Your school's website isn’t just a source of information for families; it’s a platform that, if not secured, could find itself at the front lines of an escalating cyber battleground.
With a wealth of personal information, emails, donor records, and sensitive data within their systems, schools are facing more cybersecurity risks than ever. According to a recent report, in 2022, nearly two thousand schools fell victim to ransomware attacks — a noticeable increase from the prior year. Today, it’s reached a tipping point that requires a collective approach for schools to stand a chance.
No one can do it alone, but with a coordinated effort between federal and state governments and schools themselves, everyone can play an active role in ensuring schools become safer digital spaces.
Recent Federal Response to Cyber Threats in Education
The federal government understands the weight of these threats and has proactively addressed rising concerns. The White House Administration and the Education and Homeland Security departments recently announced they would establish support to protect personal information and students' sensitive data.
The proposed program would provide up to $200 million over three years to increase cyber defenses at schools in collaboration with federal agencies and include resources like:
- The creation of a council to provide information about preparing for, responding to, and recovering from cyberattacks.
- Guidance for K-12 leaders to help mitigate threats and provide cybersecurity training.
- Guidance from the FBI on how schools can report cyber incidents and receive support from federal programs.
- Cybersecurity training for 300 K-12 systems next school year.
As U.S. Education Secretary Miguel Cardona pointed out, planning for digital risks isn't a luxury; it's a necessity — and the stats back this up. Between 2018 and 2021, ransomware attacks disrupted the learning of over 1.6 million students nationwide.
States Stepping Up to the Challenge
While the federal government sets broad guidelines, individual states can offer specialized help. Take Minnesota, for instance. They've set up a one-time funding grant of more than $24 million dedicated to cybersecurity.
That funding follows attacks this year in which both the Minneapolis Public Schools and the Minnesota Department of Education were targeted by a ransomware gang. But they weren’t alone: at least eight districts lost sensitive student data to major attacks in the 2022-23 school year, with four districts having to temporarily close or cancel classes.
Direct funding alone won’t help, but states are slowly starting to fight back. In 2022, 18 states enacted 37 new cybersecurity laws to address these challenges head-on, offering schools software tools to combat threats like distributed denial of service (DDoS) attacks. They're also setting up new requirements, such as the mandatory reporting of cyberattacks to ensure transparency and coordinated response.
Are open-source platforms for schools safe?
Many of these federal and state efforts are in response to the ongoing vulnerabilities posed by open-source solutions, such as Drupal or WordPress, one of the world’s most popular website providers. And while these platforms offer some versatility, they're more vulnerable to security threats and ransomware.
Ninja Forms, a popular form-building WordPress plugin, was recently found to have three flaws that could allow attackers to steal the data of hundreds of thousands of users.
If you're using this plugin or a similar open-source solution as your school’s content management system, this isn't just a trivial tech issue; it’s a real-world threat that can jeopardize the safety of your school's information.
Let’s not forget the most crucial player in this framework: your school. IT professionals, staff, and families need to be in sync with the latest challenges and solutions. Your school's marketing and communication teams play a vital role, too: they're the voice that spreads awareness, ensuring that employees, students, and even parents know the digital do's and don'ts.
How can schools prevent ransomware attacks?
Schools are just as susceptible to ransomware attacks as any other institution, if not more so. When a ransomware attack hit the Los Angeles Unified School District, the superintendent of the country’s second-largest school system said it had “above average” defenses, including trained staff, assurances about the safety of its student data, and the tools to help prevent vulnerabilities.
While it's essential to recognize that no system can ever be 100% secure, the good news is that your school can take a series of measures to reduce the risk of a ransomware attack. Below are some key steps to support cybersecurity in your school:
Education and Awareness
- The first line of defense against any cyber threat is user awareness, so training staff and students about the dangers of phishing emails, suspicious links, and unfamiliar attachments is critical.
- Regularly update your community on new types of threats and scams.
- Emphasize the importance of using strong passwords and of not clicking on suspicious attachments or downloading files from unknown sources.
- Use email filtering solutions to block potential phishing emails or malicious attachments.
- Ensure all your school's systems and software, including operating systems, are regularly updated. Cybercriminals often exploit known vulnerabilities in outdated software.
Use a Secure Content Management System (CMS)
- Use a secure CMS for your school and ensure your CMS provider prioritizes security and frequently updates its system to patch vulnerabilities.
Avoid Open-source Solutions
- Open-source solutions may pose potential security risks if not maintained and monitored properly.
- Some open-source platforms might be targeted more frequently because of their wide usage, especially if admins don't update them regularly.
- If using open-source, ensure you have experts who can vet plug-ins and apply security patches promptly.
Limit User Access
- Not every employee needs access to all information. Only provide admin access to the website for those who actually need it for updates or contributing content.
Develop an Incident Response Plan
- Have a clear plan in place for how to respond if the worst happens, including steps for isolating infected software, notifying affected parties, and recovering from backups. Early detection can help identify and counter a ransomware attack in its initial stages.
- Conduct regular security audits to help identify and fix potential weak points before they can be exploited.
- Continuously monitor the school's network for any unusual activity.
- Cyber threats are evolving continuously. Stay updated on the latest cybersecurity trends, threats, and best practices.
- Remember, while these measures significantly reduce the risk, no system is completely invulnerable. The goal is to make it as difficult as possible for attackers and to be prepared to respond quickly and effectively if an attack occurs.
Every update, every training session, and every new security measure counts. It's not just about protecting data; it's about ensuring that your students' and families' data remains safe, and a united front is the best approach. The federal government, states, and individual schools must work hand-in-hand, and with the right knowledge and proactive steps, you can ensure that your school stays as protected as it can against cyber threats.
ABOUT THE AUTHOR
Connor has spent the last decade within the field of marketing and communications, working with independent schools and colleges throughout New England. As Finalsite’s Senior Content Marketing Manager, Connor plans and executes marketing strategies and digital content across the web. A former photojournalist, he has a passion for digital media, storytelling, coffee, and creating content that connects.