Cybersecurity lapses: a continuing problem in schools
(Va.) More than 120 cybersecurity threats targeting schools or entire districts were reported last year, according to a report released last week by the K-12 Cybersecurity Resource Center.
The attacks affected large, medium and small districts, and in every region–from the Florida Keys to Anchorage, Alaska.
And while nearly 40 percent of all incidents affecting school districts last year were located in suburban communities, significant numbers of districts impacted by cybersecurity incidents were in urban and rural communities, researchers found.
“Public schools are increasingly relying on technology for teaching, learning, and school operations,” Douglas Levin, president of EdTech Strategies and author of the report, said in a statement. “It should hardly be surprising, therefore, that they are experiencing the same types of data breaches and cybersecurity incidents that have plagued even the most advanced and well-resourced corporations and government agencies.”
Schools have increasingly become targets of cyber-attacks in recent years due in part to the amount of sensitive information they keep–including social security numbers and home addresses–and also because more technology is entering every school building.
According to the new study, the number of K-12 students nationally that have access to the broadband required for ‘digital learning’ ballooned from 4 million in 2013 to nearly 45 million in 2018.
Also a target are the many web-based communication devices that schools use outside of the classroom. Researchers noted that school telephone systems are migrating to voice-over-IP, or VoIP, services; point-of-sale systems are deployed in school cafeterias; district human resource offices manage hiring, payroll, and benefits via online portals; internet-connected surveillance cameras are being installed at an increasing pace; HVAC and lighting controls are centrally managed via IP networks; and student information systems offer real-time insights to administrators, teachers, and parents online.
With so many potential access points, it is perhaps unsurprising that cyber threats have also become increasingly common. During calendar year 2018, researchers found that 122 publicly-disclosed cybersecurity incidents affected 119 public education agencies across 38 states. In fact, two school districts were reported to have experienced more than one cybersecurity incident.
That equates to a rate of about one publicly-reported incident every three days – although researchers said that many incidents go unreported, and in some cases, districts don’t even know that they’ve been compromised.
The most common incidents were tied to human error. Nearly 47 percent of breakdowns in cybersecurity were due to unauthorized disclosures of data by current and former K-12 staff, unauthorized disclosures of K-12 data held by vendors partnering with districts, unauthorized access to data by K-12 students, often out of curiosity or a desire to modify school records such as grades, or unauthorized access to data by unknown external actors, often for malicious purposes.
Close to 16 percent of the incidents reported were the result of phishing–typically defined as malicious third-parties using emails disguised as being from legitimate sources to gain access to sensitive data systems or deliver and spread malware on school networks.
About 9 percent were linked to ransomware, which frequently involved significant costs and lost time in restoring IT systems, lost data, communications services, and mobile devices. Researchers found that in the most extreme cases, school districts were not able to restore their systems from backups and instead made the controversial choice to pay the extortion demands of criminals to regain access to their systems.
One of the biggest incidents last year was a data breach of the Pennsylvania Department of Education's Teacher Information Management System resulting from human error, which potentially compromised the personal information of 330,000 school staff across the state.
Another was the result of a targeted phishing attack in Texas which led to identity theft and tax fraud. District officials said an employee responded to a sophisticated phishing email from a scammer pretending to be the superintendent, requesting–and receiving–copies of W-2 tax forms for all district employees.
Levin concluded that it is vital that policymakers take a serious look at the use of technology in schools in order to craft policies that can help protect student and employee data. At the same time, he stressed, the need for flexibility as technology quickly advances.
“Keeping K-12 schools ‘cyber secure’ is a wicked problem–one that is assured to get worse until we take meaningful steps to address it,” Levin said. “It won’t be solved solely by an infusion of money, new technologies, new policies and regulations, or a cybersecurity awareness campaign. All are likely necessary, but how they are implemented and evolve over time to meet the specific and idiosyncratic needs and constraints facing public K-12 schools will matter most of all.”