Cyberattacks targeting our educational institutions impact all of society. They may force schools to close and parents to take time off work for days or weeks at a time. But more insidiously, they cause further disruption to learning, which has already been severely impacted by the pandemic. That means children fail to achieve their potential, which can impact lifetime earnings and gross domestic product (GDP).
Unfortunately, the surge in cyberattacks we witnessed during the pandemic has not slowed since. As our new To the Point interview with Tanium education architect Doug Thompson reveals, it’s time to make cybersecurity risk management a priority for K-12 leaders.
How bad is it?
As schools have grown increasingly reliant on digital technologies to support class-based and remote learning, their cyberattack surface has also expanded. By one estimate, 89 education sector organizations were hit by ransomware in 2022, impacting nearly 2,000 schools. They ranged from small rural districts to the Los Angeles Unified School District, which is the second largest in the US, with over 1,300 schools and 500,000 students.
Ransomware increasingly means stolen data, with the associated compliance and legal risks that raises, as well as disruption to teaching. A recent Government Accountability Office (GAO) report claims “significant educational impact” has resulted:
“Cyberattacks can cause monetary losses for targeted schools due to the downtime and resources needed to recover from incidents. Officials from state and local entities also reported that the loss of learning following a cyberattack ranged from three days to three weeks, and recovery time ranged from two to nine months.”
What are the challenges?
Witnessing the rapid digitalization of the sector, threat actors targeted K-12 schools opportunistically during Covid-19. But attacks have not slowed, even as the country exits the pandemic. They know understaffed and underfunded schools are still vulnerable. Often attacks are timed to hit the start of the school year when IT staff are distracted by day-to-day jobs like resetting passwords and onboarding staff and students.
As the US Cybersecurity and Infrastructure Security Agency (CISA) explains in a new report, a lack of cyber hygiene is often to blame for breaches. That includes basics like multi-factor authentication (MFA), regular patching and backups, incident response planning, and staff/student cybersecurity training.
Many school districts are stuck in a kind of doom loop of having always done IT a particular way and believing they don’t have the budget or talent to change things up. This kind of vicious cycle is perpetuated by a lack of collaboration via groups CISA recommends, like MS-ISAC and K12 SIX. These organizations can help a great deal by sharing best practices and offering peer support.
Building better security for our kids
Budget is always cited as the number one barrier to better K-12 cybersecurity. The mentality in the sector is usually that funds should be used to support improved learning outcomes rather than plowed into IT. But we must also remember that in an increasingly digital teaching environment, cyberattacks can have a significant impact on learning. In this context, an investment in cyber is an investment in our children’s future.
CISA lists plenty of things that K-12 school districts can be doing to build a more mature cybersecurity plan without breaking the bank, including migrating IT services to more secure cloud versions. It also reminds superintendents and boards that extra funding may be available via the State and Local Cybersecurity Grant Program (SLCGP). But beyond that, where should security spending be focused?
A good start would be those cyber hygiene best practices outlined by CISA. These can go a long way to preventing the majority of attacks, and then providing the capabilities to respond quickly to minimize the impact of a breach if the worst does happen. Consider a platform-based solution that can save money on multiple licenses and eliminate potential coverage gaps.
The Tanium platform is already helping education institutions to:
- Gain visibility into all assets (including servers, laptops and cloud endpoints) in real time, including any issues they’re experiencing.
- Regain control of the endpoint environment by taking action across all assets at speed and scale — anything from patching to configuration changes and killing processes.
- Respond faster through rapid alerting of incoming attacks and the ability to take corrective action across all affected endpoints. This helps to limit the blast radius of an attack and recover quickly.
Ultimately, as CISA argues, “change must come from the top down.” That puts the focus on K-12 leaders to create and reinforce a cybersecurity-first culture. IT personnel can’t be expected to bear the burden alone. It’s time to make cyber a strategic priority and reach out to local and state entities for support. There’s too much at stake to persist with the status quo.