Prior to 2020 it could safely be assumed that many school districts did not recognize the risk of behaviors in which they were engaged. School districts are particularly invested in keeping things secure because of the high level of sensitive information they store and the number of applications they use to share data with state and federal government programs regarding both students and staff. Schools often use outdated computer systems, a problem compounded by staff members who have no training on how to spot infected emails. Yet, districts have a fiduciary duty to safeguard the data they store.
The amount of data that educational organizations deal with has grown exponentially. Yet, because they often operate on a shoestring budget, districts rarely have dedicated cyber security experts; they rely on their IT teams to ensure security. However, those IT departments often do not have the investment they require, so holes in their security leave them vulnerable to attacks. The types of attacks vary. Viruses have long plagued school districts, but now there are growing instances of hacking and phishing.
Ransomware attacks have become one of the most prevalent types of cyberattack. Ransomware is a type of malicious software that gains access to files or systems and blocks user access to those files or systems. Then, all files, or even entire devices, are held hostage using encryption until the victim pays a ransom in exchange for a decryption key. The key allows the user to access the files or systems encrypted by the program. These attacks often begin with an email containing links or attachments that seem benign but give the hacker access to that single system and then to the network. While fairly unsophisticated as cybercrimes go, these attacks can shut down servers, expose data, and interact with management systems. School districts of all sizes have been attacked; no one is immune. Again, without a dedicated IT staff and relying on aging infrastructures, many cash-strapped districts are ripe for attack.
There were 408 reported cyberattacks on schools in 2020. While industry experts discourage paying ransoms for fear of encouraging this type of attack, many districts without reliable backup, or whose backups are encrypted as part of the attack, are left with no option but to pay the ransom to resume operations. Attackers are rarely identified, so it is difficult to hold anyone accountable. Investigators found that one in every six Massachusetts communities had been infected by ransomware. The Massachusetts attacks showed that what once was thought to be a big city problem is leaving every school district vulnerable. And it is on the rise. Traditional schools were most likely to be attacked, and 12% of districts that had an attack were hit a second time. 2019 was called the worst year on record for breaches, and then came 2020.
Low-Hanging Fruit and the Impact of COVID on Security
2020 not only introduced us to the COVID-19 pandemic, but it also brought about what many refer to as a cyber pandemic. The first quarter of 2020 tracked pretty typically, but attacks rose dramatically as the year went on and everyone from administrators to students moved to working online. The forced quarantine in the wake of the COVID-19 pandemic had districts working remotely without access to IT or to security patches and updates, while preparing board agenda materials online, and even having virtual public meetings for the first time in history.
With tens of thousands of small school districts, ransomware, once on the decline, has become low-hanging fruit for cybercriminals. Many school districts are transferring sensitive documents via email. With the threat of cyberattacks, using email to prepare or send meeting materials is not judicious. When board members and staff are accustomed to receiving documents and updates via email, they are less likely to exercise caution when they receive infected links or attachments.
The prevalence of portable devices again exacerbates cyber risks. Most board members – and staff members – use their devices for information, but also for entertainment and social media. School districts are now the most likely agencies to suffer a ransom attack, so it is clear that groups that carry out these kinds of attacks have discovered that schools are an easy target.
In the area of cybersecurity, overall, it does not appear that school districts are doing enough to mitigate risks. Using email to communicate and/or to prepare and transmit meeting materials is inviting unnecessary levels of risk. Elected board members are quite likely not aware of the risks or aware of their personal liability. Of breaches that come from inside an organization, 67% are not malicious, but are from errors. Effective defense from cyberattacks ultimately depends on education and on removing the chance of human error whenever possible. Cloud-based software that is recognizable and reliable is one of the best ways to take the guesswork, and human error, out of the agenda creation process. When the Newhall School District in California was hit by a ransomware attack, the only two processes that could continue over the course of eight days were pencil and paper and those that used cloud-based software.
- Utilize cloud-based software like BoardDocs for both agenda creation and distribution of materials to the board. Logging in to a secure portal eliminates the likelihood of users clicking on a tainted email or attachment.
- Everyone who is involved in agenda creation, delivery or use needs to be kept up to date with training on cybersecurity. Cybersecurity needs to be viewed as a shared responsibility rather than being relegated to IT teams.
- School districts need to develop a plan for cybersecurity. If they already have one, it should be reviewed annually. By now, administrators are becoming aware that they are a target, but this fact needs to be stressed to board members as well.
- Districts need to adopt a digital security mindset, with contingency and disaster plans in place. Working closely with other entities can help minimize threats. Data grids that are interconnected can quickly cause cascading problems. Any device with data or applications on it needs to be remotely wiped in case of loss, theft or other threat. Only approved applications should be opened with devices belonging to the district.
- When possible, it is best to have dedicated hardware. A tablet or laptop that can easily be updated and fully patched with all security updates is a necessity. Using a password-protected secure portal to prepare and host agenda materials is the preferred vehicle to transmit board documents.