In March 2022, the country’s largest district reported that the personal records of more than 820,000 students had been exposed.
An ed-tech company that helped more than 5,200 school districts track student data had been hacked, jeopardizing the sensitive information of New York City Public School students. In some cases, students' names, birth dates, class schedules, and even behavioral records were in the hands of hackers.
Unfortunately, stories like this are becoming more and more common as schools and districts find themselves at the center of ransomware and malware attacks from all corners of the web. By some estimates, schools see fifty times more attacks than financial institutions. In just one month, more than eighty percent of all cyberattacks targeted public schools within the U.S., according to Microsoft Security Intelligence.
So why are the sweet and innocent educational systems of America the perfect target for hackers? And more importantly, as more and more hackers turn their attention toward vulnerable school districts around the country, what can schools do to protect themselves?
1. Schools have valuable data
Whether it’s stored locally or in the cloud, schools contain a wealth of important data about their constituents: Student, family, and employee data like addresses and dates of birth; alumni and donor contact information and giving history; and sometimes, sensitive information about financial aid and individualized education plans.
In 2020, Toledo Public Schools in Ohio was hit by a distributed denial of service (DDoS) attack, resulting in a major data breach that exposed social security numbers for both students and staff. After hackers published students’ names and information online, a parent reported that someone had attempted to take out a credit card and a car loan in his elementary school-aged son’s name.
While credit card and social security numbers are usually encrypted with secure vendors in the cloud, mundane personal information can still be extremely useful for hackers hoping to impersonate friends or family members as part of a phishing attack to commit fraud.
2. Limited security protections and training
K-12 schools are popular targets for hackers because so many schools have limited security and lack proper employee training programs. IT departments are stretched thin as they work on campus or across multiple schools, keeping networks up and running and figuring out why your printer isn’t responding.
And many schools don’t have significant resources or budgets solely focused on cybersecurity. Others may not even have a single staff member devoted to ensuring data security. Among other eye-opening stats recently compiled in The State of EdTech District Leadership, more than half of the IT professionals (52 percent) said their schools lack adequate staffing to support and protect teachers, and 77 percent of districts reported not having a full-time employee dedicated to network security.
Furthermore, one report claims that only 54 percent of educators are even familiar with the concept of ransomware attacks, supporting the idea that a lack of employee awareness and training may make this problem even worse. Teachers and staff, focused on daily operations, classroom management, and lesson planning, are too quick to respond to phishing attempts, click suspicious links, or access unsecured networks with school tech, making classrooms the perfect feeding ground for hackers.
3. Vulnerable tech and open-source websites
As the pandemic ushered in a new era of classroom technology to enable remote teaching and learning, a tidal wave of new programs, software, and tech devices came with it. Although well-intentioned, students, faculty, and staff increasingly downloaded and accessed third-party extensions and resources off-campus, outside the limits of their school’s IT operating policies. And as folks downloaded apps and software onto school laptops and tablets, they unknowingly created insecure access points for sketchy networks and dangerous malware.
Keeping these devices secure and updated with the latest anti-virus software and operating systems can be challenging for small teams and districts — one report suggests that 72 percent of end-user devices in educational institutes are running outdated operating systems.
As a growing reliance on tech devices and new ventures into e-learning continue, cybercriminals are hitting schools with the same tools and tactics they’ve found to be effective against larger businesses, according to the FBI. Malware that targets Microsoft Windows machines running on school computers sends stolen data back to hackers’ servers to be held for ransom or sold on the web, and last year alone, 67 ransomware attacks affected over 950 schools and colleges, impacting some 950 thousand students and causing an estimated $3.56 billion in downtime.
Most importantly, schools still using open-source solutions such as Drupal and WordPress for their website content management system are leaving themselves vulnerable to bugs that can be used to upload malicious files to an affected website. Without proper oversight and support, open-source sites invite unauthorized access to sensitive information, a favorite target for hackers. WordPress is frequently at the center of those attacks, despite being one of the most popular website builders.
4. School email addresses are like gold for hackers
Email is one of the common targets for hackers looking to deploy phishing attacks at schools. An attacker sends a message hoping to trick a person into revealing sensitive information or to deploy malicious software on the victim's computer or network, and it’s surprising how often it works.
Cybercriminals *love* to go after .edu or .org addresses because they’re often considered more trustworthy than .com emails, especially within school networks. It makes sense: teachers and employees probably wouldn't second-guess an attachment that was seemingly sent from a colleague or, especially, a school administrator.
Current and prospective parents would surely open an email sent from their students’ teachers or an admissions office, especially if it seemed urgent. If hackers had access to these addresses, it would open the door to a slew of issues and potential cases of identity theft.
How can schools protect themselves against cybersecurity threats?
It’s not all doom and gloom — there are some steps schools can take to mitigate risks against these increasingly frequent cyberattacks, and that starts with partnering with a website provider for secure and reliable hosting and award-winning support around the clock.
At the local level, K-12 leaders, school webmasters and IT professionals need to make cybersecurity a priority and create a team to assess if their school or district is doing enough to prevent attacks. Schools need to educate and train employees, parents, and students alike and create an action plan that promotes awareness before an attack is made.
That also includes an investment in cybersecurity technology like antivirus and password encryption software; malware and phishing alert extensions for browsers; and ensuring school devices are kept up to date with the latest operating systems. Prevention is an important first step toward defending against hackers seeking personal data.
As one of the biggest targets for hackers, schools with large amounts of sensitive data and preoccupied employees who lack proper training must modernize and implement internet security policies to protect their community. There’s an opportunity for qualified IT professionals and school leadership to educate staff, create a cybersecurity team, and choose a trusted web provider for secure and reliable hosting to step away from the cybersecurity spotlight and create a more secure data environment.
ABOUT THE AUTHOR
Connor has spent the last decade within the field of marketing and communications, working with independent schools and colleges throughout New England. As Finalsite’s Senior Content Marketing Manager, Connor plans and executes marketing strategies and digital content across the web. A former photojournalist, he has a passion for digital media, storytelling, coffee, and creating content that connects.