Many say that it is not a matter of if you will be the victim of a cyber incident but when. Given the prevalence of cyberattacks directed at K-12 schools, including in New Jersey, this is not a bad mindset. No matter the size or location of your district, you are a possible target. This news may be alarming, but now is the time to assess your cybersecurity posture.
Like other aspects of district operations, school board members should not be involved in daily operations. However, as a board member, there is an important role to play when it comes to cyber, including in oversight, ensuring there are adequate resources to increase preparedness and asking the right questions. It’s not essential to be a technical or cyber expert to do this. This article provides an overview of current threats facing districts, key considerations and additional resources.
Threats and Trends Schools can be impacted by cyber incidents because they hold sensitive staff and student data, disruptions and downtime could impact instruction and resources are often limited. In addition, schools and public sector entities are generally less prepared and knowledgeable than private sector entities, so they are seen as easy targets by bad actors. There are multiple barriers to information technology security, but the top ones include budget constraints, competing priorities, complexity of the internal environment and a lack of top-level direction and leadership, according to the SolarWinds Public Sector Cybersecurity Survey Report. Most if not all of these can be impacted by a board of education.
The education services sector has seen 1,241 incidents with 282 breaches over the past year, according to the 2022 Verizon Data Breach Investigations Report. As the report notes, 95% of actors were motivated by financial gain, 75% were external to the organization. The two main attack patterns are system intrusions — like those that leverage stolen credentials and malware — and basic web application attacks — like those that target web servers. The number of incidents is likely even higher because they often go unreported or the data is not complete.
Ransomware usually gets the most attention among threats, but it is only one of many types. This is justified because these attacks cost schools and colleges about $3.56 billion in 2021 and over 1,000 schools were affected. Ransomware attacks can result in data being exposed publicly and/or permanently lost, along with financial expenses in potentially paying to retrieve information.
Recent Examples School districts becoming victims of cyber incidents is not new. New Jersey has seen a number of incidents that received media attention, including cyberattacks that occurred around the time of scheduled state testing using ransomware, employee data being disclosed and hacking by students to change grades.
The most prominent recent example involved Los Angeles Unified School District, the country’s second-largest school district, which was hit by a ransomware attack in September 2022. Hackers claimed to have stolen 500 gigabytes of data, which is roughly the size of 250 to 500 full-length movies. This incident caused operations to be disrupted and data to be released publicly, but the district refused to pay the ransom demanded. This was reportedly carried out by the Vice Society, a hacking group that is disproportionately targeting the education sector. In response, the district set up an IT task force and the school board gave the superintendent emergency power to bypass typical public bidding processes required when contracting with vendors or consultants.
Key Considerations There is no single solution to cyberattacks. Preparedness, response and recovery measures should be tailored to a district in consultation with district professionals, including the board attorney, IT specialists and district leadership. These measures should account for district vulnerabilities and capabilities. Seven general considerations are shared below, but there are many more.
- Cyber response plan. A majority of districts have emergency response plans on a variety of threats, from active shooters to fires, but far fewer have a standalone plan or appendix dedicated to cyber incidents. This is a critical first step so districts have a baseline on what to do should a cyber incident occur and to prevent a strategy being developed in real time. Districts do not need to start from scratch as entities like the National Institute of Standards and Technology offer a framework.
- Internal cyber mechanisms. This topic could be its own series, but districts are largely unaware of what systems they have in place or need to protect themselves from cyber threats. For example, multifactor authentication is one consideration and is part of a broader security concept called “zero trust.” The 2022 K-12 Report by the Center for Internet Security found that 81% of schools have not fully implemented MFA, but the use of multifactor authentication alone can block 99.9% of account compromise attacks, according to Microsoft. Similarly, assessing whether your district uses the cloud to store information is important in contrast to keeping data locally on a server.
- District policies and regulations. Board members should see which cybersecurity policies are in place and determine if additional ones are needed, especially when it comes to practices that help reduce the chances of an incident. For example, a policy may be needed on passwords in terms of their requirements and expiration, and for backups to ensure they are regularly performed or done automatically.
- Cyber insurance. This product helps protect districts financially in the event of cyberattacks and data breaches. While there are variations in coverage, it is important for each district to see if they have one as a starting point. If so, the administration should assess the policy to see exactly what is covered and to ensure the coverage is adequate.
- Relationships. Districts should assess what resources are available and establish relationships before an incident occurs. For example, there are numerous federal agencies involved in cyber incidents like the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency. They both have regional offices and having a contact there prior to an incident is helpful. It is also useful to have professionals in mind or even engaged before an incident, including incident response professionals. After all, many districts have internal professionals that are well versed with technology implementation, but that skillset is much different than security and response.
- Exercises. Like all plans, just having one is not enough. Districts should conduct exercises before an incident to practice what will be done, especially since most individuals are far less familiar with cyber. CISA offers free products to help facilitate a tabletop exercise. Another interesting resource is the Army Cyber Institute’s Jack Voltaic Program, which has worked with major cities to carry out exercises across sectors.
- Training. Board members, staff and administrators should all be aware of cyber threats and best practices to minimize risk. After all, many cyber incidents are furthered by an individual unknowingly, like clicking or viewing a nefarious email. Raising awareness of these risks and concerns is an important step. Board members are not immune as 72% reported keeping board documents in unsecured locations, according to the National School Boards Association.
Resources Fortunately, resources exist to aid school districts.
On the financial side, the federal government launched a $1 billion grant program spanning four years to support cybersecurity projects at the local, tribal and state levels. This will not be enough for every district, but it is a start that is worth exploring. The main areas that states want local governments to spend money on are training, risk assessments and security monitoring.
It’s understood that budgets are a huge barrier and that it might come down to buying new textbooks or implementing a cyber solution. While there is a time and place for hiring professionals and purchasing security products, there are also many free or low-cost solutions. However, spending money on cybersecurity should not be shortchanged.
On the implementation and analysis side, many state and federal agencies have resources outside of those already named. For example, the New Jersey Cybersecurity and Communications Integration Cell is a one-stop-shop for cyber threat analysis, incident reporting and information sharing. Their threat landscape data is worth following. In addition, SchoolSafety.gov is a collaboration between multiple federal agencies and offers an array of security resources.
If you have read this as a board member, it is fair to ask your superintendent where your district is with cybersecurity. The best recommendation is creating an environment that prioritizes the threat, being supportive with resources as appropriate and looking at potential policy options. Conversely, if you have read this as a superintendent or administrator, the best recommendation is to take a deep dive into your plans, processes and specific vulnerabilities.
The threat to K-12 schools is not going away. It is imperative that you protect your students and staff while ensuring your district is prepared for learning to continue in the event of a cyber incident. Now is the time to act.