Key points:

• Ransomware attacks can be devastating to a school or district, with costly ransoms and leaked sensitive information
• The most effective security is layered; humans are only part of the equation

The biggest threat to K-12 schools’ cybersecurity is, ironically, education. It’s an expensive deficit. But there are funds and tools to help.

Ransomware – where hackers encrypt and lock victims’ data and try to sell the decryption key back to the victim for a ransom – delays education and hurts already-stretched budgets: A GAO report says a ransomware attack can cause K-12 students learning loss up to three weeks and cost from $50,000 to $1 million in expenses.

Or worse. In November 2020, a ransomware attack hit the Clark County School District in Nevada, the fifth-largest school district in the U.S. More than 320,000 students were blocked from accessing assignments and other educational materials. It cost the district more than $4 million to recover from the attack.

Even when schools don’t pay the ransom, as in the Los Angeles Unified School District case in 2022, there are costs. In the LAUSD, some of its platforms were knocked offline and sensitive personal information was released. More recently, the Minneapolis Public School District was attacked by ransomware criminals in March of 2023. District data was held hostage for $1 million. When the district did not pay, the criminals released highly sensitive personnel data.

Key points:

• With cyberattacks on the rise across schools, IBM Education Security Grants have already benefited more than 350,000 students globally
• Now in its third year, grants are expanding to offer students and teachers access to cyber and AI skills through IBM SkillsBuild

In response to the growing threat of ransomware attacks against schools around the world, IBM will provide in-kind grants valued at $5 million to help address cybersecurity resiliency in schools.

Since its creation in 2021, the IBM Education Security Grants program has expanded globally, and this year will also include enhanced offerings from IBM SkillsBuild on topics including AI and cybersecurity. 

Ransomware is unfolding faster than ever, with attackers managing to cut down the time required to deploy ransomware attacks from over two months to just under four days between 2019 and 2021, according to IBM’s X-Force Threat Intelligence Index 2023. In fact, the share of cybersecurity incidents observed in the education sector more than doubled in 2022 compared to the year prior, experiencing the largest increase year over year than any other industry.

“Time and time again attackers go after the education sector, yet many of these institutions remain constrained in their security resources,” said Andy Piazza, Global Head of Threat Intelligence, IBM Security X-Force.  “To date this program has helped more than 350,000 students across schools in the US and abroad, with IBM Service Corps helping them recover from ransomware attacks, strengthen their security posture against future attacks, and prevent further disruption.”

Key points:

• School districts need bigger cybersecurity budgets and support mechanisms
• Cybersecurity threats are not going away, and knowledge is a large factor in protecting networks
• See related article: 4 steps to avoid a ransomware attack

Now more than ever, safeguarding students and staff from targeted cyberattacks is critical to the health of our U.S. education system. Local K-12 schools are a top target for cybercrime. Estimates from the nonprofit organization K12 Security Information Exchange reveal more than 1,300 publicly disclosed cyberattacks against U.S. schools since 2016.

The size and scope of these threats amplified during COVID-era hybrid learning, when schools were forced to rapidly adopt cloud-based collaboration technologies at scale. But even though students have returned to the classroom post-pandemic, just like every other industry, the K-12 threat landscape isn’t slowing down.

It’s understandable why school networks are an opportunistic target. They hold the keys to large quantities of valuable intellectual property and sensitive PII, financial, and healthcare data that can be exploited for ransomware and monetary gain. And with myriad vulnerable access points, limited IT resources, and a continually rotating student body, maintaining a strong security posture is often riddled with complexity. According to reports cited in CISA’s first-ever K-12 security report, nearly 30 percent of K-12 school district members have reported being victims of the following cyber incidents:

1. Data breaches exploiting the personally identifiable information of students, teachers, and school community members
2. Ransomware attacks
3. Business email compromise (BEC) and phishing attacks
4. Denial of service (DDoS) attacks
5. Website and social media defacement
6. Online class and school meeting invasions

Key points:

• More students and educators are connecting personal devices to school networks
• This makes network security–an already underfunded area–even more critical

The pandemic was a massive shift for school districts across the country, and even as we move out of it, we’re still feeling the impact. On the technical side, it prompted quick transformation to enable virtual schooling–and these changes were made as districts were already challenged by legacy technology, reduced budgets and understaffing. Existing problems were exacerbated.

In parallel, we’ve seen a rise in ransomware and other cyberattacks in the education sector. What’s needed is a digital transformation strategy that also prioritizes security.

A challenging landscape

There’s nothing mysterious or shocking about the rise in cyberattacks against the education sector. Today’s 21-century education requires up-to-date technology, but that’s a bigger risk for school IT teams. For instance, educational institutions are witnessing growth in the number of students, professors, and administrators who link personal devices to the network. A school district’s attack surface is expanded by this increased connection, making it more vulnerable to new threats.

