The State of Education Cybersecurity: 3 Lessons for Protecting the Post-Covid Classroom
By Matthew Delman
November 06, 2021
As Covid variants make the current school year for both K-12 and higher education a continued balance of hybrid and in-person learning, education institutions are staying firmly in the crosshairs of cyber attackers. Just recently, Stonington Public Schools in Connecticut was forced to bring in a wave of third-party breach investigation, mitigation, and response experts, and even seek assistance from the FBI, after it fell victim to a ransomware attack. And before that, an attack on Howard University that compromised its network and rendered WiFi unusable forced the school to cancel all its online and hybrid undergraduate classes.
Indeed, when vulnerable schools fall into the hands of crafty cyberattackers, the fallout is often dismal, not only from a monetary and reputational standpoint but also because of the severe inconvenience caused. This is a concerning reality for teachers, administrators, and IT teams across the country as they seek to protect the post-Covid classroom, where distance learning will undoubtedly remain in some capacity for the foreseeable future.
And while the Biden Administration’s recently signed K-12 Cybersecurity Act is a positive step forward for schools preparing for the future, the state of cybersecurity in education is one with a lot of room for improvement. The reality is that every educational institution is under more pressure than ever before to protect its endpoints against attackers who are becoming harder and harder to detect. Evidence of this is that the number of U.S. educators who say hackers targeted their school or institution is multiplying year over year, with the number of K-12 schools attacked jumping from just 9% in 2020 to 21% in 2021.
Unfortunately, there are warning signs that this is only going to get worse post-pandemic. Here are three lessons to help school districts and universities reverse this, and strengthen their classroom cybersecurity.
School Boards Need to Speak Up on the Cyber Threats Endangering Classrooms
The cybersecurity crisis has dominated headlines almost as long as Covid has. Yet, it seems like school boards have been relatively lax when pulling together a strategy to thwart attack attempts, or even talking to their teachers about the severity of the crisis. According to Morphisec’s 2021 Education Cybersecurity Threat Index, which surveyed 500 U.S. educators to gauge how increasing cyberattacks have impacted them, just 17% of superintendents or chancellors and 15% of school boards have expressed concern about the threat of ransomware to their institution.
This silence is placing students’ and teachers’ data at even greater risk, as school boards’ delay in educating their staff about the escalating consequences of cyberattacks means some educators are probably not aware of how damaging they have become. This silence also leaves their school or institution more susceptible to attack. Cybercriminals will likely have more vulnerabilities to exploit within a district or organization that doesn’t treat cybersecurity with the sense of urgency it deserves.
In the post-Covid classroom, where hybrid learning will be a long-term reality, superintendents, chancellors, and school boards must become more vocal on the cybersecurity issues threatening continuous learning and the safety of their most sensitive data. Failure to do so will undoubtedly have negative consequences, something the laxest districts and institutions shouldn’t wait to find out until after they become victims of a cyber attack.
IT Teams Must Call into Question Their Vendors’ Security Hygiene
This year’s supply chain attacks, like the devastating SolarWinds and Kaseya breaches, will go down in history as among the largest cyber attacks. Such attacks are also becoming increasingly popular because they allow attackers to target hundreds or even thousands of organizations by infiltrating just one. Data from the Identity Theft Resource Center (ITRC) shows that supply chain attacks increased 42% in the first quarter of 2021 and impacted about 7 million people in the U.S. This is why it’s unsurprising that 40% of U.S. educators believe third-party vendors pose the biggest cybersecurity risk to their school or institution, more dangerous, they say, than students (31%), faculty (24%), and parents (5%).
These concerns are certainly substantiated, with a March attack on Austin ISD proving that schools remain vulnerable to their third-party vendors’ security flaws. Austin ISD was breached when one of its technology providers, PCS Revenue Control Systems, was hacked. Even the SolarWinds attack, which prompted a probe from the U.S. Securities and Exchange Commission, affected several colleges and universities, including Kent State University, The University of Texas at San Antonio, and Iowa State University. Meanwhile, Kaseya’s breach disrupted learning and forced 11 schools in New Zealand offline.
With the frequency of these types of attacks likely to increase, alongside the damage they have the potential to inflict, IT teams and education decision-makers need to put more pressure on their third-party vendors to boost their cybersecurity protocols.
Decision-Makers Need to Allocate More Cybersecurity Resources to IT
Schools and education institutions across the country have been trying for too long to fend off attackers with few resources. This reality has disproportionately impacted public schools and state colleges, whose funding sources are far less prominent than those of larger, private institutions. As mentioned earlier, this is something the current Administration is addressing through the K-12 Cybersecurity Act and also within its $1 Trillion Infrastructure Bill, which has set aside money for state and local governments and school districts to protect themselves from worsening threats. Yet the question remains as to whether or not these districts and institutions will leverage this funding. As it turns out, some don’t have the best track record.
According to Morphisec, just 18% of U.S. educators say they’re aware of their educational institution or school inquiring about government grant programs and initiatives designed to assist them with implementing strong cybersecurity standards and protocols. This is despite 44% stating that they believe providing their IT department with more resources would be most valuable to their school to handle cybersecurity. The current cybersecurity landscape is far too dangerous for it not to be a top budget priority. And in truth, investing in an effective security strategy is a lot less costly than falling victim to ransomware, with the average victim spending more than $2 million on remediation costs alone.
However, tackling this crisis is most definitely a collaborative effort between school boards, administrators, educators, and students. They must all educate themselves on the specific threats targeting their counterparts across the country. There must be pressure from parents too, who have demanded little of their children’s educators until now. (Only 18% of K-12 and higher-ed educators say that more parents have inquired about their institutions’ cybersecurity policies over the past year-and-a-half of remote-first learning versus the prior 18 months.) As these learning institutions prepare for the post-Covid classroom, reducing their attack surface within in-person and remote learning environments must be prioritized.