Cybersecurity Concerns Escalate in the Education Industry

November 2, 2021
by Rachael Altman

The COVID-19 pandemic has escalated cybersecurity issues within the education industry. The lack of guidelines or policies for managing cybersecurity within schools has caused vulnerabilities and led to increased attacks. This article discusses four cybersecurity concerns and how to combat them, including blended learning (in-person and virtual), phishing attacks, limited resources, and poor password hygiene. 

Cyber threats continue to grow in primary and secondary schools

According to Microsoft’s cybersecurity global threat activity data, the global education industry has experienced 63% of the cyber attacks within the last 30 days. That’s over 5 million of the over 8 million device encounters.

Despite evidence of the increasing frequency and severity of cyber threats in kindergarten to 12th grade (K-12) schools, there are no concrete standards about how to handle cyber threats and what cybersecurity protection students, parents, or teachers can expect from their schools. 

In relation to this, Aaron Montemayor Walker, research principal, cybersecurity, G2, says:

"Schools are often targets for cyberattacks, like many other organizations. But they often lack the resources to properly protect themselves. Despite generally lacking personnel with extensive cybersecurity training, they must still ensure all devices are properly configured and updated and that data is securely stored in compliance.

Schools are in a great position to aid students in cybersecurity training. Security awareness tools can help introduce students to concepts like phishing, malware, and other cyber threats. Schools with computer science programs can also utilize secure code training to help students adopt a security-centric approach to coding and engineering." 

In the United States, the K–12 Cybersecurity Act of 2021, signed into law on October 8, 2021, comes in response to growing data security incidents impacting K–12 schools in recent years, including a dramatic rise in ransomware and other forms of malware. The law authorizes the director of the Cybersecurity and Infrastructure Security Agency (CISA) to conduct, within 120 days, a study of the specific risks impacting K–12 institutions. In the next 60 days, CISA will then develop recommendations for cybersecurity guidelines for K–12 schools, based on the results of the study. And within the following 120 days, it will create an online training toolkit for K–12 schools.

School districts face the challenge of balancing the quick adoption of new technology with protecting the privacy of students and staff. It is essential to fully understand how a tool works and how it protects students’ privacy and adheres to educational privacy laws, such as the Family Educational Rights and Privacy Act (FERPA).

Challenges in K-12 cybersecurity 

While Microsoft has noted over 8 million cyber threat device encounters in the last 30 days, the number of publicly reported cyber incidents is much lower. Since 2016, in the United States alone, there have been 1,180 cyber incidents publicly disclosed by schools and districts, according to data from the K–12 Cybersecurity Resource Center. There were 408 reported attacks in 2020, which is up 18% from 2019, according to the 2020 State of K-12 Cybersecurity Report.

Merry Marwig, CIPP/US, Senior Market Research Analyst at G2, said:

"Like most crimes, cybercrimes are often crimes of opportunity. Hackers often target K-12 schools because schools commonly lack robust cyber security programs and the data that hackers can extract can be extremely valuable on illicit markets. For example, files containing students’ names, addresses, social security numbers, and other personally identifiable information can be sold to unscrupulous buyers who then can use those personal details to set up fraudulent loans. And honestly, most parents aren't monitoring their children's credit reports, so these fraudulent loans can go unnoticed for years."

It is possible that schools and districts don’t necessarily know when there has been an attack so they are unable to report it or take action to mitigate future risks. It is critical to overhaul the approach to K-12 cybersecurity to ensure defense against the evolving threat landscape. 

Here are four cybersecurity challenges, and ideas for what can be done to combat them: 

Blending digital and in-person instruction

The “learn from home” movement in response to the global COVID-19 pandemic brought many changes to the education sector and it’s likely some of these will remain as we continue to evolve. Students and teachers were given laptops, tablets, or other devices to accommodate virtual learning. The shift to digital learning allowed students to stay in school during the pandemic. Moving forward, these hardware devices and tools, such as virtual classroom software, will allow for greater flexibility and access to learning. For example, schools can stay open during inclement weather, or students and teachers don’t have to take off an entire school day for a doctor’s appointment.

This is great progress, but it can also introduce vulnerabilities if cybersecurity is not a prime consideration in digital learning strategies and policies. During the early days of the pandemic, we saw class and meeting invasions through video conferencing hacks, malware, email invasion, and website and social media attacks. To help detect these attacks, school administrators should invest in malware analysis tools or incident response software.

These threats will continue to grow as school districts use devices to expand access to learning. School administrators will need to create best practices and policies for monitoring devices and access to software applications. It is essential to ensure all devices have the latest updates and are scanned for malware before joining the school network.

Phishing attacks 

Phishing is among the most common ransomware attacks. School administrators need to provide security awareness training and education for staff, students, and parents so they can be on the lookout for these schemes. School officials should invest in security awareness training software. These tools deliver simulated attacks or fraudulent emails to help employees better identify malicious content before encountering it in real-life scenarios.

In The State of 2021 K-12 Cybersecurity, Safety & Privacy webinar, Doug Levin, National Director of K12 SIX, shares that from 2016 through 2020, the median amount of money stolen from school districts via phishing campaigns was $2 million. But we reached a new record in 2020, with $9.8 million being stolen from a single school district.

Schools must have a plan for how they would respond, as well as a plan for how to prevent these attacks, such as conducting cybersecurity drills, monitoring suspicious log-ins, evaluating internal data, and promoting cyber security education and training for students, staff, and parents. 

Limited resources 

School cybersecurity incidents saw a massive increase during the shift to remote learning in response to the COVID-19 pandemic. 

In an ideal world, school district staff would have more time and money to devote to creating security policies and practices, the resources and infrastructure to support them in implementing cybersecurity programs, and federal or state cybersecurity guidelines to help them along the way. Without these, cybersecurity is unlikely to be acted upon as a high priority, if at all.

Poor password hygiene 

We have all created those easy-to-remember passwords—favorite song title, favorite food, favorite color, our pet’s name plus some numbers and special characters, and so on. They are easy to remember and can be easily hacked. Students and staff are likely to fall back on these simple passwords when faced with creating credentials for accounts. 

As part of their renewed focus on cybersecurity, schools must be cognizant of this threat and investigate password auditing solutions that can mitigate the risk. For better security, schools can use multi-factor authentication software for account access or utilize identity and access management (IAM) software.

What’s next?

Educators and cybersecurity experts are working together to create standards and guidance. Kindergarten Through Twelfth Grade Security Information Exchange (K12 SIX) is a nonprofit threat intelligence sharing community that helps school districts prevent and respond to cyber threats. K12 SIX offers cybersecurity resilience training to keep school districts running and students learning. Collaboration is the only way to keep pace with cyber threats.

Rachael Altman

Rachael is a research analyst at G2 with a focus on healthcare and education. Prior to joining G2, she has worked as an academic librarian and in research and business development at law firms, accounting firms, and nonprofit organizations. She has a BA and MA in English and Creative Writing and an MS in Library & Information Science. Outside of G2, Rachael is a career coach, yoga and meditation teacher, and jewelry maker.