How to Prepare Your School for a Cyberattack with Limited Resources
- By Kristal Kuykendall
With cyberattacks against K–12 schools across the United States making headlines every week, it isn’t exactly “news” that since the pandemic forced remote and digital learning to the forefront, schools are now a primary target for threat actors.
What’s perhaps surprising is how many attacks are targeting schools every hour of every day: In the last 30 days alone, for example, Microsoft has detected over 3.5 million malicious “encounters” by its devices within education organizations in the United States, according to its Global Threat Activity website.
Ransomware is increasingly targeting K–12 schools, and although many district IT budgets are growing — a Consortium for School Networking survey of K–12 IT professionals found that 56% of respondents had bigger budgets for the 2021-22 school year — cybersecurity remains the “biggest unmet technology need” by a large margin, CoSN said.
The Multi-Million-Dollar Risk Factor
The need for consistent protection and preparation is more urgent than ever, with even Congress and the White House weighing in last fall with the K–12 Cybersecurity Act of 2021 that instructed the federal Cybersecurity Infrastructure and Security Agency to assess risk factors at the K–12 level by this spring, then produce recommendations for schools and, eventually, a “toolkit” for districts to shore up their security practices.
Meanwhile, IT and cybersecurity organizations serving public schools are offering numerous guides and assessment tools — many of them free — to K–12 districts ready to tighten network security sooner than later.
Mike Woodward, cyber threat intelligence analyst at the nonprofit Center for Internet Security, said ransomware attacks against public K–12 schools in the U.S. are “continuously reported” to his organization’s Multi-State Information Sharing & Analysis Center, or MS-ISAC. Last year, 51 districts reported disruptions from ransomware attacks, he said, and every ransomware incident costs the impacted district millions of dollars.
In fact, the total district cost for recovering from a ransomware attack averaged $2.7 million in 2020, the highest across all sectors, according to a Sophos survey of 499 education IT professionals conducted in early 2021.
To make matters worse, ransomware is becoming more sophisticated, said Woodward at CIS.
“There are certain ransomware variants that appear to specifically target K-12 school districts,” he told THE Journal last week. “For example, the Grief ransomware variant was identified in six ransomware attacks against public K-12 school districts. Many ransomware attacks begin with a threat actor exploiting an internet-facing service or vulnerability (e.g. RDP/VPN, vulnerable server) or through a phishing email containing first stage malware.”
Schools Don’t Need to Reinvent the Cybersecurity Wheel
The K–12 IT environment can be overwhelming and short on resources even without a pandemic-driven burst in remote learning and the notable spike in cyber threats targeting schools, noted the CoSN survey of school IT managers.
“In a situation where even well-funded corporations in the private sector struggle to address cybersecurity issues, poorly funded districts are at a disadvantage,” the report summary states. “One respondent called the need for more cybersecurity funding as ‘desperate.’ Another respondent’s comment addressed the inequities inherent in funding cybersecurity at the local level: ‘Cybersecurity needs to be provided as a minimum blanket coverage for schools. Minimum coverage should be considered at a state level so all districts start with an equitable security standard.’”
CoSN’s chief cybersecurity advisor, Amy McLaughlin, helps school districts identify and deploy the security elements they need to secure their infrastructure and school networks as much as possible with limited resources.
“In the world of cybersecurity, there really isn’t any reason to reinvent the wheel; there are some very good frameworks available to districts that make best IT security practices easy to follow,” McLaughlin told THE Journal last week.
A few of those are publicly funded and free, such as the National Institute of Standards in Technology 800-53 Risk Management Framework, but “at 700-plus pages of detail, it can be overwhelming,” she said.
For that reason, McLaughlin said she frequently recommends district IT professionals and administrators to start with the Center for Internet Security’s Top 18 Critical Security Controls guide as the best place to start a check-up or upgrade to network protections. The Top 18 is easier to digest and easier to explain to district decision-makers, who absolutely must be invested in cybersecurity efforts, she emphasized.
“I recommend that schools focus on the first five to seven items on this Top 18 list,” McLaughlin said. “The first five or six will take you a very long way in securing your organization’s networks.”
Those initial steps start with completing a full inventory of hardware, software, and cloud services. “You can’t protect what you don’t know you have,” McLaughlin said. “Knowing what you have, where it, and what it’s connected to is a vital part of any cybersecurity plan.”
Next on the CIS list is “implementing really good controls on data protection — again, knowing what you have and where it’s stored,” she said. “If you store student Social Security numbers, for example, and personnel data and bank account numbers … knowing where that data is stored helps you prioritize where you should focus your resources and in what order.”
These basic steps lead to the most important challenge: how to best secure the data and the assets, which starts with controlling who has access to it.
Begin With Access Control
“Access control starts with basics such as multi-factor authentication — not just usernames and strong passwords,” McLaughlin said. Noting that some efforts to require MFA at schools has resulted in pushback from teacher groups, she tells school IT professionals that “adding MFA is all in how you start.”
