Acing cybersecurity this school year: Q&A with Critical Start CTO Randy Watkins on cybersecurity in K-12 schools

Sept. 2, 2022
Increased cyberattacks on schools call for districts to prioritize cybersecurity as the new year begins

With a large attack surface to target between students, parents, faculty and staff, it’s no wonder school districts have become a ripe target for threat actors. As remote learning grew over the last several years, so did the opportunity for cyberattacks on school districts, with more students using devices to learn and teachers using them to teach. According to the K-12 Security Information Exchange, 2021 saw a total of 166 school incidents affecting schools in 162 school districts across 38 states.

Now that the new school year is gearing up, school districts need to stay on top of their cybersecurity practices to avoid exposing the data of their systems and, more importantly, their students. Prioritizing this can be a bit of a challenge, especially with public schools, as they are at the mercy of their funding and can’t necessarily push school budget dollars into cybersecurity.

SecurityInfoWatch’s (SIW) editorial director, Steve Lasky, recently discussed what actions school districts can take to mitigate these looming threats with Randy Watkins, CTO at Critical Start. As a member of the company’s leadership team, Randy is responsible for designing and executing the company’s strategic technology initiatives, which include defining the strategy and direction of Critical Start’s Managed Detection and Response (MDR) services. He is well-versed in applying security technologies, in practical and meaningful ways, to improve risk management and security infrastructure for customers, including school districts.

SecurityInfoWatch: What is unique about school districts that make them a more valuable and vulnerable target to cyberattacks?

Randy Watkins: Attackers identify targets where risk, reward and effort are in their favor. School districts hold a significant amount of valuable personally identifiable information (PII) on students, parents and faculty; contain multiple vectors of entry; and have historically and notoriously underfunded cybersecurity programs, making them prime targets. Not to mention when it comes to ransomware, school districts may be more likely to pay to avoid being down for an extensive period of time, which can potentially impact their funding.

Mix those components in with increased use of technology by students, making them more susceptible targets, and you have the ideal conditions for a cyberattack.

Schools can also be targeted because of the inherent trust of parents. A compromised school email account can be used to send a malicious attachment or URL and would likely have a high rate of success because it comes from a trusted source to those receiving it.

SIW: What did school districts learn from the past two years of hybrid learning and remote classrooms when it comes to securing devices and the networks students and staff use?

Watkins: As a result of the past year, schools have become more aware of cybersecurity and how it impacts their district and community, but unfortunately, they aren’t able to implement the necessary controls to mitigate risk due to a lack of funding. Additionally, school districts are also feeling the cybersecurity talent shortage pain, making it even more difficult to manage the considerable number of devices and user accounts. Even with cybersecurity becoming a focal point of school board meetings, the lack of resource availability hinders the progress of approved cybersecurity initiatives. To augment security staff, we’ve noticed a growing number of districts look to outsource what they can to improve their security posture while working around funding and talent shortages.

SIW: How can schools prepare and stay ahead this academic year to ensure their students, staff and systems are safe?

Watkins: To make the most of their budgets, districts should focus on investing in preventative and foundational controls. When it comes to protecting the most dangerous cohort of users, the students, user-oriented controls like web filtering and multi-factor authentication are essential to prevent not just inappropriate content but also compromise of credentials or systems.

Wireless security should be another focus area. Because devices are often interconnected through a single network, attackers can easily move laterally through the environment, expanding the scope of the breach.

Now, this may seem obvious, but another key component of cybersecurity is what schools do best: education! The best part about cybersecurity education is that much can be done for free, ranging in mediums from posters around the school to free awareness training from sites like Districts can inform their students and staff of best practices and provide user awareness training to help students and faculty know how to identify and avoid suspicious links, attachments and websites to avoid compromise. Having a Cybersecurity Day in place is a great way to drive awareness and education on cybersecurity.

Another inexpensive way to prepare and limit opportunities for an attack is to purge outdated systems and technologies. Legacy systems and tools can degrade a district’s cybersecurity posture as threat actors exploit vulnerabilities in these systems to launch attacks.

SIW: Can cybersecurity professionals monitor social media to help school districts with proactive physical security preparation related to potential school violence and active shooter events?

Watkins: This isn’t a function I’ve seen performed by cybersecurity. Cybersecurity teams don’t typically ingest signal from social media, and if they do, they typically aren’t trained to identify behavioral characteristics of potentially violent attacks. While physical security can sometimes be in the scope of cybersecurity, proactive identification of a physical threat to a school via social media is a different use case altogether. With no documented correlation between cyber and physical attacks, cybersecurity teams are best utilized focusing on cyber-attacks.

SIW: What else should school districts be mindful of when it comes to cybersecurity this school year?

Watkins: Cybersecurity is different for each school district – there isn’t a one-size-fits-all approach. The reputation and size of the district, both school count and student count, can significantly impact the amount of risk they face. With a lack of budget and resources, education around cybersecurity can reduce elementary alerts, freeing time to investigate and respond to more targeted attacks. Where resource shortages still exist, outsourcing some security functions is a wonderful way to inject necessary expertise. Continued awareness of the current threat landscape, efficient resource allocation and following recommendations from CISA and other governing bodies can help make this school year safe.