Flat networks and small cyber budgets left schools vulnerable, but analysts say there’s help

Schools are among the most targeted and least equipped to manage cyberattacks, but analysts say there are free resources that can help.
(Giannina Vera / Scoop News Group)

To respond to the increase in cyberattacks over the last several years, experts say there are steps schools should take to better safeguard student data.

Since the COVID-19 pandemic, which forced most school districts to shift into virtual learning environments by expanding their networks and digital offerings, the risk of ransomware and phishing schemes targeting student data has steadily increased.

Public schools are often under-resourced and lack the capacity, funds and personnel to bolster their cybersecurity defenses alone. As a result, cyber experts say bad actors have found great success in targeting schools for banks of sensitive data, leading to the theft of students’ personal data, or even their identities.

Cybersecurity analysts told StateScoop that to prevent successful attacks, schools should avoid flat network infrastructures, keep backups safeguarded and thoroughly vet their cybersecurity vendors. And even for districts where more funding for additional IT personnel or cyber tools may not be available, there are resources out there to help.

Valuable targets

Education consistently ranks in the top five most targeted sectors for cyberattacks and data theft. Schools possess extensive amounts of personal and financial data about students, teachers and school staff. Between 2016 and 2022, there were 1,619 cybersecurity incidents affecting K-12 public schools, according to the cybersecurity nonprofit K12 Security Information Exchange, also known as K12 SIX.

Many of the most harmful incidents were ransomware attacks. From January 2023 through June 2024, there were at least 83 potential ransomware attacks on K-12 public school districts disclosed, according to K12 SIX.

“A lot of times, they’re flat networks that use a ton of different applications, which are inherently meant to be easy to access and user friendly, which creates a large surface area for any sort of threat actor to get to,” said Jillian Rucker, section chief of state, local, tribal and territorial engagement at the Cybersecurity and Infrastructure Security Agency. “By nature, they’re going to be an attractive target for something like ransomware. It’s a criminal actor who is really looking for the lowest common denominator, or the lowest hanging fruit, or the easiest network to access.”

The prevalence of flat networks, which allow for easy movement without the need of additional credentials, is often a result of a lack of cybersecurity resources in schools. TJ Sayers, the director of intelligence and incident response at the nonprofit Center for Internet Security, said a lack of IT personnel is a large part of why the attacks have increased. He said most K-12 IT departments are under-resourced, and in some cases they only have a handful of personnel to maintain and protect networks with hundreds of thousands of users. 

Sayers said another reason for the increase in cyberattacks on schools is the large ripple effects they cause, bringing down entire networks for weeks in some cases. And the bigger the ripple, the bigger the chance for bad actors to receive a payout.

“You’re dealing with thousands and thousands of school-aged kids and children, who are now having to stay home for their parents, which is impacting potentially hundreds, or if not thousands, of businesses that parents can’t go to,” Sayers said. “[That data is] very valuable for future targeting of people. They get to kill two birds with one stone: They get to attack the K-12, which is under-resourced, and they have a lot of urgency to keep operations up. They’re probably going to end up paying quickly right to get things back up. So you get the money quickly, and then you also get all this data that is rife with identity fraud.”

Trust in vendors 

While the overall lack of IT resources found in public school districts presents cybersecurity risks, a reliance on vendors for critical network and data protection can present risks, too, Sayers said.

In 2022, a cyberattack on Illuminate Education, a student grading and attendance software company, compromised the personal data of more than a million current and former students across dozens of school districts, including New York City’s large public school system.

Michael Garcia, a manager with the tech company HID Global’s K-12 Safe Schools program, said it’s important for schools to vet their cybersecurity vendors. He said that before schools connect anything to their networks, they should ensure the software that vendors are supplying has been tested and verified by a certifying cybersecurity agency.

David Waugh, chief revenue officer of K-12 cyber firm ManagedMethods, said he tells customers to test products in offline sandboxes, where vulnerabilities won’t expose their data. Organizations like the CIS’s Multi-State Information Sharing and Analysis Center, the Consortium for School Networking and the International Society for Technology in Education offer resources for both the vetting and testing of cyber products, he added.

“There’s a lot of good organizations out there, like MS-ISAC, CoSN, ISTE that will all publish best practices and guides for how to vet and properly look into it,” Waugh said. “But sometimes it boils down to common sense. … Are they a known brand? Does somebody know them? Do you have other peers, other organizations in the education community, are there other school districts in your state or community that have used them? Is there trustworthiness?”

CISA last year launched a voluntary K-12 Education Technology Secure by Design Pledge that K-12 technology vendors can sign to publicly affirm they’re designing products with greater security built in. It includes standards such as offering single sign-on and security audits at no extra charge to customers, and transparently disclosing any vulnerabilities. Rucker, the CISA section chief, said schools can use this designation as a way to see which vendors are making their products more secure. 

Along with vetting vendors, a defensive cybersecurity position for any school district, Garcia said, requires layers of security. In most cases, he said, this requires multiple vendors and an audit to determine what those vendors should protect.

“Your networks are hardened in layers, and those layers are what we need to look at, what we need to concentrate on… First, what they [school districts] should do is an audit on their assets. That’s where you’re going to find that computer you didn’t know about. That’s where you’re going to find that server that you didn’t think was operating anymore. You know, that’s where you’re going to find what you need to protect and how you need to protect it,” Garcia said, adding that following the audit, schools should conduct risk assessments to identify vulnerabilities and to determine which assets are critical to protect. 

Garcia said that while the technology piece of cybersecurity is important, training staff and students alike to avoid common cybersecurity threats — like phishing — is essential.

‘Easiest and quickest win’

For schools looking to improve their cybersecurity immediately, CIS’s Sayers said there are free resources available through his organization’s MS-ISAC. 

MS-ISAC membership includes free round-the-clock monitoring from its security operations center, cybersecurity webinars, reports and alerts; access to the Nationwide Cybersecurity Review, or NCSR, an anonymous self-assessment tool from CIS that can help a district determine its cybersecurity maturity; and access to secure portals for communication and document sharing. 

He also noted the Malicious Domain Blocking and Reporting service provided at no cost to state, local, tribal and territorial government members of the MS-ISAC, which includes schools. It was launched in 2020, and designed by CIS in partnership with CISA and software company Akamai.

“By nature of that service we provide through MDBR, it is also very catered towards that community. So a lot of other services that are out there are effective, but the difference between what CIS provides and some of those other vendors is one, it’s no cost to the K-12 and two, it’s specifically catered for them,” Sayers said. “We really try to work through all the chatter and all the noise that’s out there, and only find the things that are timely, actionable and relevant for K-12. So that would probably be the easiest and quickest win — the other one would be just becoming a member of the MS-ISAC.”

CISA’s Rucker said the MS-ISAC is invaluable for schools, particularly those that are under-resourced. She added that there’s a cultural shift occurring that stands to benefit schools in the years to come, as more software is developed with security in mind.

“I do think that there has been a shift in mindset through many different software and application vendors in this sector — and many other sectors — to start developing things and include that Secure by Design mindset into what they develop, because some things are by nature vulnerable. I think we can do a better job building them to make them less vulnerable,” Rucker said. “I think the shift into thinking that way has been a long time coming, but we have noticed in the past year, kind of a greater adaptation, or just more thinking about it.”

The cybersecurity threats facing state and local governments continue to grow more numerous and advanced, but officials say their organizations have new tools and techniques of their own.

This story was featured in StateScoop Special Report: Cybersecurity 2024