Cyberattacks on U.S. schools are on the rise, but basic security measures are relatively simple and inexpensive to take, says a school cybersecurity expert.
Cyber criminals are increasingly targeting schools, according to a Jan. 2022 report from U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
Yet many cyberattacks are relatively simple to guard against, said Charlie Sander, CEO of ManagedMethods, a firm specializing in cybersecurity for K-12 schools.
The main thing is to take the threat seriously and take action on the most obvious vulnerabilities, Sander told The Epoch Times.
Prime Targets
“The hacking community is basically an organized crime organization at a high level, and they’re always looking for the soft underbelly,” Sander said.Phishing, ransomware, denial of service attacks, and video conference disruptions hit at least 45 U.S. school districts that operate 1,981 schools during 2022, according to Emsisoft, a maker of cybersecurity software.
Schools typically devote their few IT resources to organizational and educational needs, making security a lower priority.
“They do the best they can with the funding they have,” said Sander. “But if you look at their priorities, number one is to give the best learning experience they can for the students. If there’s money left over, that’s for cybersecurity.”
Hackers may also target schools for attack because students generally don’t monitor their credit score. That makes them ripe targets for the theft of personal information, which can be used for identity fraud.
“It’s often years later that they find out they’ve been impersonated, and their credit destroyed,” Sander said.
The Los Angeles Unified School District, second-largest in the country, was targeted in September 2022, resulting in the release of personal information on teachers.
Indiana’s Duneland Schools district was the target of a 2021 attack focused on employee data that included birthdates, Social Security numbers, driver’s license numbers, and benefits information.
Cyberattacks can cost a great deal of money, even if the school district refuses to pay a ransom for the return of their information. The cost of inspecting and removing malware from all devices that were potentially affected by the attack can run into the millions.
An attack on Baltimore County Public Schools in 2020 shut down the school system’s website and remote learning programs for several days. Maryland’s Government Accounting Office for Education reported that the event cost taxpayers nearly $10 million in recovery expenses and system upgrades.
Simple First Steps
“The most significant point of vulnerability for schools are the end users,” Sander said. Phishing attacks and the theft of login credentials can allow hackers to enter the computer system under the guise of an actual user, making the trespass much harder to detect.“It’s not so much the students because they are usually further down the privilege ladder and don’t have access to information that teachers and administrators do,” Sander said. “The end users are what it’s all about.”
Closing that door is a matter of implementing simple, inexpensive measures that make it harder for hackers to gain and use login credentials, according to Sander.
Using unique passwords costs nothing and prevents a hacker who may have stolen a user’s login to another application or device from using it to enter the school’s system.
Two-factor identification, which requires the user to verify their identity through a text message or authentication app in addition to entering login credentials, is a low-cost solution that many schools don’t use.
“A lot of schools are talking to each other about how to implement multifactor authentication, so we’re starting to see some real progress there,” Sander said.
Limiting user’s access to data is another inexpensive solution. This involves setting users’ permissions to sensitive data on a need-to-know basis. That reduces the risk by reducing the pool of potential users who could be targeted for attack.
In addition, schools should be monitoring the use of their systems, according to Sander.
“You need to have tools that let you monitor what’s going on inside your systems,” he said. “There are tools that don’t cost a lot of money and allow tech teams to have insight into what’s happening and stop it if needed.”
Sander cited the example of a small school system in Vermont, which had just two IT personnel. When one of the techs noticed a login by a teacher at an unusual time, he checked the geographical location of the login and found that the user was in China.
The tech immediately shut down access to the account, and no data was stolen.
“It was a very small school district and a small tech team, but they were able to stop a hacker from China from getting into their system and wreaking havoc,” Sander said. “That’s the way it’s supposed to work.”
“There’s there’s definitely some meat there. They said step one is to invest in what you see as the most impactful security majors, then build toward a mature plan. Take an inventory of where you are from a security point of view, and where you would like to be. Then make progress toward that goal.”