Schools across the country struggle to prioritize cybersecurity, as budget constraints hinder action. At the root of the problem lies a mismatch between finite resources, the demands of today’s threat landscape and the primary goal of educating children.
The Los Angeles Unified School District is the most recent and high-profile example of the threat schools face from ransomware. The Sept. 3 attack prompted the district to initiate a systemwide reset of more than 600,000 passwords and a ransom demand remains outstanding.
Education institutions, especially K-12 schools, have been a frequent target of ransomware attacks due to the sensitive student data they hold, federal authorities said in a joint Cybersecurity Advisory after LAUSD was hit.
The attack surface is broad, spanning 14,000 school districts nationwide. At least 26 school districts, representing a combined 1,727 schools have been hit with ransomware this year, and 14 of the districts had data stolen, according to Brett Callow, threat analyst at Emsisoft.
While that’s fewer school districts than were hit last year, “the number of incidents remains unacceptably high,” Callow said.
The need for more robust and effective cybersecurity in schools remains unmet at many levels.
“School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable," the FBI and CISA wrote in the advisory. "However, the opportunistic targeting often seen with cybercriminals can still put school districts with robust cybersecurity programs at risk.”
Many schools lack the staff, proper tools and support security teams need to create a strong cybersecurity structure, Rick McElroy, principal cybersecurity strategist at VMware Carbon Black, said via email.
The capabilities that schools need are no different than those needed by organizations confronting ransomware at large.
Multifactor authentication, backup and recovery, and endpoint detection and response were consistently mentioned by CISOs and cybersecurity professionals as must-haves for schools.
A prevention layer is the minimum standard, but tools and strategies that aid an effective detection and response can help schools mitigate and contain cyberattacks before they become a bigger problem, said Tony Velleca, founder and CEO at CyberProof and CISO at parent company UST.
Schools also contend with risk born of constant user shifts in the student population. This puts schools in an unusual and unenviable position, Kayne McGladrey, field CISO at Hyperproof, said via email.
“Being able to apply real-time policies based on user and device behavior via zero-trust networking becomes critical in this environment,” McGladrey said.
Absent these tools, strategies and adequate staff, schools will remain a frequent target for cybercriminals. They could also, at the very least, give schools the confidence needed to refuse ransom demands.