Cyber incidents against K-12 schools expected to rise by 86%

The number of cybersecurity incidents aimed at K-12 school systems could jump by 86% in the coming academic year, the nonprofit Center for Internet Security told EdScoop on Thursday.

The organization, which operates the Multi-State Information Sharing and Analysis Center, a threat intelligence and cybersecurity advisory operation serving state and local governments, expects that increase based on a rising trend of alerts it’s been getting from its members in the academic sector. The projection includes an array of cyberthreats, including phishing schemes that can lead to ransomware, data theft and other criminal activity.

“We continue to see schools be a target of cybercriminals,” said Josh Moulin, CIS’s senior vice president and deputy director of operations and security services. “One reason that is is schools have been a target for criminals to go after and get their ransoms paid.”

Last year was a particularly nasty one for schools facing ransomware, with numerous districts nationwide canceling class days — both in-person and virtual — as criminal actors tied up networks and attempted to extort officials by threatening to leak students’ and teachers’ personal information. Overall, the number of publicly disclosed cyberattacks against K-12 schools last year jumped 18%, according to the K-12 Cybersecurity Resource Center.

The start of a new school year may also bring more cybercriminal activity. As students settled in for an uncertain pandemic year last August and September, ransomware attacks against K-12 districts accounted for 57% of all incidents reported to the MS-ISAC. Numerous industry studies have attributed some of that growth to the fact that widespread remote learning made school systems much more dependent on technology and greatly expanded the number of vulnerable endpoints on their networks.

Yet even with most schools returning to in-person learning, Moulin, a former chief information officer and chief information security officer at the National Nuclear Security Administration, the risks associated with virtual learning are likely to remain.

“School districts for the most part are going back to in-person,” he said. “But we believe hybrid learning is here to stay. As long as those systems are functional and part of the larger IT infrastructure, they need to be protected.”

Quick decisions

Despite the grim outlook for cyberattacks against schools, Moulin said CIS has made headway in helping more school districts defend themselves. The MS-ISAC offers a suite of security services — nearly all of them free — to its members, including reports on indicators of compromise and a malicious domain blocking service. Since the latter service was launched last year, the MS-ISAC has blocked more than 274 million potential threats to K-12 schools, according to CIS.

The Center for Internet Security has also been getting more aggressive in getting schools to join the MS-ISAC, with K-12 districts now accounting for more than one-quarter of its roughly 11,000 members. Moulin said much of that growth came from outreach to associations of superintendents and other school officials, especially as the COVID-19 pandemic kicked up.

“Schools across the country really have gone through heroics to get kids learning through home, almost overnight,” he said. “That introduced new risks and new ways for attackers to exploit those.”

The pandemic, he continued, forced schools to make quick decisions about technology that ordinarily would go through more scrutiny and planning.

“In the best of circumstances, those would’ve gone through a governance committee with controls implemented,” he said. “No one had time. Now what we are focused are in going back through those decisions.”

With thousands of K-12 districts — many of them small and lacking mature internal cybersecurity resources — having joined the MS-ISAC, Moulin said the organization is promoting a “back-to-school checklist.” That list includes implementation of CIS’s 18 cybersecurity controls, with an added focus on the first five controls, which focus on IT asset inventory, data protections, secure configurations and account management.

The MS-ISAC has also formed a dedicated K-12 working group that includes the revival of a mentorship program that CIS dropped a few years ago.

“We see smaller school districts that have perhaps an IT person, but that person doesn’t have cyber experience,” he said. “We had so many requests to bring it back, we just brought it back this year.”