Every year is an opportunity to turn over a new leaf and start anew. With the rest of 2023 ahead, many K-12 schools are looking forward to a safe and prosperous year of academic excellence — as long as hackers don’t get in the way.
As a school district, you have a responsibility to protect student data from unauthorized access. But with increasingly sophisticated cyber criminals targeting the education sector at an unprecedented rate, cyber security in schools isn’t a walk in the park. You need to know exactly which security threats you’re up against, where your district may be vulnerable, and how you can better manage cyber risk.
Fortunately, that’s why we’re here. To help you prepare for a potential attack, let’s review the state of cyber security in schools and what your district can do to better protect sensitive data and personal information in 2023.
Why do schools need cyber security?
The bad news is that the education sector has a long road ahead when it comes to protecting student data. Why? Because virtually every district in the country is incorporating information technology into the classroom learning experience, further complicating the challenge of securing sensitive data.
During the pandemic, when remote learning became essential, the vast majority of schools migrated away from their on-premises computer information systems in favor of cloud technologies like Google Workspace or Microsoft 365. In fact, Edweek Research indicates that at least 90% of the K-12 school system operates in the cloud using one (or both) of these cloud domains.
Here’s the issue: Most schools didn’t implement cloud security in equal measure. According to Edweek, just 20% of cyber security budgets are allocated to safeguarding cloud-based data.
Recent K-12 cyber attack examples
Sadly, this enormous gap has had its consequences. In fact, if you take a hard look at the American school system, you’ll start to realize that major data loss incidents are happening left and right.
Perhaps the most famous example is the devastating attack on Los Angeles Unified School District (LAUSD) in late 2022. Over Labor Day weekend, a threat actor known as Vice Society launched a sophisticated ransomware attack that breached LAUSD’s computer system. Ultimately, after refusing to pay an enormous ransom, the hackers exposed over 500GB of student data on the dark web.
After the incident, the U.S. government warned the education sector that ransomware attacks and similar security threats may continue throughout the school year — and so far, it has been right. Even just a few months into 2023, cyber criminals continue to significantly impact the school system.
Des Moines Public Schools, Iowa’s largest district, canceled all classes in January after hackers infiltrated its school network and forced computer information systems offline. Ultimately, hackers made out like bandits, stealing student data and forcing Des Moines to push back its final school day.
Later that same month, Tucson Unified School District — also the largest in its state — suffered a ransomware attack. The threat not only impacted cyber operations, but also exfiltrated personal information.
Security threats are on the rise — but why?
These incidents underscore the obvious: Cyber security in schools is a major problem. Recognizing the severity of the issue, the U.S. government ordered the Cybersecurity and Infrastructure Security Agency (CISA) to research the education sector in 2021. Finally, they’ve published their findings.
According to the report, school-related security threats are getting worse. In fact, CISA claims that K-12 cyber crimes tripled over the pandemic. The number of reported incidents skyrocketed from 400 in 2018 to over 1,300 in 2021.
A different study from the Government Accountability Office found that most cyber attacks had enormous consequences during that time span. Monetary damages ranged from $50,000 to over $1 million. The loss of learning following an attack ranged from three days to three weeks. Worse yet, ransomware attacks affected over two million students.
But why? What do hackers have to gain?
Simply put, student data is an enticing target for hackers looking to make a quick penny. A single school system is a treasure trove of sensitive data that could go for big bucks on the dark web. Also, it would be incredibly damaging for a district if that information were leaked on the internet for anyone to access.
According to Doug Levin, co-founder of K12 SIX, many people assume hackers have better ways to spend their time than targeting student data.
“This is among the biggest misconceptions held about school cyber incidents,” Levin told Education Week. “Schools manage more than enough money to capture the attention of cyber criminals, to say nothing of the value of the data they hold. While most cyber criminals couldn’t care less about students’ algebra grades, it turns out that the identity information of minors is especially valuable to criminals interested in perpetrating credit and tax fraud.”
Top cyber security threats in 2023
Hackers have many techniques in their arsenal when it comes to breaking down your defenses (or lack thereof). Here are some of the top ways cyber criminals target student data you should look out for in 2023:
- Ransomware: Ransomware attacks involve cyber criminals accessing personal information and holding it hostage in exchange for payment. Globally, ransomware attacks are expected to cost $265 billion annually by 2031.
- DDoS: A distributed denial-of-service (DDoS) attack is when a threat actor makes a resource, such as the school network or certain computer information systems, temporarily inaccessible.
- Phishing: Hackers often attempt to fool their targets into providing login credentials or personal information that could lead to more sensitive data. Scammers may send seemingly safe emails to school accounts or entice users to click a link in a text message or on a website under the guise of a name they recognize.
- Invasions: Also known as Zoombombing or Zoom-raiding, this technique involves a threat actor cracking into a video conference, interrupting the class, and causing mayhem.
- Typosquatting: Another increasingly dangerous cyber threat impacting the education sector is typosquatting. Also called URL hijacking, this social engineering tactic relies on users making typos when typing in a URL or clicking on a link. The lookalike sites pose as legitimate school domains but are actually malicious websites that collect personal information.
- Third-party vendors: Information technology vendors, such as cloud service providers, normally have access to school data. If their own cyber security posture is weak, they may be breached or leak information private to the district.
According to K12 SIX, the average school district experiences at least one incident per school day. That said, anecdotal evidence suggests there could be 10 to 20 times more events that go undisclosed every year.
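To make the typosquatting item above concrete from the defender's side, here is an added example (not part of the original article) that flags lookalike hostnames in DNS or web-proxy logs. The district domain, the sample hostnames and the distance threshold are assumptions chosen for illustration.

```python
# Added example: flag lookalike domains seen in DNS or web-proxy logs.
LEGIT_DOMAINS = {"springfieldschools.example"}  # hypothetical district domain

# Digit-for-letter swaps that read the same at a glance.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalise(domain):
    """Lower-case and undo common visual substitutions ("rn" reads as "m")."""
    return domain.lower().rstrip(".").translate(HOMOGLYPHS).replace("rn", "m")

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(domain, max_distance=2):
    """Return (verdict, matched_legit_domain) for one observed hostname."""
    d = domain.lower().rstrip(".")
    if d in LEGIT_DOMAINS or any(d.endswith("." + l) for l in LEGIT_DOMAINS):
        return ("legitimate", d)
    for legit in LEGIT_DOMAINS:
        if normalise(d) == normalise(legit):
            return ("homoglyph-lookalike", legit)
        if osa_distance(d, legit) <= max_distance:
            return ("typo-lookalike", legit)
    return ("unrelated", None)

# Constructed sample of observed hostnames (not real log data).
OBSERVED = ["springfieldschools.example", "mail.springfieldschools.example",
            "springfie1dschools.example", "springfeildschools.example",
            "sprngfieldschools.example", "khanacademy.example"]

def scan(observed):
    """Return only the lookalikes, as (domain, verdict, impersonated) tuples."""
    out = []
    for d in observed:
        verdict, legit = classify(d)
        if verdict.endswith("lookalike"):
            out.append((d, verdict, legit))
    return out
```

Short domains produce more false positives at the same threshold, so lower `max_distance` for them and review hits before blocking.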
School cyber security challenges
Unfortunately, many school districts are unprepared to keep these daring cyber criminals at bay. There are many factors that limit their ability to manage cyber risk. Here are some of the most important:
- Lack of staffing: Many schools lack the numbers to effectively monitor student data at scale. CISA’s report claims many interviewed school officials say they don’t employ full-time cyber security professionals. Even worse, some schools don’t have any cloud security whatsoever.
- Lack of budget: K-12 schools, especially those that are public, have tight budgets. IT departments often have a hard time communicating with school administrators regarding the need for cyber security resources.
- Absence of policy: Cyber security in schools is highly variable from district to district. In other words, there isn’t a single framework for educators to follow, which makes it difficult to implement best practices at scale.
Notably, the size of the district doesn’t necessarily mean protecting student data is any easier. According to K12 SIX’s Doug Levin, larger school systems have more money, manage more users, and contain far more devices. All of these factors increase their vulnerability to security threats, as their already limited resources are stretched exceedingly thin.
Cyber security tips for the education sector
Don’t worry: There’s plenty you can do to strengthen your school’s cyber security posture. Let’s take a look at some helpful strategies you can use to improve security management:
Choose a framework to focus your effort
As mentioned, there isn’t a single standard that school districts follow. Do your research and identify a framework that works best for your school. We recommend starting with the NIST Cybersecurity Framework for K-12 school districts.
Once you’ve decided on a set standard, start implementing it. Create a formal cyber security policy around that framework, including a threat response plan and set of protocols in case of a cyber attack.
Vet your third-party vendors
Review your list of cloud service providers. Two of the most common are Google Workspace and Microsoft 365. But don’t stop there — take a good hard look at your entire information technology stack. Assess each vendor’s security policy and see whether they have a history of data loss incidents.
Teach cyber security awareness
They say knowing is half the battle, which is why cyber security education is so important. Teach students and staff best practices when handling personal information, including how to spot scams, malware, and other threats before it’s too late.
Automate monitoring and workflows
Your security team can only do so much at a time. That’s why automation is your best friend. Deploy security technologies that automate risk detection and other important workflows so that you can cover all your bases. That way, your team can operate with the confidence that sensitive data is always under wraps — even when they’re off the clock.
Apply for federal funding
As part of its research, CISA also developed a list of three recommendations for K-12 school districts. One of them is to apply for the State and Local Cyber Security Grant Program: an accessible way to overcome your budgetary limitations. Here’s more information about the program and how you can use it to your advantage.
Looking ahead: The future of K-12 cyber security
It’s important to stay abreast of the latest developments in the education sector, especially where data security is concerned. Don’t worry — we’ve got you covered. Here are five things to keep in mind about the future of cyber security:
- Cyber crime likely to increase: Hackers are showing no signs of slowing down. So far, student data has been easy pickings for cyber criminals, with little to no resistance in their path.
- Attacks to become more sophisticated: With more schools focusing on protecting data, threat actors are drawing up new strategies to snatch up personal information. As they do, hackers are sure to introduce complex new techniques in the future.
- State laws on the horizon: Legislators in 36 states introduced 232 K-12 cyber security bills in 2022, enacting 37. If momentum continues, more regulations are likely to come.
- Security spending increasing: 75% of districts say they’ll increase spending on data security and privacy in the next two to three years, with 90% choosing to continue using the digital tools they adopted during the pandemic.
To that last point, one potential area of focus for cyber security spending is a cloud-based data loss prevention solution.
The advantages of data loss prevention
Data loss prevention (DLP) is the process of detecting and preventing data breaches and leaks in your school district. Cloud DLP is the same process, applied specifically to cloud applications like Google Workspace or Microsoft 365.
Cloud DLP uses preconfigured and customizable policies to automate threat detection. When a policy violation occurs, DLP solutions rapidly alert your designated point person with the most relevant information. With key details in hand, they can investigate the incident with speed and ease.
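The policy-then-alert flow described above, sketched as an added example (not from the original article and not any vendor's implementation). The policy names, the `SID-` student ID format, the event fields and the sample events are all assumptions constructed for illustration.

```python
import re

# Hypothetical policies: one "preconfigured" style rule (U.S. SSN format) and
# one "custom" rule (an assumed district student ID format, SID-######).
POLICIES = [
    {"name": "SSN shared outside district",
     "pattern": re.compile(
         r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
     "visibility": {"external", "anyone_with_link"}, "min_matches": 1},
    {"name": "Bulk student IDs on public link",
     "pattern": re.compile(r"\bSID-\d{6}\b"),
     "visibility": {"anyone_with_link"}, "min_matches": 3},
]

def redact(value):
    """Keep only the last two characters so the alert does not re-leak data."""
    return "*" * (len(value) - 2) + value[-2:]

def evaluate(event):
    """Return one alert dict per policy that the file-sharing event violates."""
    alerts = []
    for policy in POLICIES:
        if event["visibility"] not in policy["visibility"]:
            continue  # policy only applies to the listed sharing levels
        hits = policy["pattern"].findall(event["text"])
        if len(hits) >= policy["min_matches"]:
            alerts.append({"policy": policy["name"], "file": event["file"],
                           "owner": event["owner"], "matches": len(hits),
                           "sample": redact(hits[0])})
    return alerts

# Constructed sample events (not real data).
EVENTS = [
    {"file": "roster.csv", "owner": "teacher@district.example",
     "visibility": "anyone_with_link",
     "text": "SID-100001, SID-100002, SID-100003"},
    {"file": "enrollment.txt", "owner": "office@district.example",
     "visibility": "external", "text": "Jane Doe SSN 123-45-6789"},
    {"file": "lesson.txt", "owner": "teacher@district.example",
     "visibility": "internal", "text": "Example form: 123-45-6789"},
    {"file": "codes.txt", "owner": "office@district.example",
     "visibility": "external", "text": "Part number 000-12-3456"},
]

def run_all(events):
    """Evaluate every event and return the flat list of alerts."""
    return [alert for event in events for alert in evaluate(event)]
```

The alert carries the file, owner, match count and a redacted sample, which is the "most relevant information" an investigator needs without copying the sensitive value into the alert itself.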
Acting as an extension of your team, cloud DLP lets you monitor your entire cloud domain no matter the size of your district. By keeping an eye on your cloud data at all times, cloud DLP tools like ManagedMethods help you cyber smarter, not harder. Not only do they simplify cyber security in schools, but they also empower you to streamline workflows and better protect your students from digital harm.