And most schools are not equipped to deal with these threats; the Nationwide Cybersecurity Review (NCSR) risk-based assessment rates the cyber maturity score of K-12 schools at 3.55 out of 7. In fact, according to 29 percent of those responding to the K-12 Report, a cyber incident occurred in their district last year. Malware and ransomware were two of the most prevalent occurrences. According to the report, ransomware attacks pose the greatest cybersecurity risk to K-12 schools and districts in terms of overall cost and downtime.

Last September, the Los Angeles Unified School District was hit by a ransomware attack at the start of the new school year. The second-largest educational district in the country, with more than 600,000 students and 25,000 employees, had its email taken offline and other internal systems affected by the cyberattack. When the district chose not to pay the ransom, sensitive employee data was posted online. While this attack may seem extraordinary because of its size and scope, digital security breaches like this are happening at educational institutions across the country. And school districts need to take defensive action against cyberattacks now before it’s too late.

With school districts across the U.S. being targeted by cyberattacks, the need for robust, cost-effective cybersecurity support is not just important–it’s now considered essential. But many local governments and educational institutions remain unprepared for this type of active threat. A recent report by the Cybersecurity and Infrastructure Security Agency on the K-12 school cybersecurity landscape found that close to 50 percent of the school districts in the country have neither the staff nor the budget to adequately protect their IT infrastructure.  

As schools look for solutions to bridge this security gap, one easy and cost-effective method they should consider is the adoption of mobile device management (MDM) platforms. A small number of schools are currently using this solution to their advantage. This includes public schools like the Interboro School District in Prospect Park, PA, which employs MDM to manage a fleet of iPads used to supplement classroom instruction. Interboro uses MDM to ensure the tablets are secure and functioning properly, the students using them are staying safe online, and the costs associated with maintaining the devices are minimized.

IT departments at K-12 schools in the U.S. should follow Interboro’s example. By using MDM platforms, they can keep their technology costs low in a time of economic uncertainty and increase the impact of their existing IT staff by freeing them up to be more proactive in protecting against cyberattacks.

As school districts emerge from the worst of COVID-19, they’re bringing with them new priorities. Many of the changes that districts have made during the pandemic, such as giving employees the flexibility to work remotely, will be carried forward. Other processes are being reevaluated to serve the needs of students and other stakeholders more effectively.

In looking to update everything from teaching and learning processes to school district operations, one of the most basic steps that K-12 leaders can take to position their schools for success is updating their education resource planning (ERP) solution by moving to a cloud-based system.

We can’t really talk about modernizing and streamlining district operations without discussing ERPs. An ERP is the backbone of a district’s operations, helping administrators manage essential financial functions related to payroll, HR, accounting, and more.

Scalability, affordability, and reliability—hallmarks of cloud-based software—make it an ideal solution for any district that is ready to modernize its ERP solution. Migration can come with some up-front costs, but districts will save in the long run thanks to the lower total cost of ownership of cloud solutions.

Just a few years ago, ransomware probably didn’t rank very high on a list of things parents regularly talked about. But the odds are getting higher that if you ask a parent about it now, they’ll have plenty to say.

Fourteen percent of parents of school-age children in the U.S. responded to a recent survey saying that they had experienced a ransomware attack on their kids’ school. That number was just 9 percent a year ago. The rate of attacks appears to be growing, with a higher percentage of parents saying it happened last summer or this school year, compared to those who experienced it the year before.

Criminals attacked school districts in Tucson, Arizona, and Nantucket, Massachusetts, in late January, cancelling classes for one district and sending administrators to work from home at the other. The attacks marked the fourth and fifth publicly-disclosed incidents in January alone, although survey data indicates that schools may be getting targeted at a higher rate than that, and some incidents may simply not be getting disclosed.

A growing number of victimized schools end up paying a ransom to remedy the situation, and those payments look to be getting much higher. But before diving into those numbers, let’s consider some of the unseen damage of these attacks.

Educational institutions have an urgent reason to put data security and backup at the top of their agenda: the rising threat of ransomware. Security firm BlackFog reports that the education sector is now the top target for ransomware attacks, surpassing government and healthcare.

In one recent case, the Los Angeles Unified School District, which has more than 540,000 students and 70,000 employees, suffered a ransomware attack that blocked email, computer systems, and applications. Following the attack, Vice Society, a Russian-speaking group that claimed responsibility for the breach, released a 500GB cache of data that appeared to contain personal information, including passport details, Social Security numbers, and tax forms, according to reports.

A successful cyberattack on a school can have far-reaching and devastating consequences. Not only does it come with a high financial cost, but it also disrupts the core function of education by making resources inaccessible, potentially leading to a loss of sensitive information such as HR and MIS data. Furthermore, it diverts valuable time and resources away from the primary goal of educating students.

