Dive Brief:

• As a high school student, Bill Demirkapi hacked into his Massachusetts school district’s communications systems, accessing millions of student records, including grades, immunization records and lunch orders, according to a recent episode of the EdSurge On Air podcast.
• The systems, Blackboard and Follet, are widely used in schools across the country. The student reported the security deficits to both companies, which downplayed the incidents. The story serves as a lesson for district leaders on prioritizing security when considering vendors.
• K-12 cybersecurity researcher Doug Levin tells EdSurge there have been nearly 600 incidents in public schools since 2016 ⁠— and likely many more that aren’t publicly reported.

Dive Insight:

Research ⁠— and experience ⁠—has shown schools are notoriously easy targets for hackers because they are a goldmine of data that does well on the black market. Already this school year, there has been a spike in ransomware attacks in the K-12 sector,  which is ranked last in cybersecurity when compared with other industries, according to District Administration. 

On the heels of multiple school cyberattack incidents in Louisiana, just last week, the Flagstaff Unified School District in Arizona closed schools for two days after a hacker installed ransomware on district computers and demanded payment in Bitcoin. 

Steven Miller, director of Cyber Security for the Digital District, a project under the Consortium for School Networking, said in an article by AASA, The School Superintendents Association that one reason for schools’ vulnerability is that most districts tend not to invest in specialized IT staff. But if that keeps up, they’re soon going to find themselves without functioning systems.

“Most superintendents probably wish someone else would deal with the whole subject,” he said. “The best superintendents understand that technology is now just one more thing on their plate, that they need to pull together a leadership team that can deal with it.”

“Do the studies. Hire the staff. Make security a priority,” he continued.

Experts also warn against putting too much trust in third-party vendors, which have a mixed track record of security and do not always sufficiently protect school data. To keep them accountable, Levin recommends on his website, The K-12 Cybersecurity Resource Center, that school districts set minimum standards for vendor security practices, hold vendors publicly accountable to taxpayers for lax security practices and data breaches through regular audits, for example, and assign legal liability for not meeting security standards.

But ultimately, it’s up to school leaders to turn things around. "The hard truth is that we won’t see fewer data breaches, fewer successful phishing attacks, and fewer ransomware incidents in schools until superintendents and school board members jointly embrace their cybersecurity governance responsibilities,” he said.