The education space has become a major target for cybercriminals. In fact, CISA and the FBI recently issued a joint statement warning K-12 schools of worsening dangers in 2021 after a recent 57% spike ransomware attacks in the sector. So, how can teachers and students stay safe? Here, we speak with Kelvin Coleman, Executive Director, National Cyber Security Alliance (NCSA) about how educators and K-12 cybersecurity leaders can better protect students’ privacy during distance learning sessions. 

Security: Why has the education space become a major target for cybercriminals? How profitable is the data obtained from K-12/University data breaches?

Coleman: The education sector is a particularly target rich environment to cybercriminals for a number of reasons. Schools are usually underfunded (and faculty undertrained) when it comes to having the resources to identify and mitigate risks revolving around cyberattacks. The shift to remote learning has particularly exacerbated existing vulnerabilities since most schools and workplaces emphasized operability during the transition, rather than security and safety of access for students and teachers. The vulnerabilities the sector experienced were made worse because IT teams within schools (if they exist -- many schools don’t even have full time staffing for IT issues) were never tasked with creating sufficient cyber policies and educating teachers about methods for keeping their data and that of their students safe. And because of a universal lack of cyber policy, training and funding, bad actors have historically seen schools as easy targets for ransomware attacks, now even more so. 

I don’t think that the data obtained from K-12 or University breaches is that inherently valuable on its own (unless the latter is mined for data about sensitive or groundbreaking government subsidized R&D), but rather that bad actors are counting on school districts to automatically invoke cyber insurance coverage to facilitate payoffs to bad actors. And in situations where a school is covered, it’s less of a headache and less time consuming to pay ransomware demands via an insurance policy rather than resist or risk sensitive personal data being up for grabs in undesirable online marketplaces.

Security: What is the importance of educating faculty on data privacy measures and how can K-12 IT/Cybersecurity leaders minimize the risk of student data theft due to remote learning vulnerabilities?

Coleman: The importance of educating faculty can’t be overstated. The education space at large needs to make awareness and training a higher priority for school and students. And while it seems like a low-tech approach to data security and privacy measures, a comprehensive internal training program can often be the last line of defense that keeps a school (and its data) from becoming the victim of a major phishing or ransomware attack. As the education space continues to embrace technology into its framework, cybersecurity awareness needs to become more inherent. Teaching the following practices alone can help faculty and students greatly minimize their cyber risk:

• How to identify malicious links

• Effective password management practices, 

• Ensuring network access is secure

• Multi-factor authentication is used on connected devices

• Encrypting data at rest and in transit

By ensuring that cybersecurity awareness initiatives are a part of company or faculty culture, schools can better mitigate the vulnerabilities of the “human element” when sufficient funding and technology can’t be the stop gap they rely on.

Security: What are the most common types of cyberattacks schools and remote learners will experience in 2021?

Coleman: According to recent reports, the majority of cyber incidents that occurred in 2020 were a result of data breaches within school systems. The reliance on remote network access, coupled with a lack of training for identifying malicious emails and phishing attempts likely exacerbated these problems, reinforcing the need for better training among faculty (to also be imparted to students) surrounding the dangers of clicking suspect links and divulging sensitive data, especially while connected to school networks.

Security:  What existing student data privacy laws (e.g., FERPA, CIPA, COPPA) lack in protection measures in the current climate and what needs to change?

Coleman: The major problem with these data privacy laws is that they haven’t been updated to take into account a massive shift to remote learning. There’s no uniformity in school districts when it comes to which platforms different districts are using for remote learning. Throw in the fragmented and outdated nature of these laws and you have a recipe for blurred lines. Video conferencing platforms, for example, are essential to remote learning because they enable students and teachers to collaborate and communicate from home - but they also pose privacy and security risks. Some platforms may not be able to ensure that data collected from student-teacher interaction (visual or chat-based) won’t be shared, stolen or sold to 3rd parties and others may not be sufficiently encrypted or protected from access by bad actors to commandeer a screen and share inappropriate content (e.g. Zoombombing). 

So, these laws and the precedents that enforce them need to be refreshed to consider the current environment and ultimately be positioned to hold third party remote learning platforms accountable (or force them to overhaul platforms, protection measures and data sharing policies to take teacher-student use cases into account - especially for younger learners).