As bad as the threat is, it could get worse—the increase in remote learning after the pandemic has expanded the attack surface. Before the pandemic, e-learning was not so widespread. However, with many more people now accessing educational networks from remote locations, cybercriminals can exploit many more entry points, putting added pressure on schools. With the rise of hybrid education models, in which students attend in-person and online classes, the risk of cyberattacks increases, highlighting the need for comprehensive security measures to safeguard educational institutions and their students.

Cyberattacks against K-12 schools continue to climb in both number and scale. Such attacks can have serious repercussions; according to a recent report from the Government Accountability Office, “officials from state and local entities reported that the loss of learning following a cyberattack ranged from three days to three weeks, and recovery time ranged from two to nine months.”

These attacks aren’t just being carried out by disgruntled students or “lone wolf” types. Increasingly, schools are becoming targets of organized cybercrime organizations. The FBI, CISA and the MS-ISAC issued warnings at the start of this school year, anticipating attacks may increase as criminal ransomware groups perceive opportunities for successful attack.

The rise of Ransomware-as-a-Service

Many of the recent prominent attacks against schools have been perpetrated by organized crime – and they’re often using what’s known as Ransomware-as-a-Service (RaaS). This is a subscription-based model that allows partners (affiliates) to use ransomware tools that someone else has already developed. The affiliates earn a percentage of the profits if the attack is successful, so there’s plenty of incentive. RaaS makes it easier to pull off more attacks more quickly, which has made it very popular.

Recent research found that ransomware threats remained at peak levels in the latter half of 2022 – with new variants being enabled by RaaS. In 2022, 82 percent of financially motivated cybercrime involved the employment of ransomware or malicious scripts. And not only are bad actors continuing to introduce new strains of ransomware, but they’re also upgrading, modifying, and reusing old ones. The result: Attacks that are more complex and damaging. RaaS appears to be the driving force behind it all.

RaaS is an indicator of what’s to come

The dark web is starting to host an increasing number of additional attack vectors as a service, and this will significantly increase the availability of what’s known as

Cybercrime-as-a-Service (CaaS). It includes new criminal strategies, such as the sale of access to already-compromised targets, will develop in addition to the sale of ransomware and other malware-as-a-service offers.

By 2025, nearly half of cybersecurity leaders will change jobs, 25 percent for different roles entirely due to multiple work-related stressors, according to new predictions by Gartner, Inc. 

“Cybersecurity professionals are facing unsustainable levels of stress,” said Deepti Gopal, Director Analyst, Gartner. “CISOs are on the defense, with the only possible outcomes that they don’t get hacked or they do. The psychological impact of this directly affects decision quality and the performance of cybersecurity leaders and their teams.”

Given these dynamics as well as the massive market opportunities for cybersecurity professionals, talent churn poses a significant threat for security teams. Gartner research shows that compliance-centric cybersecurity programs, low executive support and subpar industry-level maturity are all indicators of an organization that does not view security risk management as critical to business success.

Organizations of this type are likely to experience higher attrition as talent leaves for roles where their impact is felt and valued.

“Burnout and voluntary attrition are outcomes of poor organizational culture,” said Gopal. “While eliminating stress is an unrealistic goal, people can manage incredibly challenging and stressful jobs in cultures where they’re supported.”

It is undeniable–the education sector is prone to cyberattacks from malicious cybercriminals due to the amount of personal data available across user devices and organization networks. Just this past fall, the FBI, CISA and MS-ISAC issued an alert on Vice Society, whose actors have been known to disproportionately target the education sector with ransomware attacks.

While cybersecurity is certainly a top concern among this sector, tight budgets and resources mean that it is often not addressed until a major incident occurs. Given the imminent nature of today’s threat landscape, now more than ever, the urgency surrounding how best to protect and mitigate such attacks is at an all-time high.

With 40 percent of education devices found to have sensitive data stored, educational institutions must be adequately prepared to proactively prevent and respond to potential cyberattacks before a system breach occurs.

Understanding Complex IT Environments

Despite schools primarily returning to the classrooms, the ramifications from rapid acceleration of remote learning brought about during the pandemic are still being felt today–some of which present new challenges across the industry. With limited resources, visibility and budget, IT and security teams have been forced to address obstacles remotely. On the IT front, this can make it difficult to locate, track, manage and more importantly, reclaim missing devices–regardless of platform–from a single, cloud-based console.

Emerging concerns over the inability to measure student device usage and verify online activity remains a persistent challenge. This, in tandem with failing security controls such as encryption, outdated anti-malware, and vulnerable OS versions, has created a plethora of vulnerabilities and increased risks for cyberattacks.

Boosting Endpoint Visibility

Education organizations were found to have endpoints that were connecting in from nearly three locations per day (2.89). This may not be surprising given the digital nature of most schools today; however, paired with the analysis on sensitive data, it’s evident that corporate endpoints are at an increased risk of compromise.

