, and applications are joining the cloud. Your own school isn’t likely to be an exception.
Students and staff will want to work on several devices, check background material on their phone, connect with tutors if they’re sick, and tap into resources for exam periods – all part of the cloud habit.
We should celebrate this trend, even as we admit that cybersecurity programs are struggling to keep up with wider attack surfaces. Your security should be a step ahead of the amount of endpoints it’s meant to protect. Plan for a larger network than you have, instead of scaling reactively.
2. Sophisticated phishing is your key concern
Whether it’s masquerading as attachments, file extensions, streaming links or password alerts, phishing and malware are becoming tougher to spot. Even more so than ransomware, it can worm past security checks, appearing as something your students and staff should trust.
Phishing education has never been more important. Neither has advanced cloud threat detection, which wheedles legitimate messages from those that seek to do you harm. You may want to explore spoof intelligence, reviewing internal and external domains, or implicit authentication techniques. These bring up as much information as possible about who, where, and what is tied to an incoming message.
3. Funding can hold you back, over and over again
EdWeek has already reported on the funding disparities between American schools in 2021-22. Simply paying for good facilities, teachers, and extra-curricular tools is hard enough.
Cybersecurity investment isn’t matching the real danger every school faces, because they are more concerned with balancing the books elsewhere. Yet a compromise or breach can undo all of that good work.
The question remains: How do you reach for first-class security that doesn’t burn a hole in your finances? Stay with us. We’re about to show you.
Looking ahead – your plan for the fresh term
With so many threats just beyond the digital equivalent of your school gates, it’s tempting to spend the summer in crisis. The task ahead may seem huge. But cloud security doesn’t have to keep you up at night. We’re ready to safeguard your network with threat intelligence and detection – specifically for Google Workspace and Microsoft 365.
ManagedMethods is your automated cloud security lock.
We’ve designed it specially for K-12 institutions, so you’re never in the dark for network oversight. On a single dashboard, you’ll see every real-time risk to cloud sharing, remote access, applications, chat features, and school emails. There’s automated risk protection against malware and phishing schemes. As soon as something’s flagged as a threat, it’s stamped out, with zero delays to your network.
Microsoft and Google Workspace are the crux of cloud learning support. Thanks to ManagedMethods, you can switch between them, guarding breaches at every level. We’ve made sure it’s affordable too.
As the new term approaches, give your cloud the silver lining of protection it deserves. Let’s make 2022-23 the year where schools fight back.