Combating Cyberattacks Against K-12 Schools
“Just as we expect everyone in a school system to plan and prepare for physical risks, we must now also ensure everyone helps plan and prepare for digital risks in our schools and classrooms.” –– Miguel Cardona, Secretary of Education
Cyberattacks against K-12 schools increasingly put our children at risk. In September 2022, the Los Angeles Unified School District, the second-largest school system in the country, fell victim to a ransomware attack on its IT systems. Hackers locked up files and demanded a ransom payment. Further investigation showed they posted roughly 2000 student assessment records on the dark web, including driver’s license numbers, Social Security numbers, and medical and mental health records.
In a separate incident in March 2023, Minneapolis Public Schools declined to pay a ransom of $1 million, resulting in the online dumping of over 300,000 files. These files contained sensitive information about students’ sexual assaults, mental health crises, child abuse inquiries, and even campus physical security details.
These troubling incidents highlight the importance of enhancing cybersecurity measures in K-12 schools to ensure their students’ and staff’s safety and security.
Cyberattacks Against K-12 Schools on the Rise
Cyberattacks are happening more often to businesses, hospitals, and government agencies. Unfortunately, the education sector isn’t exempt. In this digital age, schools are at risk of more than falling victim to ransomware. They’re also the targets of phishing attacks, data breaches, website and social media account takeovers, Zoom hackings, and more.
During the 2022-2023 academic year, cyberattacks targeted at least eight K-12 school districts. As a result, four schools had to cancel classes or shut down completely. According to a 2022 report, learning time lost after a cyberattack varied from three days to three weeks. Unfortunately, the actual financial cost of these attacks is higher than we think. Schools must pay for incident responders, legal services, forensic analysts, technical controls, network remediation, backup restoration, and more, including higher premiums for cyber insurance.
In 2022, some school districts suffered financial losses ranging from $50,000 to $1 million due to cyberattacks. However, in 2021, Baltimore County Public Schools faced a ransomware attack that resulted in over $8.1 million in recovery costs, serving as a prime example of a costly cyberattack.
It is essential to acknowledge the vulnerability of schools and its associated risks. Nowadays, children are more tech-savvy than ever and have easy access to the internet. This makes it easier for them to learn how to bypass schools’ technical controls like firewalls and proxy servers. Additionally, they are less likely to practice good cyber hygiene, so they may not be cautious regarding their sensitive information or accessing various websites and apps. And it’s not just the students; at K-12 schools, staff are prime targets for hackers due to their greater access to resources. They often lack proper training and awareness regarding cybersecurity best practices, leaving them vulnerable.
As we work to ensure that schools’ physical infrastructure is safe and secure, their digital infrastructures and students’ personal data require the same care and attention. With more schools using technology for remote, hybrid, and in-class learning, and rising concerns over how artificial intelligence (AI) will enable more frequent cyberattacks, cybersecurity in education is a top priority.
Back to School Safely: Cybersecurity Summit for K-12 Schools
Since assuming office, the Biden Administration has focused on improving the country’s cybersecurity. It has dedicated resources to support corporations, small businesses, individuals, and educational institutions to achieve this goal. In July, Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel proposed a pilot program that would provide up to $200 million over three years to bolster cyber defenses in K-12 schools and libraries. This program would collaborate with other federal agencies.
At the first-ever Back to School Safely: Cybersecurity Summit for K-12 Schools, First Lady Jill Biden, Secretary of Education Miguel Cardona, Secretary of Homeland Security Alejandro Mayorkas, educators, school administrators, and education technology (EdTech) providers came together to discuss efforts to strengthen security in K-12 schools.
They announced strategies to enhance K-12 school cybersecurity, including creating a Government Coordinating Council (GCC) to improve collaboration between the government and school districts. The council will organize training activities, suggest policies, and share cybersecurity best practices. In a written statement, Education Secretary Miguel Cardona said, “Just as we expect everyone in a school system to plan and prepare for physical risks, we must now also ensure everyone helps plan and prepare for digital risks in our schools and classrooms.”
The GCC will be crucial in the Department of Education’s plan to safeguard schools and districts from cybersecurity threats. By promoting consistent and active cooperation between the government and education sectors, this initiative will serve as a vital starting point. Additionally, it will aid in preparing for, responding to, and recovering from cyberattacks against K-12 schools.
Government Resources to Enhance School Cybersecurity
During the summit, it was announced that this school year, K-12 schools will receive customized cybersecurity assessments and training from the federal Cybersecurity and Infrastructure Security Agency (CISA). The Federal Bureau of Investigation and the National Guard Bureau will also provide updated resource guides to assist state governments and education officials in reporting cybersecurity incidents and accessing the federal government’s cyber defense capabilities.
The Department of Education and CISA have collaborated to release the K-12 Digital Infrastructure Brief: Defensible & Resilient. This is the second in a series of guidance documents designed to help educational leaders establish and maintain essential digital infrastructure for learning.