Related:
4 key ways schools can strengthen and advance cybersecurity strategies
Ransomware attacks show continued rise in K-12 schools

IT leadership is an essential component of school and district operations, and in today’s post-pandemic landscape, K-12 IT security is critical in combatting increasing cybersecurity attacks that can cripple even the largest districts in a matter of moments.

It’s important to establish the right K-12 IT practices and policies that support teaching and learning–and it’s even better to share those best practices in the event that other K-12 IT leaders are seeking to establish the same kind of policies.

Here is K-12 IT advice from a handful of IT leaders:

1. The alarming disparity between prioritization and preparedness is indicative of the cybersecurity challenges school districts are facing. As the Director of Technology at Maconaquah School Corporation located in north-central Indiana, I know firsthand that implementing a proactive cybersecurity posture is a difficult and time-consuming–yet necessary–process. School districts are prime targets for hackers; therefore, we must be prepared.

In our own school corporation, we have adopted four key practices that enable us to continuously strengthen and advance our cybersecurity mitigation and prevention strategies. One of those strategies includes continuously identifying and addressing vulnerabilities. As with training, school districts should never remain idle when it comes to evaluating and addressing their vulnerabilities. We have spent the last few years identifying and fixing gaps in our cybersecurity posture and defenses. Conducting regular audits and evaluations has put our district in a stronger position, but the work is never complete. To be diligent, we must proactively assess our cybersecurity weaknesses and defenses regularly. [Read more]
–Chris Percival, Director of Technology, Maconaquah School Corporation

2. There is no doubt that cybersecurity is essential for all organizations in our modern world. However, security cannot be valued more than usability. The sad fact is that the only entirely secure computer system is one that have been unplugged and shut off. Cyberattacks will continue, and it will be important to ensure that every organization has strong backup and recovery plans in place. However, end user usability is just as important as security.

IT leaders need to ensure that usability is still the primary consideration in building IT systems. IT systems are of little value if they are not able to be used effectively by end users. Considerations of what level of additional steps end users are willing to take is essential. This is particularly important as many organizations still have a high number of remote workers. Make sure the warnings provided to end users are significant as well. Too many warnings can numb end users into assuming the IT department is crying wolf and they may stop paying attention to warnings. [Read more]
–Steven M. Baule, Ed.D., Ph.D., Faculty Member, Winona State University

In a 2022 survey, 72 percent of the participating school administrators responded that cybersecurity was either a priority or high priority for their district leadership and local school boards. However, only 14 percent of the respondents said their district was very prepared for a cyberattack event.

This alarming disparity between prioritization and preparedness is indicative of the challenges school districts are facing pertaining to cybersecurity. As the Director of Technology at Maconaquah School Corporation located in north-central Indiana, I know firsthand that implementing a proactive cybersecurity posture is a difficult and time-consuming–yet necessary–process. School districts are prime targets for hackers; therefore, we must be prepared.

In our own school corporation, we have adopted four key practices that enable us to continuously strengthen and advance our cybersecurity mitigation and prevention strategies.

1. Get Creative With Your Budget

Like many school districts, our IT budget has not increased to address the growing number and variety of cyber threats; in fact, it has stayed the same for the past five years. That can make it challenging to add new defenses, but we have found ways to strengthen our posture through strategic and creative financial planning.

One shift we have made is leveraging hosted and/or managed services to fill staffing gaps and eliminate expensive and unpredictable capital expenses. For example, we previously had an on-prem firewall solution that was managed by a former staff member. When they left, I made the decision to switch to ENA by Zayo’s hosted firewall so that I did not have to spend the time and money hiring and training a new employee who would likely leave after six months for a higher paying job in the private sector.

To attain leadership buy-in for this new direction, I broke down the monthly costs of buying a new on-prem firewall solution and included estimated hiring, training, and repair fees over the lifecycle of the equipment. This enabled district leaders to see a side-by-side cost comparison of using a hosted, cloud-based firewall service versus an on-prem solution. Once they saw those numbers and realized the hosting service also included access to ENA’s team of security experts, they supported the decision to transition to cloud-hosted firewall.

Additionally, evaluating tech and app user usage is another way we are freeing up funds to support cybersecurity. With so much money being invested in educational software, it is critical to monitor if teachers and students are using our paid learning tools. We regularly survey teachers and review usage data to assess and adjust our licensing. This enables us to free up budget dollars and reinvest these funds in proactive cybersecurity tools like DDoS mitigation. We adopt the same approach with infrastructure and network solutions, seeking out bundling and other cost-savings opportunities to free up funds we can use to support our cybersecurity strategies.

