Dive Brief:
- A recent report from the K-12 Cybersecurity Resource Center finds 2020 was a "record-breaking" year for cyberattacks against U.S. schools, with 408 publicized incidents marking an 18% increase over 2019.
- Data breaches and leaks (36%) and ransomware (12%) accounted for close to half of specified K-12 cyber incidents, while another 45% fell into an "other" category encompassing unattributed malware, digital class and meeting invasions, website and social media defacement, and a host of other "related and/or low-frequency incidents."
- With cybersecurity a top concern for K-12 chief technology officers, the Consortium for School Networking and other education policy organizations earlier this year petitioned the Federal Communications Commission to allow for greater coverage of those services under its E-rate program. The groups estimated an annual cost of $2.4 billion for next-gen firewalls and other advanced security features in K-12, Governing reports.
Dive Insight:
For many years now, districts' technology adoption and the increasingly digital nature of classrooms have outpaced what budgets allow for hiring cybersecurity personnel and procuring the resources needed for adequate protection. As a result, K-12 has become a prime target for hackers, in part also because of the amount of high-value data available.
Along with the numbers from last year, the K-12 Cybersecurity Resource Center's data also showed as of December that there had been around 1,110 publicly reported K-12 cybersecurity incidents since 2016. Ransomware has been particularly popular due to the likelihood districts will pay the associated ransoms to have access to student and personnel data restored quickly.
Experts warned last June that despite a perceived downward trend in attacks since the pandemic began, there could be lulls in public reporting, or incidents could have occurred and not yet been discovered. They also cautioned that devices might not be as well protected beyond school networks and could be compromised during home use, with malware "waiting" to activate once the devices are reconnected to school networks.
The FBI also issued a warning last summer regarding remote desktop risks in K-12. Attention to the matter also grew, with nearly 100 pieces of legislation introduced last year. Early on in the pandemic, reports of "Zoom bombings," or intrusions into virtual classrooms and meetings in which a perpetrator disrupted proceedings with hate speech or obscene imagery or behavior, also brought K-12 cybersecurity concerns into the broader public spotlight.
Aside from adopting more robust cybersecurity resources, additional steps districts can take to mitigate risks include:
- Maintaining a cybersecurity insurance policy.
- Regularly auditing cybersecurity preparedness.
- Regularly changing and strengthening passwords.
- Using two-factor authentication.
- Routinely backing up systems and keeping the backups offline, or "immutable."
- Evaluating tech inventory to eliminate unneeded internet-facing systems or servers.
- Regularly installing security updates and software patches.