Meeting 'Invasions' and Rise in Malware Characterize K–12 Cybersecurity in 2020

American schools suffered 408 information security attacks in 2020, according to the public disclosures they made. That was 18% higher than districts experienced in 2019. While denial-of-service attacks were the most reported type of cybersecurity incident (reported in 45% of cases), data breaches and leaks hit more than a third of schools (36%), followed by ransomware (12%) and phishing (2%). The remaining 5% consisted of every other type of incident.

That data was released today in a new report, "The State of K-12 Cybersecurity: 2020 Year in Review," issued by the K-12 Cybersecurity Resource Center and the K12 Security Information Exchange (K12 SIX).

According to Doug Levin, author of the report, the types of security events striking schools through the first quarter of 2020 followed the same pattern set in the previous year. However, the second quarter, when most schools stopped in-person operations and adopted video conferencing tools for classes and school meetings, introduced what Levin referred to as "a new class of school cyber threats that plagued districts almost to the complete exclusion of other incident types." The 67 cyber incidents reported in Q2 were made up primarily of class and meeting "invasions" and student data breaches. Those continued throughout the rest of the year, alongside the return of ransomware, other malware and denial-of-service attacks, which had characterized the previous year.

The K-12 Cyber Incident Map, which Levin maintains, documented 50 cases of ransomware among public schools. Another eight reported malware outbreaks that could have been ransomware but were never named as such by school officials. While the total was less than the count for 2019, the report stated that the ransomware events that happened were more severe, leading the Federal Bureau of Investigation to issue an alert specifically about K-12 schools and co-author an advisory on the topic. As the report noted, not only did criminals try to extort money from the districts but they threatened to begin releasing data in "criminal forums" if payment didn't come by the deadlines set.

Levin stated that while no districts officially admitted to paying "extortion fees" to criminals during 2020, anecdotal evidence suggested otherwise — "in some cases exceeding $1 million per incident." Beyond extortion demands, districts that were hit also faced closure, in some cases for as long as a week, or even longer, while they resurrected their computing systems and data.

The report offered several recommendations for districts, starting with "investing in greater IT security capacity dedicated to the unique needs of schools." Another suggestion: doing a better job of "vetting the security policies and practices of all their vendors at the time of procurement and periodically over the life of a contractual relationship."

Levin also advised districts to be ready to launch disaster recovery and business continuity plans in case their computing systems were brought down, "with a focus on IT systems used in teaching and learning and district operations."

"Calendar year 2020 offered a profound stress test of the resiliency and security of the K-12 educational technology ecosystem," Levin wrote. "The evidence suggests that in rapidly shifting to remote learning school districts not only exposed themselves to greater cybersecurity risks but were also less able to mitigate the impact of the cyber incidents they experienced."

As Levin noted, "While no one can predict whether another global pandemic will close schools to in-person learning, important lessons can and should be drawn from this experience to ensure that if such an event (or something like it) occurs again in the future, districts are better prepared."

The report is openly available on the K12 SIX website. Levin also spoke at the recent THE IT Leadership Summit about the report. An on-demand version of that session is available with registration.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