Related:
How K-12 IT leaders can protect schools from ransomware
Simplified K-12 cybersecurity streamlines student data access

More parents report experiencing ransomware attacks on their children’s schools, according to new data from Kaspersky. This year, 14 percent of American parents experienced ransomware attacks on their children’s K-12 schools while their child was a student, an increase from 9 percent last year.

Among schools that paid a ransom to their attackers, parents reported an average ransom of $887,360. In 2021, the average was just $375,311. The Ransomware Attacks on K-12 Schools report revealed a number of other findings related to parents’ experiences with these incidents.

In October 2022, Kaspersky surveyed 2,000 parents of school-age children in the United States to find out about their experiences with ransomware attacks on schools. The results are compared to a previous report that posed the same questions to a similar group of parents in October 2021, as well as to an earlier report in June 2021 asking parents more generally about cyberattacks on schools.

According to the survey results, a growing number of schools are opting to pay a ransom to their attackers, in order to restore their systems. In October 2021, 71% of parents who had experienced an attack said their school paid a ransom. This time, that figure rose to 76%, although 14% said their school didn’t pay, which was about the same as last time, while a shrinking percentage didn’t know. Ten percent of parents reporting an attack said the district paid a ransom of more than $1 million; up from 3.7% in 2021.

The rate of attacks on schools may still be rising. Forty-four percent of parents who have experienced an attack said it happened either last summer (2022) or during this school year – which is only partway over – compared to 42% who said it happened last school year (2021-2022) or the previous summer (2021). Fifteen percent said it happened during the 2020-2021 school year or earlier.

Despite the alarming rise of ransomware incidents in 2022, many education institutions still fail to address gaps in their protection protocols. A Sophos survey found that 64 percent of higher education and 56 percent of lower education institutions were hit by ransomware over the past year.

These statistics should raise some red flags as the education sector continues to lag behind in cyber defense practices, making them one of the most vulnerable industries. If an educational institution is attacked, administrators often don’t have the resources to respond, due in no small part to staffing shortages.

Administrators and IT leaders across the education sector need to leverage modern innovations like AI and machine learning (ML) to ensure data protection for faculty, staff, students and the institution as a whole. Let’s take a closer look at why education is so vulnerable and how school administrators can implement preventative and restorative measures to curb long-term effects.

The walls of protection continue to crumble in education

From 2020 to 2021, ransomware attacks on educational institutions jumped by 44 percent. These institutions are already–and will increasingly become–a target for ransomware. It’s no longer about if; it’s when, and various districts are learning from unfortunate experiences.

For example, the L.A. United School District (LAUSD) suffered a ransomware attack in September 2022. While the more than 400,000 K-12 students could continue attending class, the attack crippled several critical infrastructure capabilities like staff and student email. The Cybersecurity and Infrastructure Security Agency (CISA) eventually uncovered that the hacking group Vice Society was responsible for the attack, but not until they had already leaked thousands of sensitive and confidential documents, representing a significant security threat for students, employees, alums and parents. While this is the second large-scale ransomware attack against LAUSD, it is still unclear if the school district has taken steps to bolster cybersecurity moving forward.

Remember when moving from one end of a state to another often meant changing phone numbers because the new residence would be in a different area code? And, after cell phones were born, remember when relocating across the country meant ditching a cell phone company, along with the number, because the new area of the country didn’t include the same coverage?

Chances are, if you are as old as I am, these scenarios do sound familiar. For most cell phone users, however, changing cell numbers just because you relocate is a foreign concept. A cell phone number becomes part of who we are, part of our contact identity, and, if we don’t want to, we never have to change cell numbers again. 

Now, let’s apply this scenario to today’s school environment and student data. Huh? I know you’re thinking this analogy might be a stretch, but stay with me, and I promise this will all make sense.

In today’s schools, nearly all aspects of student data reside on IT systems in the K-12 ecosystem. From birthdates to medical records, from assessment scores to classroom assignments and everything in between, student data are housed on some type of electronic system. And the seamless use of that data through various technologies is paramount in ensuring a stellar educational experience for students and teachers. 

When teachers and administrators need to bring in student data, protect that data, and adapt to unique needs among various stakeholders who need access to the data, often the amount of time between data entry and usage is so lengthy that end-user experiences only lead to frustration. IT staff are challenged with managing data for new enrollments, teachers, substitute teachers, and administrators, including automated tasks that span both cloud-based and on-premise systems, and the end result of the entire process often trickles down to provide a negative experience to the most important cogs in this wheel: our students. 

I know I’m an idealist, but I envision a scenario in which students and employees who move between schools in the same state lose no data, lose no documents, no video projects, no graded assignments. And, they are not expected to download everything from their previous school’s cloud domain before they move to their new school. Wouldn’t that be a perfect world? Students log out of one network on Friday and safely log into a different network on Monday in their new school, and all of their records are visible and secure, immediately, without additional effort on the teacher’s part to “turn on” access to new materials. 

