The start of the school year was anything but smooth for the Los Angeles Unified School District (LAUSD), the nation’s second-largest school district, as cyberattacks all but caused a virtual snow day for students. It's no surprise, though: remote and hybrid learning environments have been widely implemented, putting the cybersecurity teams of these learning institutions on high alert.
During the heart of the pandemic, school districts, eager to level the playing field for students regardless of their means, handed out tablets, laptops and Wi-Fi hotspots so every child could participate in remote learning. While necessary to ensure that no child was left behind, each of these devices was potentially a back door into a district’s IT networks.
Once online, K-12 networks became attractive to hackers and cybercriminals because they contain large volumes of personally identifiable information (PII) on students, teachers, administrators, staff and parents. Everything from digital grade books to direct deposit pay instructions, vendor accounts and more (all attractive targets for a bad actor) is stored on networks and accessed by users with a limited understanding of cybersecurity. Hackers also know that schools are more likely to pay a ransom than enterprise institutions due to their funding and the need to stay online.
Several factors have led to this shaky security infrastructure, the biggest of which is chronic underfunding for most school districts. Research conducted by Morning Consult for IBM in October 2020 found that 54% of educators and administrators said that budget was a large or medium barrier in strengthening their institution’s cybersecurity position.
The lack of resources to invest in cybersecurity manifests itself across all levels:
- Students are often assigned older devices that are easier targets for hackers.
- Educators are subject matter and child development experts; they are not IT professionals.
- Administrators, while stating they felt it was their responsibility to prevent an attack, were only 20% more likely to have received any cybersecurity training than educators, according to the Morning Consult/IBM research.
- District IT professionals are stretched thin, which makes it challenging for districts to attract the best IT talent with their limited budgets.
In addition, 59% of teachers and administrators told Morning Consult/IBM they were using their personal devices for remote learning, which leaves district IT teams with little visibility into the security of those devices or of the other networks they connect to.
While districts across the country are supporting in-person learning for the 2022-23 school year, cybersecurity should remain a priority. Even with limited funds, there are effective and cost-efficient steps district IT professionals, administrators and teachers can take.
Teach and enforce cyber hygiene
Personal hygiene is part of many middle and high school programs, and in this digital age knowing how to keep school devices and networks clean and safe is just as important. All students need to understand why the data stored on the school network is important and should be protected. They also need to be taught cybersecurity policies and how to adhere to them.
For older children, cybersecurity education should cover the types of attacks, such as malware, ransomware and phishing, and how to identify them. For younger children, who could be more likely to fall victim to phishing or deceptive scams, user-based controls can limit the applications and sites that students can access.
When possible, districts should invest the limited resources they have in controls that will prevent attacks. With many attackers targeting users to compromise their credentials, implementing multi-factor authentication (MFA) for all users with access to PII will limit an attacker’s ability to steal data. Additionally, schools should build out their vulnerability management and patching programs to prevent attackers from exploiting vulnerabilities that have already been identified and patched by manufacturers. Lastly, with email still being a chief attack vector, investments in an email protection tool that identifies and prevents targeted attacks beyond spam may help curb the outbreak of opportunistic attacks and spear phishing emails.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has several resources that can advise on areas like training, best (and bad) practices and services that districts can tap into. Another excellent resource for administrators and IT professionals is SchoolSafety.gov, a joint effort between several U.S. agencies, including the Department of Education and the Department of Homeland Security.
Monitor the network
While the first two recommendations are a starting point, monitoring network endpoints for suspicious activity, malware and other threats is crucial. The volume of these alerts, however, can be overwhelming, and it can be difficult for small IT teams to triage which ones are vital to address. Some districts have found it helpful to automate monitoring or outsource it to a third party that offers managed detection and response (MDR) services.
With the expanded attack surface and a treasure trove of valuable information, it’s likely school districts and higher education will remain targets of interest for adversaries. Investments in cybersecurity will be necessary to stave off attacks, but implementing cybersecurity education and training across students and faculty can also play a preventative role in safeguarding the education of future generations.