There are several tools administrators can use to counter the threats of ransomware attacks and their potential to interfere with operations.

Preparing for ransomware attacks begins with education



These are a few of the cases we know about; many other attacks go unreported. The U.S. Government Accountability Office reports that, in 2021, 647,000 K-12 students were impacted by ransomware attacks.

Ransomware criminals can even double-extort, seeking ransom from parents, students, and employees whose possibly sensitive personal or financial information has been stolen. When this happens, the original institutional ransomware victims can end up exposed to liability lawsuits.

There are several tools school administrators can use to counter the threats of ransomware and its potential to interfere with operations, finances, and educational experiences – starting, of course, with education.

A simple attack

Ransomware (and other) hacking attempts often start with simple social engineering. Somebody opens a forged email with a malicious attachment that gives a hacker an entrée into a network, and that starts the actual attack. Attacks may occur on user-owned mobile phones or computers and make their way to facility equipment when they connect to school Wi-Fi.

Underfunding makes security gaps wider. In many schools and school districts, a lack of ongoing funding for technology upgrades – and more importantly, for full-time IT personnel with current security training – represents another vulnerability. Attacks that might be blocked by up-to-date hardware or software can be more effective against misconfigured or older systems.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has specific recommendations for K-12 schools based on their typical vulnerabilities and resource constraints. In addition to practical technology advice such as “deploy multi-factor authentication,” CISA recommends strong cybersecurity training programs.

Finding (and building) training programs

Training can start with products available from various sources like Infosec IQ, KnowBe4, Proofpoint, and Mimecast.

It also makes sense to create in-house training programs, especially for the users most likely to open malicious links or emails. Offering blame-free feedback – or swag – to incentivize users to forward suspected hack attempts to the security team is a proven way to turn the biggest targets into a trusted defensive line. The goal is to create a friendly dialog and to break down the reluctance users may have to discuss security issues.

Inserting security tidbits into existing community email newsletters can also keep awareness of security issues, and especially emerging threats, on the minds of users. Or it can make sense to reach your community where they live: Putting security tips on Instagram or TikTok might be more effective for some groups than email.

You can also put cybersecurity into the curriculum, as North Dakota is doing: its new law, HB 1398, requires that all students be educated in computer science or cybersecurity starting in July 2024. In addition to our administrators, we must educate our students about the reality of living in today’s technological world and the dangers that come with it.

Because the human factor is such a big part of security, it makes sense to focus on it through education and community outreach. However, the most effective security is layered, and humans are only part of the equation. Applying technological gates to technological security issues needs to be done alongside education.

And no matter the solution set you have, it’s important to run trials and drills against it. School officials should practice how to deal with a security incident – from securing backups to informing the community.

Use the funds available

There are funds available for these efforts. Federal Elementary and Secondary School Emergency Relief (ESSER) funds can be used for cybersecurity to meet demands related to COVID-19, such as accommodating hybrid learning. Deadlines to use funds from the ESSER II and ESSER III programs are September 2023 and September 2024, respectively.

Now more than ever is the time to look at a cybersecurity budget and weigh the costs against the risk and expenses of a ransomware breach.

There is no single solution to combating technological security attacks. Keeping a school safe from hacking requires expertise, community buy-in, technological solutions, and practice. Fortunately, there’s an industry in place to help, and some of the most important pieces of the solution come free with a positive connection to users.