Student data privacy has been at the forefront of district leaders’ minds well before the pandemic. However, since COVID-19 shifted schools and classrooms online, it’s not surprising that tech usage has reached an all-time high. Districts are accessing 1,400 edtech tools per month on average, and cybersecurity attacks in our nation’s schools are also increasing.

As an Education Technology Specialist at one of Colorado’s fastest-growing districts, District 49, I was tasked 5 years ago with the responsibility to ensure our district complied with federal and student data privacy laws. Both state and federal laws require vendors and school districts to facilitate safe online learning experiences. However, when the pandemic hit, our district was forced to rethink our approach beyond compliance to further vet our edtech tools and make protecting student data privacy a regular practice of our edtech ecosystem.

For the process to work, I knew we would have to work collaboratively, across departments and buildings, to confirm that our teachers and students were using digital tools that delivered value without exposing student data to risk.

Our district serves 13,000 students across four distinct zones, spanning 133 square miles of suburban and rural areas. Our school leadership has the autonomy and authority to choose whether or not one-to-one learning makes sense for their students and teachers based on their specific student population. Once the pandemic hit, this autonomy became one of our biggest hurdles. Some schools could seamlessly pivot to online learning, while others scrambled to put together folders of materials every week. We quickly found ourselves overwhelmed by the variation in tools used across our district and inundated by options. 

We knew we needed help to encourage consistent practices across school buildings, ensure compliance with Colorado’s student data privacy requirements, reduce frustration and confusion among stakeholders (including parents students, and staff), and begin to evaluate the impact of edtech on student outcomes. At the same time, we wanted to maintain local decision-making. For us, it was all about balance.

Districts like D49 can, and already are, doing this work. And like most things, while it may not be perfect, it’s getting better–that’s what the focus should be for all K-12 stakeholders.

Here are five best practices for other administrators and education leaders  to consider when reigning in their districts’ edtech ecosystem:

1. Audit what is currently in use, not just what’s being purchased. To better understand our district’s edtech usage, our tech team set up a free Inventory Dashboard. Within days, we realized that students and teachers were using a lot more technology tools than we expected–2,000 edtech tools systemwide! Taking stock of the education technology tools being accessed in a district is an essential first step for identifying immediate opportunities for improvement, spotting and eliminating any redundancies, uncovering potential savings, and creating and prioritizing improvement plans aligned to systemwide goals.

2. Understand K-12 laws both at the federal and state levels. Selecting technology platforms and apps needs to address a district’s unique challenges and also comply with state and federal law. For example, in Colorado, the state law requires the ability to “request and evaluate remote learning technology,” while the U.S. Department of Education says “when possible.” District leaders should understand the laws and ensure vendors comply as mandated by their state when applicable, as it may differ from federal guidelines.

3. Work with partners to streamline edtech processes. Being able to sit down with principals and point to the effectiveness of technology choices they made last year, last month, or at the beginning of the school year is an essential part of streamlining the selection and procurement process. We partner with LearnPlatform to gather, comply, share, and communicate our district’s edtech evidence-building protocol to continuously improve teaching and learning.

4. Establish professional development to inform teachers and principals of new edtech policies and ask for their feedback. When districts engage in edtech evaluations and potential change, educators may need to change how they integrate technology in their classrooms. Getting that buy-in is critical and this requires clear communication and built-in feedback opportunities. Leaders should take a hands-on approach, reach out and request feedback at the start of the process. New edtech policies and expectations must be communicated on an ongoing basis. Teachers must also be supported with valuable professional development opportunities that illuminate best practices to enhance technology usage for both teachers and students to optimize learning.

5. Be transparent with parents and local communities. Change can be hard, especially for parents and caregivers who have struggled with the multitude of ever-changing technology platforms that their children have accessed throughout the pandemic. District leaders need to recognize and respect the vital role that families play in successfully educating children to safely navigate the digital tools necessary for quality education. Giving them a consistent place to see what edtech tools are being used with their students goes a long way.

Tech-enabled learning is here to stay. Districts are responsible for taking a hard look at their edtech offerings and must collaborate with solution providers that comply with the law and embrace evidence-building and sharing to support effective and equitable learning.

Related:
How to maintain secure access and data privacy
5 tips to build community-wide support for IT transformation

Cyberattacks on public schools are becoming more common and more severe every year. Between 2020 and 2021, more than 56 percent of K-12 education organizations suffered ransomware attacks with an average cost of $268,000.

Most recently, an attack on the LA Unified School District in September 2022 conducted by the Russian hacking group Vice Society shut down access to emails, computer systems, and applications for more than half a million users. Before that, a ransomware attack on the school system in Buffalo, NY cost the state more than $10 million in damages.