CISA has committed to providing customized assessments, conducting exercises, and delivering cybersecurity training to 300 new K-12 entities for the upcoming school year. It intends to complete 12 cyber drills for K-12 students this year. Moreover, the FBI and National Guard Bureau will present updated resource manuals to state administration and education authorities, assisting in reporting cybersecurity incidents and using federal cyber defense resources.
Tech Companies Step up to the Plate
School districts often face a tough challenge in enhancing their digital defenses while managing their limited budgets and resources. Will Knehr, Senior Manager of Information Security and Data Privacy at I-PRO Americas Inc., knows this all too well. He says,
“One of the biggest problems I get from educators is that they know that some of these resources exist, but they don’t have the budget, people, or time to use them. Getting the word out about these free and low-cost resources is important.” –– Will Knehr, Senior Manager of Information Security and Data Privacy at I-PRO Americas Inc. & member of the PASS Advisory Council and Technical Committee
It’s good to know that not only government agencies are working hard to fight against cybersecurity threats. Many technology companies have announced free, low-cost resources to help school districts keep their students and staff safe. These initiatives provide schools with more comprehensive cybersecurity options, regardless of budget limitations.
- Amazon Web Services (AWS) launched a $20 million K-12 cyber grant program to help schools implement cloud-based cybersecurity solutions. They’ll help K-12 IT staff upskill and reskill through the AWS Skill Builder digital learning center at no cost. AWS will also offer no-cost cyber incident response assistance and Well-Architected Framework security reviews to all education technology companies that provide mission-critical applications to the K-12 community.
- Through Project Cybersafe Schools, Cloudflare will offer free Zero Trust cybersecurity solutions to public school districts with fewer than 2,500 students, giving small school districts faster, safer internet browsing and email security to minimize cyber threats.
- Cloud-based K-12 software provider PowerSchool joined the pledge to provide new free and subsidized “security as a service” courses, training, tools, and resources to all U.S. schools and districts.
- Google released an updated “K-12 Cybersecurity Guidebook” for schools on steps that education systems can take to ensure the security of their Google hardware and software applications.
- Learning platform company D2L has committed to collaborating with trusted third parties to provide access to new cybersecurity courses. They will also extend their information security review for their core integration partners and pursue additional third-party validation for D2L compliance with security standards.
In collaboration with government initiatives, these companies’ programs are valuable in safeguarding schools from outside threats by securing their cyber infrastructures.
Protecting Schools’ Digital Infrastructures
Prioritizing the safety of our school communities, including our students and staff, is essential. Collaboration and training are key to achieving this goal. That’s why everyone involved must be well-informed about best practices for using technology, from hiring competent IT staff to educating staff and students about potential cyber threats and how to apply those practices correctly.
Our PASS School Safety and Security Guidelines for K-12 Schools provide a helpful starting point for districts looking to strengthen their cybersecurity and network infrastructure. Here are a few top priorities that every school should integrate into their cybersecurity programs:
- Staff Cybersecurity Training: Equip staff with essential cybersecurity knowledge and best practices to bolster their ability to recognize and address potential threats.
- Regular Data Backups: Safeguard your critical data by routinely backing up core servers and storing these backups off-site. This strategy ensures swift data recovery in the event of an attack.
- Phishing Defense: Given that “phishing” remains the primary vehicle for ransomware attacks, it’s crucial to implement effective filtering, testing, and simulation training to fortify your employees against such threats.
- Multi-Factor Authentication (MFA) and Strong Passwords: Elevate security by enforcing multi-factor authentication or robust password requirements for access to teacher and education networks.
- Mobile Device Management (MDM) or Mobile Application Management (MAM): Manage remote devices and applications through policies, enhancing control over security in the mobile sphere.
- Software Patching and Vulnerability Remediation: Stay on top of software patches and vulnerability fixes to ensure that security equipment software and firmware are up to date, reducing the risk of exploitation.
- Network Monitoring with Security Information and Event Management (SIEM): Implement SIEM systems for early detection and swift response to potential malware threats, strengthening your network’s security posture.
- Pre-Approved Applications for School-Issued Electronic Devices: Guarantee that only authorized applications are installed and used on school-issued electronic devices, maintaining control over the digital environment.
By incorporating these priorities into your cybersecurity strategy, your school can create a more resilient and secure network infrastructure, better protecting against cyber threats.
Learn about best practices for creating safer schools by downloading and reviewing our School Safety and Security Guidelines. Also, download SIA’s Guide to School Security Funding for more information on resources to enhance school security.
About PASS
The Partner Alliance for Safer Schools (PASS) is a nonprofit 501(c)(3) bringing together expertise from the education, public safety, and industry communities to develop and support a coordinated approach to making effective and appropriate decisions with respect to safety and security investments. You can download the complete PASS Guidelines or check out our PASS Safety and Security Checklist for quick start tips. These resources—as well as whitepapers on various topics including barricade devices, lockdown drills, and more—are available at no cost.