When school districts have discussed security measures in recent years, much of the focus has understandably been about fortifying the buildings themselves. Whether the strategies involve a camera system, restricting entry, adding security guards or even installing metal detectors, plans are often centered on an unthinkable threat like what we just saw at Oxford High School in Michigan, where a student shot and killed four classmates.
As school districts navigate the balance between enhanced building security and an open and free school environment, another far-away threat has been growing bigger and coming closer.
School districts across the nation have been targets of cyberattacks, a threat that grew even more prominent during the pandemic as schools relied more on technology for remote learning. The Riverhead Central School District is the latest Long Island school to be targeted, the victim of an attack that officials said left staff data compromised.
Districts across Suffolk County — including Montauk, Sag Harbor, Miller Place, Bay Shore and Port Jefferson — have also been the targets of recent attacks.
Protecting computer infrastructure must become a high priority for school districts — not only to ensure that day-to-day learning continues uninterrupted, but also to protect the vast amount of stored data that could be held for ransom by hackers. It’s a situation in which no district wants to find itself.
In August, the K12 Security Information Exchange, a national nonprofit dedicated to protecting U.S. kindergarten through grade12 districts from cybersecurity threats, released its first series of guidance and best practices resources “designed to establish baseline cybersecurity standards for U.S. school districts, charter schools and private school institutions.”
There are a dozen recommended protective measures that it says every district should implement at a minimum.
“School districts face an enormous challenge right now,” said the organization’s national director, Doug Levin, said in the August announcement. “They have undergone a digital transformation on shoestring budgets.”
Districts can receive the full guidance online at www.k12six.org.
The trove of data stored by school districts can be immense: Social Security numbers and birthdates for students and staff, immunization records, credit card numbers, addresses, test scores, telephone numbers and emails, according to a 2020 research paper entitled “Planning for Cyber Security in Schools: The Human Factor.” The paper outlines ways in which human error can lead to cyberattacks and data breaches and notes that as much as 95% of all cyber incidents are human-enabled.
“The research results show that the greatest security vulnerability is the lack of the awareness of employees. While tools and technology are important, people are the most important element of a cybersecurity strategy,” the paper says.
The paper argues that employees are the first line of defense for a school’s cybersecurity system.
“School leaders cannot expect personnel and students to behave responsibly without providing them with the knowledge and resources to be effective,” the authors wrote.
The threat posed by cybercriminals is ever-evolving as technology rapidly advances. Districts must come up with response plans that continue to evolve as well. And those plans must include not only the IT department, but extend all across the district by educating staff and students about how they might unknowingly grant a hacker access to the network.
In a 2020 Year in Review report, K12 SIX tracked 408 incidents that involved denial-of-service, ransomware attacks and data breaches. It noted an 18% increase in such incidents compared to 2019 and noted that their severity had increased. In some instances, ransom demands rose to over $1 million. That’s serious money.
“Additionally, with the added impact of COVID-19, ransomware incidents causing school closures tripled from the prior year,” the report noted.
The threat became all too real this past week in Riverhead.