How can these K-12 school districts defend themselves from these ransomware attacks? And why are they being targeted so frequently?

The Problem

Part of the reason attackers target school districts is simply size–K-12 public schools are a $760 billion sector serving more than 50 million students at more than 100,000 schools across the United States, making them an available and tempting target. The other part of the reason is that public school districts have unique security challenges. With limited budgets and the continued use of legacy security systems, school districts are often unprepared for incoming ransomware attacks.

Other factors that contribute to this lack of preparation include:

• Reduced Budgets & Lack of Hiring: School districts have limited IT and security resources due to constricted budgets. This lack of investment in security resources requires small teams to protect very large, complex environments. School districts also often can’t compete with salaries offered by the companies in the private sector, so hiring experienced professionals can be difficult for districts that don’t have large budgets.
• Open environments and ever-changing users. School districts must keep their environments relatively open so students and teachers can access the system resources, applications, tools, and research from any type of device. Corporations can enforce stricter access rules, which makes security easier.
• Overly complicated tools: With limited resources and teams, more complicated security tools and manual legwork make life especially difficult for school districts. They need usability and simplicity.

The Solution

All of these issues mean that school districts must do more with the few resources they are given. To compensate for this, they need security technology that fills in these gaps. It must be good at catching ransomware while also reducing the workload on IT teams. Many security products are designed to be used by a team of experts, and would actually create more work for a school district IT team.

Related:
Risk assessments are awful, but necessary
Ransomware attackers head back to school

To work well in a school district use case, security technology should be capable of the following:

• Automatic Analysis: The system should be able to automate the collection, correlation and analyzing of infrastructure-wide data sources for indicators of compromise and reducing alerts. This reduces the workload of small, overburdened teams and allows them to be more efficient at their jobs.
• Real Time Threat Detection: Advanced real-time threat detection based on a large set of included and constantly updated threat models and content is critical and provides faster identification of a ransomware, because they know they’ll be targeted.
• Ability to Adapt: By using a security system that leverages machine learning technology, school districts can adapt to variants of attacks. Having the ability to detect and adapt to new attacks and variants by hacking groups targeting K-12 specifically ensures further security across school districts.
• Delivery of Context: Delivery of simple, direct, and accurate context for validating the attack and eliminating false positives. Security teams won’t have the time or expertise for manual investigation
• Generating Risk Scores: Generated risk-driven and scored responses with supported workflows and case management for prioritizing and accelerating remediation efforts. Speed is essential for protecting against ransomware.

There’s no doubt that school districts have become a large target for ransomware attacks in recent years because of their limited security infrastructure and the amount of data, systems, and information they hold. Technology can help keep them safe, but only if it doesn’t create too much extra work for teams that are already stretched thin.

To better defend against ransomware, K-12 school districts should look for security technology that’s capable of protecting their systems, reducing the workload of limited security teams, and continuously adapting to new and incoming threats.

Cybersecurity is at the forefront of IT issues to be addressed over the next year. Nearly every list of major IT or educational technology issues for 2023 includes the need to further harden educational systems and infrastructure.

More than 20 educational organizations–including AASA, the American Association of School Administrators (the primary superintendents’ association)–have asked the Federal Communications Commission (FCC) to expand E-rate to cover advanced firewall technology to support protection from denial of service (DOS), improve virtual private network (VLN) access, and similar upgrades. The FCC is currently soliciting public input on the potential change here until February 13, 2023.

It is easy to understand the need for increased cybersecurity safeguards. In the first half of 2022, at least 34 major cyberattacks were made against schools. Cybercrime cost more than $6.9 billion in 2021. The evening news commonly reports on cyberattacks against pipelines, government systems, and other vital services. Due diligence in considering ways to harden cyber targets and protect student and institutional data is essential and to not do so in today’s environment would probably be willfully negligent. However, there is a need for balancing security with usability.

IT leaders need to ensure that usability is still the primary consideration in building IT systems. IT systems are of little value if they are not able to be used effectively by end users. Considerations of what level of additional steps end users are willing to take is essential. This is particularly important as many organizations still have a high number of remote workers. Make sure the warnings provided to end users are significant as well. Too many warnings can numb end users into assuming the IT department is crying wolf and they may stop paying attention to warnings.

For instance, if a user is given a warning that the vast majority of links in the email system are dangerous, how long will it take until the user starts to ignore those warnings. This is particularly true when even links sent by the organization are flagged as unsafe. Most systems allow enough granularity to ensure that commonly used systems, trade newsletters or professional journals, etc. are not flagged. This would be a good first step in building effective trust between the end users and the IT staff.

