Meeting 'Invasions' and Rise in Malware Characterize K–12 Cybersecurity in 2020
- By Dian Schaffhauser
suffered 408 information security attacks in 2020, according to the
public disclosures they made. That was 18% higher than districts
experienced in 2019. While denial-of-service attacks were the most
reported type of cybersecurity incident (reported in 45% of cases),
data breaches and leaks hit more than a third of schools (36%),
followed by ransomware (12%) and phishing (2%). The remaining 5%
consisted of every other type of incident.
That data was
released today in a new report, "The
State of K-12 Cybersecurity: 2020 Year in Review,"
issued by the K-12
Cybersecurity Resource Center and the K12
Security Information Exchange (K12 SIX).
According to Doug
Levin, author of the report, the type of security events striking
schools through the first quarter of 2020 followed the same pattern
as set in the previous year. However, the second quarter, when most
schools stopped in-person operations and adopted video conferencing
tools for classes and school meetings, introduced what Levin referred
to as "a new class of school cyber threats that plagued
districts almost the complete exclusion of other incident types."
The 67 cyber incidents reported in Q2 were made up primarily of class
and meeting "invasions" and student data breaches. Those
continued throughout the rest of the year, alongside the addition of
ransomware and other malware and denial-of-service attacks, which had
characterized the previous year.
The K-12 Cyber
Incident Map, which Levin maintains, documented 50 cases of
ransomware among public schools. Another eight reported malware
outbreaks that could have been ransomware but were never named as
such by school officials. While the total was less than the count for
2019, the report stated that the ransomware events that happened were
more severe, leading the Federal Bureau of Investigation to issue an
alert specifically about K-12 schools and co-author an
advisory on the topic. As the report noted, not only
did criminals try to extort money from the districts but they
threatened to begin releasing data in "criminal forums" if
payment didn't come by the deadlines set.
Levin stated that
while no districts officially admitted to paying "extortion
fees" to criminals during 2020, anecdotal evidence suggested
otherwise — "in some cases exceeding $1 million per incident."
Beyond extortion demands, districts that were hit also faced closure,
in some cases for as long as a week, or even longer, while they
resurrected their computing systems and data.
The report offered
several recommendations for districts, starting with "investing
in greater IT security capacity dedicated to the unique needs of
schools." Another suggestion: doing a better job of "vetting
the security policies and practices of all their vendors at the time
of procurement and periodically over the life of a contractual
Levin also advised
districts to be ready to launch disaster recovery and business
continuity plans in case their computing systems were brought down,
"with a focus on IT systems used in teaching and learning and
2020 offered a profound stress test of the resiliency and security of
the K-12 educational technology ecosystem," Levin wrote. "The
evidence suggests that in rapidly shifting to remote learning school
districts not only exposed themselves to greater cybersecurity risks
but were also less able to mitigate the impact of the cyber incidents
As Levin noted,
"While no one can predict whether another global pandemic will
close schools to in-person learning, important lessons can and should
be drawn from this experience to ensure that if such an event (or
something like it) occurs again in the future, districts are better
The report is openly
the K12 SIX website. Levin also spoke at the recent
THE IT Leadership Summit about the report. An on-demand version of
that session is
available with registration.
Dian Schaffhauser is a senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning. She can be reached at [email protected] or on Twitter @schaffhauser.