Untrained staff, students remains K-12's biggest cybersecurity threat
When it comes to cybersecurity, Raytown Quality Schools Director of Institutional Technology Melissa Tebbenkamp tells Education Week that staff and students inadvertently sharing information or clicking on links is what puts districts at the greatest of risk of an attack.
Teachers, faculty and students should be coached on how to avoid unintentionally clicking malicious links or files in phishing emails or sharing information about students or staff, including addresses, social security numbers or school records. An unexpected uptick in viewer traffic could also indicate hackers are staking out a district.
Hackers are particularly interested in school records because they can sell for $250 to $350 on the black market. In addition, hackers might also use the district’s system in "resource-utilization" attacks on a third party to throw off their trail.
When it comes to cybersecurity, schools are soft targets — they store a lot of personal identifiable data, but their security often falls short. In other words, many schools are the equivalent of unguarded banks just waiting to be robbed. The data stored at schools can be sold for thousands of dollars, and chances are hackers will be able to find a window left unlocked somewhere in the system.
Last year, 122 cybersecurity incidents were reported in K-12, and EdTech Strategies President Doug Levin feels up to 20 times as many cybersecurity incidents went unreported. More affluent districts are at the highest risk, likely because of their higher likelihood to have a broader range of data stored digitally.
In September 2018, the FBI released a public service announcement warning that schools are at increasing risk of cybersecurity attacks, and Verizon’s 2016 Data Breach Investigations report ranked the education sector sixth overall in the U.S. for the total number of reported “security incidents.”
Ransomware in particular is becoming more popular among hackers looking to target K-12 public schools. Districts in several states have been affected by this practice. In most cases, districts had to pay the hacker a “ransom” to have the malware taken off the computers.
Cybersecurity is an area where K-12 can learn from counterparts in higher ed, where the transition to digital began several years prior, giving the sector a jump on developing best practices and sometimes learning lessons the hard way.
- Education Week The Best Defense Against Cyberattacks, From a District CTO