Cyber attacks against K-12 and higher education institutions are steadily increasing. From ransomware attacks and Zoom-bombing of remote learning sessions to phishing emails and malware attacks, the cyber landscape for schools is more threatening than ever. Consider these sobering statistics:
-There was a 29% increase in cyber criminals’ targeting of educational entities worldwide in July 2021 over the prior six-month period. (Check Point Software)
-In 2019, the United States experienced multiple ransomware attacks that affected 80 universities, colleges, and school districts with up to 1,233 institutions potentially impacted. (Emisoft Malware Lab)
-Cyber-attacks against K-12 institutions increased at a record-breaking 18% in 2020 compared to 2019. (The K-12 Cybersecurity Resource Center)
On October 8, 2021, a study consistent with these findings prompted President Biden’s signing of The K-12 Cybersecurity Act. The bill requires the Cybersecurity and Infrastructure Security Agency (CISA) to create cybersecurity recommendations and tools that schools can use to protect themselves against cybercriminals.
It is important that K-12 and higher education institution administrators understand these and other cyber-related developments and what measures should be taken to defend against increasing cyber-attacks.
Education’s cyber landscape
While all schools nationwide are vulnerable to cyber attacks, certain regions have been more affected than others. Comparitech found that California was a hot spot for data breaches across both K-12 and college institutions, whereas Wyoming is the only state with no known reported education data breaches. Along with California, other states experiencing larger numbers of data breaches include Texas, New York, Illinois and Ohio; also among the largest U.S. states with the largest number of institutions and students.
The K-12 Cybersecurity Resource Center and K12 Security Information Exchange’s report, The State of K-12 Cybersecurity: 2020 Year in Review, reported this breakdown of cyber threats experienced by K-12 institutions in 2020: phishing (2%), denial of service (5%), ransomware (12%), data breach/leaks (36%) and other cyber threats (45%). For colleges/universities, many cyber breaches have stemmed from social engineering attacks wherein a “victim” is manipulated into giving sensitive information to a third-party cyber-criminal such as in a phishing attack.
Examples of cyber-attacks on colleges and K-12 schools are easy to find. Broward County School District in Fort Lauderdale, Florida experienced a ransomware attack wherein cybercriminals demanded a ransom of $40 million, which the district didn’t pay, resulting in the hackers’ publishing of 26,000 stolen files online. The University of Connecticut’s UConn Health wing’s hacking incident resulted in 326,000 patients’ names, addresses, social security numbers, medical records, and identities being placed at risk and the school facing a potential class-action lawsuit. A malware attack on Washington State University’s portable hard drives containing confidential personal health data and impacting 4.5 million people forced it to settle a class-action lawsuit.
Data protection laws
K-12 and higher education institutions must comply with various state, federal and education industry data protection laws. These include:
– State laws – the California Consumer Privacy Act and the New York SHIELD Act;
– Federal laws – the Health Insurance Portability and Accountability act of 1996 (HIPPA), Gramm Leach Bliley Act, Fair and Accurate Credit Transaction Act of 2003, Privacy Act of 1974, and Federal Information Security Management Act of 2002 (FISMA); and
– Education sector laws -the Family Educational Rights and Privacy Act of 1974 (FERPA)
Compliance with these laws requires an institutionalized approach to cybersecurity encompassing several critical measures.
Steps toward increased cybersecurity
A well-developed and implemented cybersecurity strategy reflects a thorough risk assessment, strong mitigation measures and ongoing best practices. To assess risks, a third-party cybersecurity professional should be contracted to conduct a comprehensive vulnerability assessment and penetration testing. This will ensure the highest level of objectivity which might not exist if the assessment was performed by the school’s internal Information Technology (IT) staff or external Managed Service Provider (MSP). The vulnerability assessment evaluates the schools’ IT systems and assesses risk levels related to system vulnerabilities detected. Penetrating testing (i.e., ethical hacking) determines the ease a cyber-criminal would have in entering a school’s IT system (i.e., network, ports, database, emails, etc.).
Following the risk assessments, mitigation steps to remedy weaknesses found are implemented, and include:
– Deploying new technologies and measures (i.e., firewalls, encryption, endpoint protection, multi-factor authentication, password and SSH key management and solutions to lock down access to proprietary data);
– Implementing best practices (i.e., regular data back-ups and back-up data recovery, software updates, limiting only authorized staff to have access to sensitive data, and instituting “as needed only” access to data);
– Creating and implementing cybersecurity policies which should be documented in a policy manual;
– Conducting cybersecurity awareness staff training;
– Developing a Cyber Incident Management/Reporting Plan; and
– Reviewing the Cyber Insurance Policy to ensure adequate coverage.
By remaining vigilant and following best practices, K-12 and higher education institutions can significantly reduce their risk of a cyber-attack.
Joseph Saracino is president of Cino Security Solutions, Inc.