In June 2020, the FBI told K-12 districts that schools “represent an opportunistic target as more of them transition to distance learning.”* As if teaching and learning during a pandemic were not hard enough, school administrators also have to deal with a looming concern about security. But this threat is not one that would be immediately obvious; there are no broken windows in the school and no need for a security guard in this case. Rather, these threats are all cyber-related.
The only area of cybersecurity for which most schools have adopted technology solutions is cyberbullying – students virtually attacking other students – but what happens when the school IT infrastructure itself is the one under attack? School districts spend years and billions of dollars outfitting their campuses with the best cameras, access controls and other physical security measures they can afford, all while mostly neglecting the security of the network, both from the outside and from the inside. Many schools do not consider themselves targets, and that is the reason schools are such a great target for hackers. Schools have unbelievably valuable data to steal. Personally Identifiable Information (PII) includes things such as social security numbers and birthdates, as well as other biographical information about students, staff and potentially parents. This information is invaluable to hackers for the purposes of identity theft. While identity monitoring has become much more popular in recent years, child identity monitoring has not.
Consider these identity theft statistics: **
In other words, if your chances of winning the lottery were 1 in 15, as are the odds of being an ID theft victim, we would all have family, friends and colleagues who are millionaires.
Attacks can happen in a multitude of ways, and most of the time they are extremely hard to detect unless you have the tools and resources to monitor 24/7. Every major data breach that makes it to the news has one thing in common: the breach was not detected as it happened. Sometimes it was detected weeks, months, or even years after the data was exposed. Schools are not in the business of IT security; they are in the business of teaching kids. School IT should be focused on the learning aspects of technology, not IT security.
Why is this happening now more than ever?
The most common reason that school security breaches have been happening more frequently is that, for many schools, cybersecurity was in the plans for the future, not an immediate priority. With the introduction of hybrid learning and remote learning, students' and faculty members' home networks were introduced to the playing field. These networks are less secure and less frequently maintained than school networks, thus leaving more areas of vulnerability. Online learning also means schools experienced a proliferation of devices on their networks, which is something the vast majority of American schools had not seen before. These devices are also incredibly complex to manage and control. And given the less than optimal amount of time before students were sent home for months, IT could only do as much as they could before students left and while they were at home.
There are some schools that initiated a 1:1 policy well before the pandemic, but the programs created for the 1:1 program, including IT security and device control, did not extend beyond the bounds of the school building. They worked and operated securely while the student roamed around the school and worked in their classroom, but all bets were off once they got home.
This poses a big inside attack threat, as students will eventually bring these devices back on campus and reconnect to the network. Just like the concern surrounding someone sick coming into the school, schools should be concerned about a “sick” computer coming back: a computer with a Trojan, or back door, ready to attack once it is back on the school network. Lastly, as consumers we are all susceptible to free offers, but during the pandemic and still now, hackers are preying on frustrated teachers and administrators still trying to figure out the most effective way to get through hybrid learning. The offers of free software that will revolutionize your digital classroom are not what they promise; in fact, they are downright dangerous. If you are not paying for it, you are not the customer; you are the product being sold.
All these new factors play into a school’s cyber hygiene, making them even more attractive to hackers and ultimately susceptible to an attack. And so, it is important to understand the real risk factors involved in having a less-than-optimal cybersecurity strategy.
What are the risks?
Corruption of School Technology and Security Systems
Interference with school technology interrupts learning, frustrates teachers and makes it nearly impossible for administration to continue their work. Not to mention, if all the school technology is corrupted, it leaves every device and piece of data in that school vulnerable.
Breaches and Hacks That Affect Student and Faculty Data
Schools are rich with varied data. Hackers can use the information they glean from school data to put together a phishing campaign, or they can take advantage of a pool of social security numbers.
Ransomware for the Purposes of Extortion
Once student or faculty data is obtained, it can be used to hold that individual for ransom. This means the hacker will give up the information in return for payment. It is a terrifyingly real scenario that happens everywhere, and school data can be the target.
School security is challenging to say the least, and this past year has escalated the need for it. IT staff and administrators need to make sure that school infrastructure and anyone engaging with the network are prepared and trained to recognize something “phishy.” When things come back to pre-pandemic living, most school network infrastructures may not be able to handle the onslaught of additional devices. Many of these networks were not built with massive additional capacity to support a large flood of new devices. Vulnerabilities and potential attack vectors can be exploited through the noise of all these new devices and data traversing a school’s network.
Security is not a one-and-done service; rather it takes planning and proper execution to implement a robust security monitoring and defensive strategy to protect your school from ever-evolving threats.
* https://www.rollcall.com/2020/09/08/schools-online-learning-cyberattacks/
** https://www.identityforce.com/blog/identity-theft-odds-identity-theft-statistics