School records of children present a valuable target for hackers to steal information.

• Cyber attacks pose a threat to schools, and they must take action to protect themselves.
• Nearly double the number of schools in the U.S. experienced cybersecurity attacks in 2022, with 1,981 schools across 45 districts affected.
• Assessments, grades, health records, attendance history, discipline records, special education records, home communications, and more can be accessed by hackers seeking ransom payouts or identity thieves.

The education community, including students, teachers, parents, staff, and others connected to them, are facing an increasing number of threats to their physical safety, in addition to those that don't result in death but still have a significant impact.

According to Charlie Reisinger, chief information officer of Penn Manor School District and a professor at Millersville University of Pennsylvania, the school's digital doors are frequently targeted by well-funded adversaries from around the world.

Nearly double the number of U.S. schools were affected by cybersecurity attacks in 2022, with 1,981 schools across 45 districts experiencing incidents, according to an Emsisoft report based on publicly available data.

According to Josh Heller, supervisor of information security engineering at Digi International, schools are "definitely not adequately funded to support cyber warfare."

Over two million individual data points are generated by the core student management system of Penn Manor School District, which has a student population of 5,500.

Going after a student’s spotless credit

Identifying information, assessments, assignments, grades, homework, health records, attendance history, discipline records, special education records, home communications, and more can be accessed by cybercriminals seeking ransom payouts or identity thieves targeting a student's credit.

The Pennsylvania School Boards Association's representative, Reisinger, testified to the U.S. Senate in October 2022 about the importance of student data privacy and protection. He emphasized the financial and socio-emotional consequences of a stolen identity, which can have a significant impact on a young person's life.

The high number of individuals and gadgets in a typical modern classroom increases the likelihood of human error.

Absolute Software's vice president of education, Warren Young, stated that these devices are frequently lost, either by teachers or students, when they are taken away or essential security features are removed. "You cannot secure what you cannot see," Young emphasized.

Phishing attacks and the exploitation of known vulnerabilities for ransom are the main concerns, according to Heller. The costs of ransomware are multifold, including lost productivity from downtime, recovery efforts, and paid ransoms. Young stated that the largest cost is the impact on students' learning.

While necessary, every extra phishing simulation, MFA step, and password requirement adds to the learning time, even when networks aren't down.

In the education sector, cybersecurity attackers may have the motive, speed, and velocity to maintain an advantage, but the numerous factors at play do not allow for complacency.

The government's role in securing schools from cyber attacks is crucial, as Heller stated. Federal funding and regulations are the most effective tools for combating cyber attacks. Possibilities include increasing funding through programs such as the Department of Homeland Security's State and Local Cybersecurity Grant Program and regulating through measures like California's Age-Appropriate Design Code Act and cybersecurity awareness campaigns.

Bridging the cyber talent gap with partnerships

Reisinger suggests that schools can tackle the cyber talent gap, caused by low wages compared to big tech, by forming partnerships with local university programs. This could involve internships, knowledge exchanges, apprenticeships, and other practical, skills-based initiatives to create a pipeline of talent for both schools and businesses.

It is essential to encrypt the data on devices and verify its security, as Young stated. He further emphasized, "In the event of a device malfunction, can you securely erase the data to prevent unauthorized access?"

We must ensure that vendors do not leave customers vulnerable, and responsible vendor disclosure through the U.S. Cyber & Infrastructure Security Agency can help put government funding to use. The NIST National Vulnerability database is a valuable resource for information teams, but it is crucial to keep this information stealth for those who need it to protect against nefarious purposes.

Understanding indicators of compromise is crucial for school districts. According to the IBM Data Breach Action Guide 2022, it takes businesses an average of 207 days to identify a breach and another 70 days to contain it. By knowing when a disaster has occurred sooner, schools can resolve the issue with less pain.

Immediately launching a disaster recovery plan with an incident response team will safeguard critical assets and the community they affect.

Heller stated, "Without multi-factor authentication, you're at risk."

Young advises against using SMS confirmation for security purposes as it can be intercepted through Bluetooth, and suggests using physical hardware security tokens instead. However, he acknowledges that in cases where children as young as five and six years old have access to technology, lost technology poses a real threat, and the most secure solution may not always be the most practical one. This presents a challenge for school information security teams.

"Cybersecurity in schools is crucial because cyber attacks are inevitable, and we must find ways to mitigate the risks," Heller stated.

The industry is largely non-competitive, and a combination of communal ideation, layered security, and cyber hygiene can benefit schools that shape our world, according to Young.