Preparing for ransomware attacks begins with education

Key points:

• Ransomware attacks can be devastating to a school or district, with costly ransoms and leaked sensitive information
• The most effective security is layered; humans are only part of the equation

The biggest threat to K-12 schools’ cybersecurity is, ironically, education. It’s an expensive deficit. But there are funds and tools to help.

Ransomware – where hackers encrypt and lock victims’ data and try to sell the decryption key back to the victim for a ransom – delays education and hurts already-stretched budgets: A GAO report says a ransomware attack can cause K-12 students learning loss up to three weeks and cost from $50,000 to $1 million in expenses.

Or worse. In November 2020, a ransomware attack hit the Clark County School District in Nevada, the fifth-largest school district in the U.S. More than 320,000 students were blocked from accessing assignments and other educational materials. It cost the district more than $4 million to recover from the attack.

Even when schools don’t pay the ransom, as in the Los Angeles Unified School District case in 2022, there are costs. In the LAUSD, some of its platforms were knocked offline and sensitive personal information was released. More recently, the Minneapolis Public School District was attacked by ransomware criminals in March of 2023. District data was held hostage for $1 million. When the district did not pay, the criminals released highly sensitive personnel data.

These are a few of the cases we know about; many other attacks go unreported. The U.S. Government Accountability Office reports that, in 2021, 647,000 K-12 students were impacted by ransomware attacks.

Ransomware criminals can even double-extort, and seek ransom from parents, students, and employees who have had possibly sensitive personal or financial information stolen. When this happens, the original institutional ransomware victims can end up exposed to liability lawsuits.

There are several tools school administrators can use to counter the threats of ransomware and its potential to interfere with operations, finances, and educational experiences–starting, of course, with education.

A simple attack

Ransomware (and other) hacking attempts often start with simple social engineering. Somebody opens a forged email with a hacked attachment that gives a hacker the entre into a network, and that starts the actual attack. Attacks may occur on user-owned mobile phones or computers and make their way to facility equipment when they connect to school Wi-Fi.

Underfunding makes security gaps wider. In many schools and school districts, a lack of ongoing funding for technology upgrades – and more importantly, for full-time IT personnel with current security training – represents another vulnerability. Attacks that might be blocked by up-to-date hardware or software can be more effective against misconfigured or older systems.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has specific recommendations for K-12 schools based on their typical vulnerabilities and resource constraints. In addition to practical technology advice such as “deploy multi-factor authentication,” the CISA recommends strong cybersecurity training programs.

Finding (and building) training programs

Training can start with products available from various sources like Infosec IQ, KnowBe4, Proofpoint, and Mimecast.

It also makes sense to create in-house training programs, especially for the users most likely to open corrupt links or emails. Offering blame-free feedback – or swag, incentivizing users to forward suspect hack attempts to the security teams — is a proven way to turn the biggest targets into a trusted defensive line. The goal is to create a friendly dialog and to break down the reluctance users may have to discuss security issues.

Inserting security tidbits into existing community email newsletters can also keep awareness of security issues, and especially emerging threats, on the minds of users. Or it can make sense to reach your community where they live: Putting security tips on Instagram or TikTok might be more effective for some groups than email.

You can also put cybersecurity into the curriculum, as North Dakota is: Its new law, HB 1398, requires that all students are educated in computer science or cybersecurity starting in July 2024. In addition to our administrators, we must educate our students about the reality of living in today’s technological world and the dangers that come with it. 

Because the human factor is such a big part of security, it makes sense to focus on it through education and community outreach. However, the most effective security is layered, and humans are only part of the equation. Applying technological gates to technological security issues needs to be done alongside education.

And no matter the solution set you have, it’s important to run trials and drills against it. School officials should practice how to deal with a security incident – from securing backups to informing the community.

Use the funds available

There are funds available for these efforts. Federal Elementary and Secondary School Emergency Relief (ESSER) funds can be used for cybersecurity to meet demands related to COVID-19, such as accommodating hybrid learning. Deadlines to use funds from ESSER II and ESSER III programs are September 2023, and September 2024 respectively.

Now more than ever is the time to look at a cybersecurity budget and weigh the costs against the risk and expenses of a ransomware breach.

There is no single solution to combating technological security attacks. Keeping a school safe from hacking requires expertise, community buy-in, technological solutions, and practice. Fortunately, there’s an industry in place to help, and some of the most important pieces of the solution come free with a positive connection to users.

Related:
North Dakota to require computer science for all K-12 students
Ransomware attacks on schools are only getting worse