K-12 needs better planning for cyber incidents
K-12 schools in the US are more likely to suffer cyberattacks today, and criminals are more likely to research and target school districts – all as schools are more dependent on technology than ever before. This is according to Doug Levin, president of EdTech Strategies and creator of the K-12 Cyber Incident Map.
We spoke ahead of his planned keynote at this month's Tech & Learning Leadership Summit in Washington, D.C., which was canceled because of the COVID-19 pandemic.
Levin created and maintains the K-12 Cyber Incident Map, which provides a window into how school districts are being attacked by cybercriminals and, Levin says, offers a focus on K-12 education not often seen in most media coverage. Cybersecurity is often covered broadly, while it really is a sector-by-sector field. Even within education, K-12 is often lumped in with higher education or the US is grouped with other countries' educational systems, Levin says, even though those groupings don't reflect how education works.
Schools today are dependent on technology, and it's not just about classroom use, Levin said. Facilities, security (including cameras), HVAC systems, private student information, financials and more are all areas where schools use technology – and are vulnerable to criminal exploitation.
Levin highlighted a few trends he saw from 2019 K-12 cyber incident data, for which he also prepared a formal 2019 year in review report. One was that data breaches continued to be the leading type of event. These incidents often involve student data, and they can also involve employee and teacher data. Within that dataset, he noted, data breaches in 2019 were frequently the result of issues with education technology vendors, although there remained incidents of employee error or student mischief.
Districts have long been urged to outsource, Levin notes, but this trend suggests that more attention is needed toward understanding vendor policies around data security and privacy – and how well vendors are following their own rules.
Ransomware makes the news
Ransomware attacks are another trend seen in many industries, including K-12 education. Ransomware is a productive activity for cybercriminals, Levin notes, and school districts are a tempting target for a couple of reasons. One, they might lack preparedness or security rigor. Two, school districts provide an essential service, and simply going offline isn't an easy decision or a long-term plan.
The state of Louisiana was a notable 2019 K-12 cyberattack story, as right before the school year multiple districts were hit by ransomware. The state saw a pattern and declared an emergency, which Levin noted as an unusual step. The state forced those districts offline until they worked through a state-provided playbook to fix the problems and lock down their networks, Levin told me. This action plan additionally uncovered other instances where ransomware had infiltrated districts.
Ransomware and other attacks can affect safety systems, HVAC, VOIP communications, cafeteria point-of-sale systems and even online curriculum, Levin said. Schools can be hobbled or even shut down when these systems are compromised.
The negative effects of a successful cyberattack are clear, and they include a loss of student learning, the immediate cost of offsetting an attack (or paying a ransom) and the potential for longer-term mitigation and recovery.
Levin noted that some districts have even paid ransoms -- as much as $100,000 in instances that have been publicly documented.
Financial fraud is a trend worth watching
A smaller but ongoing K-12 cybercrime trend in 2019 was fraud, Levin says. One example is compromising the emails at a district business office, with cybercriminals targeting people who handle large payments. Or, they might target the vendors. This could involve phishing-based attempts that look to change the bank account routing number from the contractor's account to the criminal's. These can be the biggest-ticket losses in terms of dollars, Levin says.
Such fraud is difficult to pull off, but the public sector nature of schools provides some opportunity, Levin says. There is an abundance of public information available in terms of staff information, vendor contracts, and so on, as well as many environments that are lax about credentials protection and cybersecurity.
The W-2 phishing scam is another example of fraud targeting K-12 systems. A criminal might pretend to be the superintendent and email the business office in an official manner asking for, for example, a PDF list of W-2s. If that works, the criminal now has all this information. This can also be perpetrated against individual employees to target their paychecks, Levin says, although hacking the payroll is likely a one-time occurrence.
Get the basics right
It's tough to imagine blocking and preventing all possible threats, Levin says. Businesses and other government agencies struggle to do so, after all. However, Levin urges districts and local government to take a close look at what they're not doing in terms of basic cyber hygiene. Deficiencies in cyber hygiene include not patching, not training, not having effective backups and lacking two-factor authentication. Those shortcomings can make a cybercriminal's job easier. Regardless, districts must also be prepared for incident response and mitigation, especially against skilled cybercriminals.