Another common concern is to ensure that security strictures put into place do not so restrict users that the systems are not fully functional. Testing needs to occur with outside systems and partner organizations. It is particularly common for struggles between organizations that utilize the Google Suite verse those that use a Microsoft Suite. This is often a common struggle for K-12 educators, who are mostly Google users, when they want to interact with higher education institutions or other government agencies, many of which are Microsoft environments. IT staff need to make sure that interagency collaboration is encouraged and supported by the installed technology base. Most of us have had a situation where a Zoom, Teams, or Google call was complicated or failed due to one or both institutions involved having too tight of security.

When the security, as well intended as it may be, gets to the point of being burdensome to the end users, they will get creative. Their creativity will often create an even more insecure situation than the burdensome security measures were trying to address. For instance, when security measures create too many hurdles, users might find other users with more direct access and then just get them to send the sensitive data in a less secure email format, or even use a personal email to avoid the institutional system all together.

Similar rules against forwarding emails are well intended, but when staff or students have multiple emails, insisting that they do not forward them to their primary account is a set up for missed information. When multiple emails exist in the same system, as is common in higher education for staff who are also students, those emails should be merged. One student I was aware of missed his final comprehensive exam for his master’s degree because the notice was only sent to his student email and not to his staff address, which he used exclusively.

There is no doubt that cybersecurity is essential for all organizations in our modern world. However, security cannot be valued more than usability. The sad fact is that the only entirely secure computer system is one that have been unplugged and shut off. Cyberattacks will continue, and it will be important to ensure that every organization has strong backup and recovery plans in place. However, end user usability is just as important as security.

Related:
Exposing the realities and myths of K-12 cybersecurity
Ransomware attackers head back to school

As school districts emerge from the worst of COVID-19, they’re bringing with them new priorities. Many of the changes that districts have made during the pandemic, such as giving employees the flexibility to work remotely, will be carried forward. Other processes are being reevaluated to serve the needs of students and other stakeholders more effectively.

In looking to update everything from teaching and learning processes to school district operations, one of the most basic steps that K-12 leaders can take to position their schools for success is updating their education resource planning (ERP) solution by moving to a cloud-based system.

We can’t really talk about modernizing and streamlining district operations without discussing ERPs. An ERP is the backbone of a district’s operations, helping administrators manage essential financial functions related to payroll, HR, accounting, and more.

Scalability, affordability, and reliability—hallmarks of cloud-based software—make it an ideal solution for any district that is ready to modernize its ERP solution. Migration can come with some up-front costs, but districts will save in the long run thanks to the lower total cost of ownership of cloud solutions.

While an ERP is a critical solution, many commercial ERP platforms are aimed at businesses. They aren’t tailored to the needs of education, and they could require costly customization to meet a school district’s needs. An ERP designed specifically for K-12 education would meet the needs of all district staff more effectively and improve operational efficiency.

Here are three reasons to choose an ERP designed specifically for K-12 education:

1. You’ll have better compliance.

Reliable reporting is paramount, and an ERP designed for K-12 ensures the data you need for state and federal reporting is captured and stored in a central system. This leads to fewer errors and more accurate reporting.

2. You’ll see improved collaboration and integration.

An education-specific ERP solution aligns district team members so that everyone is on the same page. Having a single source of data eliminates confusion and ensures quick communication.

3. You’ll benefit from a partner with educational expertise.

Migrating to a cloud-based ERP or upgrading your existing solution is a big investment. However, forming the right partnership with a company that has extensive experience in K-12 education will ensure a successful rollout.

Looking to the cloud

A cloud-based ERP allows for remote and secure data storage, enabling district employees to access all the information they need—including paperwork, applications, and services—in one place from any device, at any time. What’s more, it can be customized to fit a district’s unique needs. Districts that turn to a cloud-based ERP solution can manage and access the resources they need entirely online.

School districts are constantly changing and innovating to meet the needs of teachers and students. As districts change, their ERP needs evolve as well. For instance, you might see a greater demand on district operations when you renew contracts or begin a new fiscal year. A cloud-based ERP can shift with these needs, easily scaling up or down depending on your priorities.

Shifting to the cloud is also a cost-conscious move. New hardware implementations and upgrades can be costly, but cloud-based ERPs give districts the ability to implement new capabilities without upfront investments in servers and installation. Piloting the launch of a new application and then scaling it district-wide is less expensive with the capabilities of cloud-based software, because you only pay for what you actually need and use.

Security is of utmost concern, particularly as K-12 education has become an increasingly attractive target for cyberattacks. Cloud management systems use data encryption and other measures to keep sensitive information secure. Storing data in the cloud also ensures that your district’s information is safe in the event of a natural disaster, because it’s all stored offsite in multiple locations.

When you’re looking to modernize your district’s operations to keep pace with the needs of students, teachers, and staff, it’s essential that you choose systems that give you the flexibility to grow and innovate. With a cloud-based ERP, you get all that—and more.

Related:
5 ways to make your IT department more efficient
How to build community-wide support for IT transformation