The Rise of Ransomware Attacks on Schools: Why the K-12 Cybersecurity Act is Only the First Step

by | Jun 22, 2022

The shift to remote learning in response to the COVID-19 pandemic accelerated the use of digital learning tools across the globe. While K-12 schools have returned to holding in-person classes once again, many e-learning tools that were adopted to accommodate distance learning are now here to stay, and technology has become foundational to how schools operate. Schools have embraced online tools for assignments, grades, parent-teacher communication, and even organizing bus schedules. 

Unfortunately, the increased dependence on tech in schools—along with the increase in the number of devices used in classrooms—has led to more points of vulnerability to cyberthreats. More students are now equipped with school-issued devices than ever before, and schools with funding challenges require students to use personal devices in the classroom, which increases the potential number of compromised devices connected to school networks. Because school databases contain sensitive personal information about students and teachers, including social security numbers, medical records, and family data, they are very attractive targets for cyberattacks. 

According to the most recent annual report by the K-12 Security Information Exchange, the 2020 calendar year had a record of 408 publicly-disclosed attacks against U.S. schools. Though the 2020 figure represents some temporary inflation as schools dealt with an influx of incidents during the mass transition to online classes, the overall frequency of attacks has been growing rapidly. Since 2016, there has been a five-fold increase in reported cyber incidents against U.S. schools. School districts themselves aren’t the only targets; attacks against educational software services can also threaten student privacy and disrupt learning on a mass scale, like the recent attack on Illuminate Education’s systems that impacted at least one million students in New York City schools.

 

The Plague of Ransomware

Ransomware attacks, which can be highly disruptive to school operations, are now the most frequent type of attack experienced by school districts. Ransomware attacks involve malicious actors extorting schools by targeting computer systems to slow access or even render systems completely inaccessible. Attackers steal and threaten to leak personal identifiable information of students and teachers unless a ransom is paid. These attacks can be so debilitating that school districts have been forced to cancel classes, both in-person and virtual, due to the malware. The recent report from the K-12 Security Information Exchange (K12 SIX) revealed that ransomware accounted for more than a third of the total number of disclosed attacks on K-12 districts in 2021, with 62 documented instances across schools in 24 different states. K12 SIX’s report also points out that many attacks are not disclosed to the public due to a lack of reporting requirements, so the actual number of incidents is likely to be 10-20 times higher.

Management of cyber risks is especially challenging for school districts, as many schools lack adequate dedicated IT staff. Even with qualified technical staff who understand the severity of cybersecurity risks, the biggest obstacle for many districts is convincing school administrators to fund and implement cybersecurity initiatives. Since the techniques used by ransomware attackers are rapidly growing more sophisticated, school leaders should be highly concerned about the safety of their data.

 

The K-12 Cybersecurity Act

Cyberthreats against schools have become such a severe issue that K-12 cybersecurity has garnered attention from the federal government. Last October, President Joe Biden signed the K-12 Cybersecurity Act into law, making it the first federal law focused on the cybersecurity of K-12 institutions. The bipartisan act requires the Department of Homeland Security’s Cybersecurity and Infrastructure and Security Agency (CISA) to conduct a 120-day review of the K-12 threat landscape. Following the investigation, CISA will have 60 days to publish recommendations based on their findings. After publishing their guidelines, CISA will then create an online training toolkit to help school districts protect themselves against threats. The toolkit is expected to contain simple, actionable steps that school administrators can use to train staff to help them extend their capacity to protect their data, even for schools with limited budgets for cybersecurity.

 

What to Expect

We can anticipate the findings of CISA’s investigation and recommendations to be released on the Department of Homeland Security’s website in the coming months. The guidelines could have a huge impact on the way school districts across the U.S. handle cybersecurity. CISA’s findings should also help shed light on the greater systemic issues that make cybersecurity management so difficult for schools—issues such as weak incident reporting requirements, lack of basic security standards, and limited funding.

While federal action is a monumental step to help schools nationwide secure their data, it is only the first step. As the education community awaits CISA’s forthcoming guidelines and toolkit, schools should plan to bolster their security strategies and raise awareness amongst all stakeholders. Based on current trends, it is likely that cyberattacks will continue growing more frequent and sophisticated, and large-scale attacks that affect multiple districts will become more common. 

Since tech has become foundational to the operation of school districts, school leaders should think of cybersecurity as the concern of everyone, not just IT departments. Implementing, improving, and testing cybersecurity measures should become as routine as school safety drills, and securing student data from bad actors should be a top priority. Because student data is now stored more and more on external systems, the need for selecting vendors and application partners who take security seriously has greatly increased. These partners should conduct regular third-party penetration testing as a part of their security plan. Application vendors should perform this testing as a part of their compliance standards and audits. Audits such as SOC 2, which stands for System and Organization Controls, focus on controls and standards related to not only Security, but Availability, Processing Integrity, Confidentiality, and Privacy. 

Sourcetoad has been building custom software for nearly 15 years, and we’ve worked with teachers, coaches, trainers, and learners of all kinds, so we understand the unique challenges our education clients face. In addition to custom software development, we offer code audits and security and penetration testing services to help your organization understand potential vulnerabilities. If you have questions about your digital security, reach out to schedule a 30- or 60-minute call. We’d love to introduce ourselves, learn about your needs, and see how our expertise can help you achieve your goals. 

Recent Posts