- Schools are using more edtech than ever–but they’re also more vulnerable to cyberattacks
- Account monitoring, strong passwords, and strict access controls are just a few of the strategies schools can use to protect their networks
- See related article: 4 key ways schools can strengthen and advance cybersecurity strategies
K-12 schools are facing an increased risk of cyberattacks due to a combination of competing factors. School districts have sprawling networks where availability often takes precedence over security, but are constrained in managing those networks by limited resources and overstretched IT teams.
Meanwhile, the increased use of cloud-based email and remote learning technologies, along with inadequately managed virtual private networks (VPNs), have made schools an attractive target for the types of basic attacks that larger organizations are better prepared to defend against.
A recent Government Accountability Office (GAO) report on K-12 cybersecurity found that attacks have been on the rise since the COVID-19 pandemic forced schools to adopt more remote learning. It also discovered that the damage from those attacks is growing. In total, the GAO found that the range of impacts from cybersecurity attacks includes:
- Loss of instructional time for students, ranging from a couple days to over three weeks.
- Slow recovery time that often took between two and nine months.
- Large financial impact, ranging from $50,000 to over $1 million, with costs including replacement of computer hardware and enhancing cybersecurity to prevent future attacks.
That combination of contributing factors may put schools at a disadvantage against malicious actors, but there are several steps schools can take to help them deter the most common attack vectors.
Common cyberattacks targeting schools
Lax management of email and online learning systems is one example of how schools can become vulnerable. With schools making extensive use of Gmail, Google Classroom, or other cloud-based applications, over-extended IT staff can overlook the need to retire the email accounts of graduated students. In our work with schools, we routinely see expired accounts that go back decades and number in the hundreds of thousands, presenting a ripe target for attackers.
Attackers who glean stolen usernames and passwords from the dark web can, using automated tools, easily try those credentials on school accounts. If one of them works, they gain access to the network.
Credential theft is not only a common attack vector but is also among the most dangerous. Malicious actors will use tactics such as phishing, social engineering, or software vulnerabilities to steal credentials and then use them to bypass traditional security measures and gain access to the email system. From there, they can use compromised accounts to escalate privileges and conduct a variety of malicious activities such as spear-phishing, spreading malware and exfiltrating data. A cloud email system like that in Microsoft 365, for instance, uses Azure Active Directory, which is tightly connected with systems throughout an enterprise. Access via email could allow access to practically all of an organization’s systems.
VPNs are another common attack path for targeting schools where hackers frequently use credential compromise. However, exploiting the vulnerabilities of VPNs that haven’t been updated or patched is another common tactic. Man-in-the-middle attacks, which properly managed VPNs would prevent, can occur when an attacker intercepts and alters communication between the user and VPN server, possibly because of a lack of certificate validation. Attackers could eavesdrop, manipulate data or impersonate legitimate servers.
Essential steps to better security
Successful cyberattacks on schools are usually not the result of overly sophisticated tactics. In fact, we’ve detected and prevented several breaches on school districts, and every single one of them was the result of compromised credentials. This is why it’s important to remember some of the basic security practices that can get overlooked by IT teams that are stretched too thin. Those practices include:
- Comprehensive account management. Regularly reviewing and updating user permissions, ensuring that current users have access only to the systems and applications they need, and keeping tight control of permissions can limit an attacker’s ability to escalate privileges once inside the network. It can also ensure that email and online learning accounts are disabled after students graduate, rather than remaining active and available to attackers. Effective account management of services such as Active Directory can help IT personnel implement robust security controls, reducing the risk of unauthorized access, shrinking the overall attack surface, and enabling early detection and response to threats.
- Strong password and access management. Implementing strong password policies and access controls is essential for network security. IT personnel should enforce basic password complexity requirements—minimum length, including numerals and special characters, and requiring regular password changes—but should also implement multi-factor authentication (MFA), which has proved to be effective against credential-based attacks. MFA adds an extra layer of protection by requiring an additional verification step, such as a code sent to a mobile device.
- Regular patch management. Some of the most serious security breaches have occurred when attackers exploited a vulnerability for which a patch was available but not applied. IT teams should establish a robust patch management process that includes regularly checking for new patches, testing them in a controlled environment and promptly deploying them across the network.
- Employee training and awareness. The prevalence of credential-based cyberattacks makes it more important than ever to educate users, who are often seen as the weakest link of security programs. Employees should be educated about common threats such as phishing, social engineering, and malware. They should also be educated on best practices for email security, safe browsing, and handling sensitive information. Building a culture of cybersecurity awareness can help employees recognize and properly respond to potential risks, reducing the likelihood of human error contributing to security incidents.
In meeting the demand for remote access and online learning, schools have—unavoidably—increased their attack surfaces. However, IT personnel can improve security through effective account monitoring, the use of strong passwords, practicing regular patch management and implementing strict access controls. In addition, employee training and security awareness programs are incredibly valuable.
Taken together, those steps will help protect sensitive data, critical systems, and valuable resources from the growing number of sophisticated threats targeted at educational institutions.
- In 2024, education will move to adopt AI—but slowly - December 8, 2023
- Mitigating data breaches with live patch management - December 8, 2023
- How video coaching helps us support teacher growth and retention - December 7, 2023