K-12 Schools Need to Take Cyberattacks More Seriously

Weak Security
Compared with most organizations and workplaces, public schools are less prepared to defend themselves against cyberattacks.

For instance, in Baltimore County, a state government report indicated that the school system’s network lacked adequate security and had failed to properly safeguard sensitive personal information.

Typically, public schools have small IT teams. Some have technology leaders with no formal training in technology.

Public schools also lack proper data backup and recovery systems and procedures.

Given the large number of users, school networks have many vulnerable points of entry and face higher risks of malware infection and transmission. Students might also use devices with outdated software, and their home networks might be insecure. If one student’s device is attacked, it may be used as an entry point to attack the entire school network.

For instance, the criminals may send malicious email attachments to other users of the network using the student’s credentials. Most K-12 students lack cybersecurity training, including how to spot malicious links or infected attachments.

Extortion Tactics
Public schools are under pressure to ensure that students have access to online learning opportunities during the COVID-19 pandemic. The pressure to quickly restore networks is especially acute after the school year starts. Cybercriminals are taking advantage of this situation.

After penetrating a school network, the perpetrators seek to gain privileged access and identify critical systems. They then gather large numbers of account credentials, such as usernames, passwords and other items used to validate identity for authentication. They may also steal other sensitive data, try to destroy backups and disable security processes.

According to the antivirus company Emsisoft, after ransomware perpetrators compromise a network, they stay in the network for an average of 56 days before they deploy ransomware.

Ransomware attacks against K-12 schools dramatically increased when the 2020 school year started. The number of universities, colleges and school districts facing ransomware attacks increased from eight during the second quarter of 2020 to 31 during the third quarter.

Sensitive personal data is also involved in such attacks. In nine of the 31 ransomware incidents victimizing U.S. schools in the third quarter of 2020, the perpetrators had stolen personal data. The five most active ransomware groups targeting K-12 schools – Ryuk, Maze, Nefilim, AKO and Sodinokibi/REvil – run leak sites to “dump” personal data if victim schools refuse to pay.

In September, ransomware gang Maze attacked Ohio’s Toledo Public Schools and published personal data of faculty, staff and students online. Personal data posted on the dark web included students’ and employees’ Social Security numbers and dates of birth. The criminals also disclosed information related to students’ exam grades, disciplinary action and disability status. The identities of an eighth grader whom the school had listed as emotionally disturbed and a ninth grader suspended for sexual activity were revealed. A list of foster children was also published.

Children’s Data Are Highly Valuable
Among the most serious concerns in ransomware attacks against schools is that leaked children’s data is likely to be sold on the dark web. Even before ransomware attacks started, children were 51 times more likely to be targeted for identity theft than adults.

Some identity thieves specifically target children because the children may not find out that they were victimized until decades later, after applying for credit.

The unique value of children’s Social Security numbers also stems from the fact that they lack a credit history and can be combined with any name and birth date.

What Can Schools Do?
School leaders should develop clear guidelines and policies to strengthen cybersecurity. Regular updates about phishing and other threats, as well as strategies and instructions to mitigate and manage such threats, must be provided to students and staff.

Schools can also use free services to enhance cyberdefense. Of the 13,000 school districts in the U.S., only 2,000 are taking advantage of free membership in the Multi-State Information Sharing & Analysis Center. The center offers network vulnerability assessments, cyberthreat alerts and other services, such as Malicious Domain Blocking and Reporting, which prevents computer systems from connecting to malicious websites. Only about 120 schools use the blocking service.

Many school districts rely on outdated equipment and software, which are easy to hack. It is important to patch operating systems and software when manufacturers release new updates. It also helps to constantly back up important data. By frequently backing up data and keeping it secure, schools can ensure access to networks without disruption.

Schools may also want to purchase cyberinsurance to defend against ransomware and other cyberthreats. Insurance not only helps pay ransom, but it also helps to defend against attacks, because schools need to strengthen their security to get a lower premium. When online education company K12 Inc., which creates online learning curricula for over 1 million students, faced ransomware attacks in November, the company worked with its cyberinsurer to make the ransom payment.

Nir Kshetri is Professor of Management, University of North Carolina – Greensboro. This article is published courtesy of The Conversation.