Classrooms have never been more connected. Many students are issued laptops or tablets instead of textbooks, while teachers and administrators rely on dozens of apps to provide instruction, track grades, manage bus schedules, create budgets, and orchestrate countless other school-related activities.
While this use of technology and data has helped digitally transform the educational experience and improve the way students learn, it has also significantly increased the attack surface for school districts. This becomes an even bigger problem when you consider how much of the data that schools collect relates to their students, making it imperative that this personally identifiable data be protected.
The State of K-12 Cybersecurity
It's an unfortunate reality, but schools rarely have the funding for everything they need. In an era where even the largest corporations struggle to manage the expansive needs of cybersecurity, school districts typically lack budgets to train IT staff, hire security experts, or instruct users on how to avoid cyberattacks like ransomware or phishing.
So, what do you get when you have valuable personal records for students that are lightly protected? A failing grade for cybersecurity.
According to a 2020 study by Comparitech.com
, K–12 school districts—along with colleges and universities across the U.S.—suffered more than 1,300 data breaches since 2005, impacting more than 24.5 million records.
And that was before the pandemic. In March 2020, almost every school in the country shut down in-person learning to reduce the spread of COVID-19. Literally overnight, schools and teachers had to switch to a completely remote learning model without any training, preparation, or resources.
Many school districts continued to practice remote learning exclusively in the 2020-2021 school year, while others used a hybrid approach of remote and in-person learning. In every case, schools had to quickly increase their reliance on technology for teaching and learning under tight deadlines that didn't allow adequate vetting, training, or securing.
Perhaps not surprisingly, this significant increase in remote learning resulted in an equally significant rise in cybersecurity incidents. According to the nonprofit K-12 Cybersecurity Resource Center and the K12 Security Information Exchange (K12 Six)
, there were 408 publicly disclosed school incidents in 2020, including student and staff data breaches, ransomware outbreaks, phishing attacks, denial-of-service attacks, and other incidents. With roughly two incidents per school day, this represents an 18% increase in incidents over the previous year.
Attacks can happen to any school district, no matter how big or small. Recent examples in 2020 include:
- An attack that took place two days before Thanksgiving shut down the Baltimore County Public School System, disrupting online class for 115,000 students.
- An attack forced Hartford's school district to delay the first day of school for more than 18,000 students.
- An attack on the Huntsville School District in December exposed student and staff Social Security numbers.
The Biggest Cybersecurity Threats Schools Face
According to K12 Six
, the most frequently experienced cybersecurity threats K-12 schools faced in 2020 include:
Data Breaches and Leaks
Schools documented 145 data breach incidents, representing 36% of all incidents in 2020. These breaches involved unauthorized access to personal student, teacher, and staff data that can include everything from Social Security numbers to grades, behavior reports, or medical information that schools keep on file. Hackers can use the data for extortion purposes, or they may sell it to other criminals to use for identity theft, credit fraud, and account takeovers.
Schools reported 50 incidents of ransomware in 2020, representing 12% of attacks. In recognition of ransomware’s growing threat to schools during the pandemic, the FBI
issued an alert stating that “cyberactors are likely to increase targeting of K-12 schools during the COVID-19 pandemic [with ransomware] because they represent an opportunistic target as more of these institutions transition to distance learning."
While representing only 2% of attacks, phishing attacks can be incredibly costly if an administrator is tricked into authorizing a large financial transaction. In 2020, K12 Six found four such incidents reported, ranging from $206,000 in losses when a school official inadvertently entered school board banking credentials into a malicious website to $9.8 million lost due to a communication compromise with a district's investment advisor and bank.
Denial of Service
While DoS attacks only represented 5% of attacks, they are extremely disruptive to education in a 100% remote learning environment. When students and teachers can't access their apps or data, it effectively cancels school, and becomes the cyber equivalent of a snow day. In addition, hackers also invade unsecured class sessions held over video chat services (known as Zoombombing
) to interrupt class with everything from hate speech to pornography.
K-12 Cybersecurity Legislation
The governmental entities responsible for overseeing school districts aren't ignoring the problem. In addition to investing in cybersecurity as a part of the overall digital transformation of the public sector, legislatures are passing new laws to help their school districts better prepare for cyberattacks.
