Every year is an opportunity to turn over a new leaf and start anew. With the rest of 2023 ahead, many K-12 schools are looking forward to a safe and prosperous year of academic excellence — if only hackers don’t get in the way.
As a school district, you have a responsibility to protect student data from unauthorized access. But with increasingly sophisticated cyber criminals targeting the education sector at an unprecedented rate, cyber security in schools isn’t a walk in the park. You need to know exactly which security threats you’re up against, where your district may be vulnerable, and how you can better manage cyber risk.
Fortunately, that’s why we’re here. To help you prepare for a potential attack, let’s review the state of cyber security in schools and what your district can do to better protect sensitive data and personal information in 2023.
The bad news is that the education sector has a long road ahead of itself when it comes to protecting student data. Why? Because virtually every district in the country is incorporating information technology into the classroom learning experience, further complicating the challenge of securing sensitive data.
During the pandemic, when remote learning became essential, the vast majority of schools migrated away from their on-premise computer information systems in favor of cloud technologies like Google Workspace or Microsoft 365. In fact, Edweek Research indicates that at least 90% of the K-12 school system operates in the cloud using one (or both) of these cloud domains.
Here’s the issue: Most schools didn’t implement cloud security in equal measure. According to Edweek, just 20% of cyber security budgets are allocated to safeguarding cloud-based data.
Sadly, this enormous gap has had its consequences. In fact, if you take a hard look at the American school system, you’ll start to realize that major data loss incidents are happening left and right.
Perhaps the most famous example is the devastating attack on Los Angeles Unified School District (LAUSD) in late 2022. Over Labor Day weekend, a threat actor known as Vice Society launched a sophisticated ransomware attack that breached LAUSD’s computer system. Ultimately, after refusing to pay an enormous ransom, the hackers exposed over 500GB of student data on the dark web.
After the incident, the U.S. government warned the education sector that ransomware attacks and similar security threats may continue throughout the school year — and so far, they were right. Even just a few months into 2023, cyber criminals continue to significantly impact the school system.
Des Moines Public Schools, Iowa’s largest district, canceled all classes in January after hackers infiltrated its school network and forced computer information systems offline. Ultimately, hackers made out like bandits, stealing student data and forcing Des Moines to push back its final school day.
Later that same month, Tucson Unified School District — also the largest in its state — suffered a ransomware attack. The threat not only impacted cyber operations, but also exfiltrated personal information.
These incidents underscore the obvious: Cyber security in schools is a major problem. Recognizing the severity of the issue, the U.S. government ordered the Cybersecurity and Infrastructure Security Agency (CISA) to research the education sector in 2021. Finally, they’ve published their findings.
According to the report, school-related security threats are getting worse. In fact, CISA claims that K-12 cyber crimes tripled over the pandemic. The number of reported incidents skyrocketed from 400 in 2018 to over 1,300 in 2021.
A different study from the Government Accountability Office found that most cyber attacks had enormous consequences during that time span. Monetary damages ranged from $50,000 to over $1 million. The loss of learning following an attack ranged from three days to three weeks. Worse yet, ransomware attacks affected over two million students.
But why? What do hackers have to gain?
Simply put, student data is an enticing target for hackers looking to make a quick penny. A single school system is a treasure trove of sensitive data that could go for big bucks on the dark web. Also, it would be incredibly damaging for a district if that information were leaked on the internet for anyone to access.
According to Doug Levin, co-founder of K12 SIX, many people assume hackers have better ways to spend their time than targeting student data.
“This is among the biggest misconceptions held about school cyber incidents,” Levin told Education Week. “Schools manage more than enough money to capture the attention of cyber criminals, to say nothing of the value of the data they hold. While most cyber criminals couldn’t care less about students’ algebra grades, it turns out that the identity information of minors is especially valuable to criminals interested in perpetrating credit and tax fraud.”
Hackers have many techniques in their arsenal when it comes to breaking down your defenses (or lack thereof). Here are some of the top ways cyber criminals target student data you should look out for in 2023:
According to the K12 SIX, the average school district experiences at least one incident per school day. That said, anecdotal evidence suggests there could be 10 to 20 times more events that go undisclosed every year.
Unfortunately, many school districts are unprepared to keep these daring cyber criminals at bay. There are many factors that limit their ability to manage cyber risk. Here are some of the most important:
Notably, the size of the district doesn’t necessarily mean protecting student data is any easier. According to K12 SIX’s Doug Levin, larger school systems have more money, manage more users, and contain far more devices. All of these factors increase their vulnerability to security threats, as their already limited resources are stretched exceedingly thin.
Don’t worry: There’s plenty you can do to strengthen your school’s cyber security posture. Let’s take a look at some helpful strategies you can use to improve security management:
As mentioned, there isn’t a single standard that school districts follow. Do your research and identify a framework that works best for your school. We recommend starting with the NIST Cybersecurity Framework for K-12 school districts.
Once you’ve decided on a set standard, start implementing it. Create a formal cyber security policy around that framework, including a threat response plan and set of protocols in case of a cyber attack.
Review your list of cloud service providers. Two of the most common are Google Workspace and Microsoft 365. But don’t stop there — take a good hard look at your entire information technology stack. Assess each vendor’s security policy and see whether they have a history of data loss incidents.
They say knowing is half the battle, which is why cyber security education is so important. Teach students and staff best practices when handling personal information, including how to spot scams, malware, and other threats before it’s too late.
Your security team can only do so much at a time. That’s why automation is your best friend. Deploy security technologies that automate risk detection and other important workflows so that you can cover all your bases. That way, your team can operate with the confidence that sensitive data is always under wraps — even when they’re off the clock.
As part of its research, CISA also developed a list of three recommendations for K-12 school districts. One of them is to apply for the State and Local Cyber Security Grant Program: an accessible way to overcome your budgetary limitations. Here’s more information about the program and how you can use it to your advantage.
It’s important to stay abreast of the latest developments in the education sector, especially where data security is concerned. Don’t worry — we’ve got you covered. Here are five things to keep in mind about the future of cyber security:
To that last point, one potential area of focus for cyber security spending is a cloud-based data loss prevention solution.
Data loss prevention (DLP) is the process of detecting and preventing data breaches and leaks in your school district. Therefore, cloud DLP is exactly the same process, except applied specifically to cloud applications like Google Workspace or Microsoft 365.
Cloud DLP uses preconfigured and customizable policies to automate threat detection. When a policy violation occurs, DLP solutions rapidly alert your designated point person with the most relevant information. With key details in hand, they can investigate the incident with speed and ease.
As an extension of your team, you can monitor your entire cloud domain no matter the size of your district. By keeping an eye over your cloud data at all times, cloud DLP tools like ManagedMethods help you cyber smarter, not harder. Not only does it simplify cyber security in schools, but it also empowers you to streamline workflows and better protect your students from digital harm.