K-12 Cybersecurity: The Growing Threat Schools Face

Classrooms have never been more connected. Many students are issued laptops or tablets instead of textbooks, while teachers and administrators rely on dozens of apps and connected devices like Smartboards to provide instruction, track grades, manage bus schedules, create budgets, and orchestrate countless other school-related activities.

While this use of technology and data has helped digitally transform the educational experience and improve the way students learn, it has also significantly increased the attack surface for school districts. Just look at Minneapolis Public Schools, where a data breach in the spring of 2023 exposed the personal data of over 100,000 students, parents, and community members. The breach was a ransomware attack claimed by the notorious group Medusa, which demanded a $1 million USD ransom and later released sensitive student files.

The State of Cybersecurity in Schools

It’s not a surprise that Medusa targeted an organization like Minneapolis Public Schools. K-12 institutions contain treasure troves of personally identifiable information (PII), including students’ and parents’ Social Security numbers, medical records, addresses, and more. This kind of information can earn threat actors a major ransom and can also fetch them a pretty penny on the dark web if the data is exfiltrated.

Additionally, web-based applications are the new textbooks, and a plethora of users logging on to learn equals a plethora of credentials threat actors could compromise, steal, and then repurpose elsewhere to launch future cyber attacks.

These kinds of attacks are not hypothetical, either. Over the past six years, there has been, on average, one cyber incident per day across K-12 schools. If we look at Arctic Wolf’s own research, education and non-profit sectors combined were the second-most represented industry in ransomware engagements with Arctic Wolf® Incident Response, and the third-most represented in business email compromise (BEC) engagements.

But the state of cybersecurity is about more than just the effects; there are causes as well.

K-12 schools have found themselves on the radar of so many threat actors for a few main reasons:

  • The high volume of data these organizations store
  • The lack of budget many K-12 organizations, particularly public schools, have for new cybersecurity technology or resources
  • The vast number of users and applications within the environments
  • The need to monitor and protect the environment 24×7, since threat actors don’t stick to office hours
  • Lack of effective security awareness training for teachers, staff, and students who are utilizing web-based applications, emails, and endpoints

A gap between concern and implementation can create major risk, and several threat actors are working to turn those risks into active threats and, they hope, successful attacks.

Top K-12 Cybersecurity Threats

According to K12Six, the most common cyber threats facing education are:

1. Data breaches, including PII exfiltration. While K-12 schools exist to educate, a byproduct of that is the storage of students’, parents’, and community members’ PII. Due to the monetary value of PII, threat actors are increasingly targeting schools to exfiltrate that data.

2. Ransomware attacks. Individual actors and ransomware-as-a-service (RaaS) gangs tend to target organizations that both lack initial defenses and struggle to handle the downtime and the operational and financial consequences that come with the attack. For schools, a ransomware attack doesn’t only mean a hefty ransom and possibly exfiltrated data; it means learning loss, students who suddenly have nowhere to go during the day, school lunches that may be missed, major trust damage among the community, and more.

3. Phishing attacks. Grades, lessons, and school correspondence are now conducted via email, which creates the perfect avenue for threat actors looking to launch phishing attacks. These attacks can be used to steal credentials, gain network access, or launch malware, and considering the vast user base all logging on to email, the odds are in the threat actors’ favor.

4. Distributed denial-of-service (DDoS) attacks. While DDoS attacks on schools are not as common as other kinds of cyber threats, many classrooms now operate online, and even in-classroom students and teachers may be using laptops and tablets, so an interruption to applications and sites can cause massive downtime and damage.

5. BEC Scams. Like phishing, BEC can be a lucrative avenue for threat actors to go down when attacking an organization that relies heavily on email for operations. K-12 organizations, from administrators to teachers, may be dealing with financial transactions, tax documents, and more, all of which can be exploited by threat actors during a BEC attack.

K-12 Schools and Third-Party Attacks

Schools do not exist in a vacuum. They are working with educational and technology providers, government partners, and more. This inclusion of third parties also introduces new risk, and according to K12Six, most data breaches experienced by schools originate from a third party. According to the report, “During 2021, school districts reported significant breaches of personal information by: ACT, PCS Revenue, Student Transportation of America, Independent Health, and the Public School and Education Employee Retirement Systems of Missouri.”

While individual schools can’t be fully responsible for the security of their partners, by implementing holistic security measures, particularly 24×7 monitoring of sources, they can both reduce the risk and stop incidents earlier, before they escalate.

Cybersecurity Legislation to Protect Schools

Because many schools are publicly funded, local, state, and federal governments can play a role in mitigating these cyber threats.

This includes federal compliance regulations, set forth by the U.S. Department of Education, and state and local bills to combat cybercrime.

One notable bill is Senate Bill 820 in Texas, which now requires school districts to designate a security coordinator, adopt a cybersecurity policy, and report any breach of student personally identifiable data to the Texas Education Agency. By ensuring that each school district has a dedicated staff member responsible for security, a policy for securing infrastructure against attacks, and a means for determining risk and implementing mitigation planning, Texas leaders hope to make their school districts more secure and more responsive in the face of an attack.

Other states like Massachusetts (SD 2327) and New York (AB 4567) are establishing school district cybercrime prevention programs to provide school districts with information on strategies, best practices, and programs offering training and assistance. Meanwhile, Maryland (HB 425) created new penalties for committing cyber attacks specifically against schools.

Like Texas, Tennessee passed legislation (HB 925) that requires a state-level safety team to include cybersecurity policies and procedures in its template safety plan, which local school districts must adopt as part of their comprehensive district-wide and building-level school safety plans.

Additional K-12 cybersecurity legislation includes:

  • Idaho’s Student Data Privacy and Security Policy
  • Nebraska’s Title 92, Nebraska Administrative Code, Chapter 6
  • Senate Bill 2110 in North Dakota (provides unified cybersecurity approach)
  • Michigan’s Essential Cybersecurity Practices for K12
  • Missouri’s House Bill 1606
  • Illinois’ Student Online Personal Protection Act (SOPPA)

On a federal level, in 2023 CISA released “Protecting Our Future: Partnering to Safeguard K–12 organizations from Cybersecurity Threats,” which offers K-12 school recommendations and resources for cyber resilience. There are also federal grants available to these schools.

How To Improve Your Education Cybersecurity

While the risks for K-12 schools are ever present, there are actionable steps organizations can take to reduce their cyber risk and put themselves in a better position to stop the threats of today and tomorrow.

These actions include:

1. Implement strong email security and monitor email sources

2. With a wide user base, it’s important to utilize security awareness training that uses micro-learning as well as industry-tailored phishing simulations

3. Use 24×7 monitoring, detection, and response tooling that can offer comprehensive visibility across the environment, including cloud and identity sources

4. Partner with a third party, like Arctic Wolf, that can help your school improve its security posture from multiple angles while responding to and mitigating urgent threats

5. Invest in incident response (IR) or an IR retainer to help reduce the impact of incidents and reduce downtime and financial costs

Learn more about how your school can improve its cybersecurity with our K-12 Cybersecurity Checklist.

Explore how Arctic Wolf keeps Eden Prairie Schools’ valuable data secure in an evolving environment.

Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.