One notable bill is Senate Bill 820
, which now requires school districts to designate a security coordinator, adopt a cybersecurity policy, and report any breach of student personally identifiable data to the Texas Education Agency. By ensuring that each school district has a dedicated staff member responsible for security, a policy for securing infrastructure against attacks, and a means for determining risk and implementing mitigation planning, Texas leaders hope to make their school districts more secure and more responsive in the face of an attack.
Other states like Massachusetts
) and New York
) are establishing school district cybercrime prevention programs to provide school districts with information on strategies, best practices, and programs offering training and assistance. Meanwhile, Maryland (HB 425) created new penalties for committing cyberattacks specifically against schools.
Similar to Texas, Tennessee passed legislation (HB 925) that requires a state-level safety team to include cybersecurity policies and procedures in its template safety plan, which local school districts must adopt as part of their comprehensive district-wide and building-level school safety plans.
Additional State Legislation
Idaho’s Student Data Privacy and Security Policy was established to ensure school districts and public charter schools shall have in place administrative security, physical security, and logical security controls to protect from a data breach or unauthorized data disclosure, such as timely notification to parents and students.
Similarly, Montana’s House Bill 745 was written to better protect student data by implementing a data privacy agreement between K-12 Schools and their associated vendors. It ensures controls are in place to protect against unauthorized access, destruction, use, modification, or disclosure of school district data, including student’s personal identifiable information.
In its Title 92, Nebraska Administrative Code, Chapter 6, the state of Nebraska details the required regulations and standards for uniform sharing of student data, records, and other information. It states that information exchanged between all parties shall be maintained and supported through secure transfer methods, and that every effort and process should be ensured to protect the integrity and confidentiality of any related data records.
With Senate Bill 2110, North Dakota gave the North Dakota Information Technology Department (NDIT) authority on cybersecurity matters for the state’s 400 public entities, including schools. Through the bill, the department helps K-12 schools implement a cybersecurity protocol, as well as cybersecurity awareness training. On Jan. 19, 2021, the department installed anti-malware software on 45,000 Chromebooks used by students throughout the state.
Michigan, through the Michigan Education Technology Leaders (METL) organization, created a guide called Essential Cybersecurity Practices for K12. It details essential cybersecurity practices for K12 schools within the state. In terms of cybersecurity training, Massachusetts has really ramped it up. The state had more than 44,000 local government and school employees sign up for trainings this spring, which were paid for by the Executive Office of Technology Services and Security through a $250,000 grant.
Missouri has established protections as well. The state’s House Bill 1606, passed in 2018, requires schools to notify parents in the event their student’s personal information is stolen or compromised. Schools must also notify the Department of Elementary and Secondary Education and the State Auditor. In Louisiana, the Data Governance and Student Privacy Guidebook, created by the Louisiana Department of Education, explains how to set up a successful system of data governance. It covers best practices, actions steps, and responsibilities regarding data governance and student privacy.
Another law aimed at securing student data is the Illinois Student Online Personal Protection Act (SOPPA). The law seeks to ensure the security of student data collected by third-party educational technology companies. SOPPA prohibits third-party operators to engage in targeted advertising using student data they collect. The law also requires schools to “implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure.”
How to Ensure K-12 Cybersecurity
The increased use of remote learning technology is here to stay—along with an increased risk of attacks. It's critical to continuously analyze, prioritize, and manage vulnerabilities to ensure students and their data stay safe. This requires 24x7, real-time cybersecurity operations that can help you monitor, detect, and respond to threats not only during the school day, but on weekends, holidays, and summer vacation. For most schools, this isn't something that can be easily managed in-house.
That's where Arctic Wolf comes in.
Using the cloud-native Arctic Wolf® Platform, we provide security operations as a concierge service. Our highly trained Concierge Security®
experts work as an extension of your team to provide 24x7 monitoring, detection, and response, as well as ongoing risk management to proactively protect systems and data while continually strengthening the security posture of your school district.
To help you enhance your security posture, we've created a comprehensive K-12 Cybersecurity Checklist
. Download the checklist to develop a step-by-step cybersecurity strategy and learn more about:
- Why you need to continuously analyze, prioritize, and manage vulnerabilities
- How to make distance learning more safe and secure for students
- The importance of audit logs and the dangers of not reviewing them regularly
- Why 24x7, real-time security operations is the only way K-12 schools can truly be secure