Cybersecurity experts at K12 Security Information Exchange, or K12SIX, also advise that enacting MFA requirements should be the first step to protecting networks at school districts; K–12 schools are the sole focus for the nonprofit, which is based in the Washington, D.C. metro area.
K12SIX also offers free guides for school IT professionals and decision-makers to follow as they assess their district cybersecurity risks and decide how to reduce those risks. Those guides — including an easy-to-digest, three-page K12SIX Essential Cybersecurity Protections explainer, ideal for sharing with board members and district leaders — are available for download at the K12SIX website along with a free self-assessment tool for school districts.
“Studies from Microsoft and Google show that enabling MFA immediately stops 90% or more of specific intrusions,” K12SIX Regional Director Eric Lankford told THE Journal recently. “MFA is the No. 1 thing schools should implement to reduce their risk of cyberattacks. Implementation should start at the top, for all IT staff, directors, board members, and administrators.”
McLaughlin agreed, adding that IT staff and district personnel with purchasing power should be the first groups required to use MFA to access school networks. “This demonstrates model behavior and quickly reduces risk because those people are more likely to be targeted by cyberattacks,” she said.
Before requiring teachers to use MFA, McLaughlin advises talking to teacher unions first. “IT people I’ve worked with who started conversations with unions early on in this process of enacting MFA requirements have been very successful,” she said. “Everyone wants to get paid and get paid on time, and they want their paycheck to go to their actual bank account. Bad things can happen (much more easily) without MFA as a base-level protection.”
Lankford said one of the K12SIX member schools he worked with on enacting MFA requirements had “10 or 15 different unions” representing district personnel. “The IT leaders had those conversations with all the unions early on and invited them to be part of the process, making sure they understood how important MFA is in their cybersecurity efforts,” he explained. “In the corporate world, they say ‘this is what you will do, and if you don’t like it, too bad.’ But you can’t do that in schools. Unions have to be part of the conversation and decisions.”
For districts facing pushback from those who do not wish to use their personal cellphones to receive MFA text messages, there are “many other options” now, McLaughlin said, including MFA apps (desktop and mobile), MFA keychain fobs that generate authentication codes, hardware-based passwordless authentication, and public/private security keys, explained more fully in this Microsoft-sponsored whitepaper on new ways to authenticate.
Another major part of access control is restricting administrative access on machines, Lankford said.
“There are tons of organizations and schools where everybody has administrative rights to every machine,” and that’s dangerous, he said. “There is no reason for anyone except IT administrators to have administrative rights on a machine. Most staff and even front office don’t need computer administrative permissions. It is not the same kind of ‘administration’ … even IT staff don’t need to be logged in as an admin if they are not working on network security and maintenance functions.”
It’s an Everybody Issue
Convincing district administrators to lead by example in practicing “good cyber hygiene” — starting with restricted computer permissions and MFA requirements — is part of the core challenge for all IT staff, Lankford said.
“A large portion of K–12 still looks at cybersecurity as an IT issue, but that’s wrong. It’s an everybody issue,” he said. “School leaders just do not understand that it’s everyone’s responsibility. When we created our Essential Cybersecurity Protections guide, I said ‘we have got to have a single page for district administrators, superintendents, CFOs, board members and the like that they can look at and understand these items and requirements.’ Leadership has to start taking a bigger role in trying to understand cybersecurity and why it’s important.”
Federal cybersecurity officials have also been emphasizing this, and the National Institute of Standards and Technology published an entire guide entitled “Cybersecurity is Everyone’s Job” with sections for every department of an organization listing specific steps they should take to protect their workplace, based on the type of work they perform.
“Contrary to the common misunderstanding that cyber threats are a technology problem looking for a technology solution,” the report says, “the data clearly and consistently shows that employees are the greatest vulnerability of any organization. This means that no matter how robust the technology is, or how many cybersecurity policies … have been introduced, the organization cannot be secure without all individuals doing their part, across all business functions, technical and non-technical.”
McLaughlin recommends that “cybersafety” become the basis for ongoing awareness and training campaigns, adding that the term “cybersafety” seems more accessible and less daunting than “cybersecurity,” to people who don’t work in IT.
“Give district staff the information they need to help protect themselves, and do it in small bites,” she advised. “It doesn’t just have to be focused solely on work systems habits; it can also include personal IT security habits. Having a strategy for how you communicate to staff, teachers, parents, and students on cybersafety is key — for example, maybe you have a cybersafety tip of the week, or tip of the month.”
Consistency and repetition in any cybersecurity communication strategy is important, McLaughlin said, “because otherwise, people don’t pay attention. You have to build cybersafety as a habitual consideration into people’s thought processes; cybersafety tips are not things people hear once and then they remember to do consistently.”
Lankford said he preaches to schools that “communication and training is just as important in cybersecurity as it is in every other area of operations.”
“Cybersecurity needs to become part of the culture, part of everyone’s thought processes. Nowadays it’s hard to find any device at a school that is not connected to the internet. It reminds me of the Domino’s Pizza CEO saying, ‘We are a technology company that makes pizza.’ Everyone is a tech company now, if our devices are connected to anything, and we all have to realize this.”