K-12 cybersecurity is an issue at the forefront of the education sector. Over time, cyberattacks have increased dramatically for K-12 schools, according to the Government Accountability Office.
Hackers seek to gain Social Security numbers and other personally identifiable information (PII) from both K-12 schools and higher education institutions such as universities and colleges. While teachers and students need to be educated to reduce risk exposure (Rahman et al., 2020), cyber threats continue to evolve too quickly for many schools to manage.
Brad Zearott is a friend and colleague who has worked for schools for many years as a cybersecurity professional. He mentions that while businesses and schools face many of the same cybersecurity issues, there are some unique aspects to K-12 cybersecurity. “Schools are unique in that our customers are our parents and our students. This presents a challenge as we must educate both groups on safe cyber practices,” he says.
The Top Threats to K-12 Cybersecurity
While schools face many types of cyberattacks, one of the most damaging is a ransomware attack. During a ransomware attack, a hijacker gains access to files and locks the owner out of them.
After the attack, a communication usually follows with a financial demand to unlock the files for the original owner. Zearott mentions that while the files are usually unlocked after paying the ransom, hijackers oftentimes install a “back door” that allows them to access the files again after some time has passed.
While ransomware attacks are not the most common threat schools face, Zearott says that they are the most devastating type of cybersecurity attack. Most schools end up paying the ransom because they have no other option.
Most of the time, the ransom is in the range of tens of thousands of dollars. The money is usually wired to offshore accounts that are difficult to trace, as attackers use proxies to hide their location.
Phishing scams and identity impersonation are other threats to K-12 cybersecurity. With this scam, a hacker impersonates someone else via email. Other users receive an email that appears to come from that person, asking them to make a purchase.
Oftentimes, the person being impersonated is someone in authority, so the victim ends up making the purchase. Zearott notes that getting email information is very simple for scammers as most schools have an email directory available online.
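The impersonation pattern described above can be checked mechanically before a message reaches a teacher's inbox. The following is an added example, not part of the original article: it flags mail whose display name matches a staff member while the address does not. The domain, directory entries and keyword list are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed sample data: a hypothetical school domain and staff directory.
SCHOOL_DOMAIN = "school.example"
DIRECTORY = {
    "pat rivera": "privera@school.example",   # principal
    "sam okafor": "sokafor@school.example",   # business manager
}
PURCHASE_WORDS = ("gift card", "purchase", "wire", "invoice")


def normalize(name: str) -> str:
    """Lowercase and collapse whitespace so 'Pat  RIVERA' matches the directory."""
    return " ".join(name.lower().split())


def review_sender(from_header: str, body: str) -> list[str]:
    """Return the list of warning signs found in one message."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    name = normalize(display)
    findings = []
    # An authority figure's name paired with an address that is not theirs.
    if name in DIRECTORY and addr != DIRECTORY[name]:
        findings.append("staff-name-mismatch")
    # Mail that originates outside the school's own domain.
    if addr.rpartition("@")[2] != SCHOOL_DOMAIN:
        findings.append("external-sender")
    # The request to buy something that the scam relies on.
    if any(word in body.lower() for word in PURCHASE_WORDS):
        findings.append("purchase-request")
    return findings


def verdict(findings: list[str]) -> str:
    """Map findings to an action: quarantine, warn (banner the message) or deliver."""
    if "staff-name-mismatch" in findings:
        return "quarantine"
    if {"external-sender", "purchase-request"} <= set(findings):
        return "warn"
    return "deliver"
```

A message sent from a staff mailbox that has itself been taken over passes the name check, so a filter like this supports trained recipients rather than replacing them.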
Many Schools Are Underprepared for a Cyberattack
Experts agree that it is no longer a matter of if a school will face a cyberattack, but when (Belastok, 2022). While schools have come a long way, many educational institutions are still underprepared for a cyberattack. Zearott mentions that the COVID-19 pandemic made schools examine their security protocols, but the technology push came with additional challenges.
As schools became more dependent on the internet for instruction, their cybersecurity initiatives increased, along with their exposure to hackers. As Zearott observes, the only secure network is one that does not exist. The more online exposure schools have because of remote learning, the higher the risk of a cyberattack.
As teachers and students transitioned to remote learning, schools were forced to allow access from outside their own secure network. Remote students learn on home networks that may contain their gaming devices, mobile phones and personal computers. Should any one of those devices become infected, the risk of a cyberattack on a school increases because that device is not protected by the school’s firewall.
After a cyberattack, schools must do what they can to protect information. Most schools have a Disaster Recovery (DR) plan in place, and those that do not are putting themselves at risk for a major cybersecurity breach.
Under most DR plans, servers are copied at several points throughout the day. Should there be an attack, schools can use the backup of their server to recreate the information as it was prior to the attack.
Alert and Educated School Employees Are the Best Protection Against Threats
When asked about mistakes teachers and other school employees make when it comes to cybersecurity, Zearott reports that most people are either not educated in ways to identify cyberthreats or they are too trusting of communications like emails and texts. “Teachers tend to trust the communications they receive when they believe they are from trusted sources, like a school principal,” Zearott says. In general, school employees need to be trained to recognize emails that seem trustworthy but are from malicious sources.
Various Ways to Ensure K-12 Cybersecurity
There are various technological resources to help prevent threats before they happen, including antivirus software and multi-factor authentication (MFA). With MFA, there are three ways to authenticate an individual’s identity.
One way is to have individuals show what they possess, like a cell phone. Another way is for individuals to show what they know, like a password or personal identification number (PIN). Finally, individuals can prove their identity through what they are physically, such as a fingerprint or retinal scan. MFA requires that a user utilize at least two of these methods for accurate identification.
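The "at least two of these methods" rule is about categories, not the number of credentials. The following is an added example, not part of the original article: it checks a password and PIN (what the user knows) and a phone-generated one-time code (what the user possesses, computed per RFC 6238) and accepts a login only when two different categories verify. The account record and its values are constructed.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1), as phone authenticator apps compute it."""
    counter = struct.pack(">Q", max(at, 0) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def stretch(secret: str, salt: bytes) -> bytes:
    """Salted, slow hash so stored passwords and PINs are not kept in the clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


# Constructed account record for a hypothetical staff member.
SALT = b"constructed-salt"
ACCOUNT = {
    "password": stretch("correct horse battery", SALT),
    "pin": stretch("4821", SALT),
    "totp_secret": b"12345678901234567890",      # RFC 6238 test secret
}


def verified_categories(account: dict, presented: dict, now: int) -> set:
    """Return the factor categories (not individual credentials) that verified."""
    ok = set()
    for field in ("password", "pin"):            # both are "what you know"
        if field in presented and hmac.compare_digest(
                stretch(presented[field], SALT), account[field]):
            ok.add("knowledge")
    if "totp" in presented:                      # "what you possess": the phone
        # Accept the adjacent 30-second steps to tolerate clock drift.
        expected = [totp(account["totp_secret"], now + d * 30) for d in (-1, 0, 1)]
        if any(hmac.compare_digest(presented["totp"].encode(), e.encode())
               for e in expected):
            ok.add("possession")
    return ok


def mfa_satisfied(account: dict, presented: dict, now: int) -> bool:
    """Two credentials of the same category count once, so password + PIN fails."""
    return len(verified_categories(account, presented, now)) >= 2
```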
Schools Must Do More about Protecting K-12 Cybersecurity
In the coming years, K-12 cybersecurity will continue to be a problem. While technology will certainly change over time, there will always be bad actors who wish to exploit schools for financial gain.
The key for teachers and administrators is to continually evolve and learn about cybersecurity attacks and defensive measures. While efforts to reduce threats using MFA and other technology will help to reduce attacks, end users continue to be the most important way to ensure K-12 cybersecurity.
Belastok, E. (2022). Our biggest nightmare is here. Cyberattacks are targeting school districts. How can schools respond to keep data and systems secure? Education Next, 22(2), 44-49.
Rahman, N. A. A., Sairi, I. H., Zizi, N. A. M., & Khalid, F. (2020). The importance of cybersecurity education in school. International Journal of Information and Education Technology, 10(5), 378-382.