Education at all levels has not been spared from the rise in data breaches. And recent headlines in the K-12 segment (including K-12 edtech) indicate this problem is only getting worse — and more sophisticated:
“It is a bit of a cat-and-mouse game, meaning that as people learn how to protect themselves from attacks, the [bad] actors change their tactics and get more sophisticated.”
— Doug Levin, National Director of the K12 Security Information Exchange
Since cyber attacks range in scope, magnitude, and method of attack, the best way to defend your school against cybercrime is to have a strong defense: having strong cybersecurity infrastructure in place to start with.
In today’s blog, we’ll cover the types of attacks cyber criminals use, why they target K-12 education, and cybersecurity tips for schools.
Because education institutions range in size and type, the reasons a cyber criminal may target a specific school or district can vary.
For example, a data breach against a private school may be in pursuit of financial data, while an attack against a public district may be after student data.
You should evaluate your risk and understand what’s at stake if someone with unauthorized access gets into your systems.
Motives vary. And so do the methods of attack. Below, we’ve outlined the two most common types of cyber attack.
You may be familiar with the most common type of social engineering: phishing. Phishing scams happen whereby someone tries to get you to hand over access or information (such as login credentials) by deception.
While you may think you’re too savvy to fall for a phishing scam, some can be very convincing.
Worse, if you receive a phishing email or text at a coincidental time (for example, if you’re expecting to hear from a coworker about something and you get a phishing email in that timeframe), you may not even think twice that it could be a phishing attempt.
To see this type of coincidence in action, watch the below video from renowned cybersecurity expert Jim Browning and how a hacker convinced him to delete his massively popular cybersecurity channel:
From the description:
“It wasn’t exactly my finest hour, but it does go to prove that anyone can be scammed if the circumstances are exactly right.”
Distributed Denial of Service (DDoS) attacks are common against all types of school in K-12 since even amateur hackers can execute these attacks on poorly protected networks.
DDoS attacks happen when an attacker floods a server with traffic, which prevents legitimate users from accessing the sites and services associated with the attacked server.
Data theft is of concern to all types of education institutions because all schools must store and manage heaps of personal data for students, their families, and staff.
Names, addresses, contact information, financial information, social security numbers — and much more — are all attractive to cyber criminals, especially those looking to conduct a ransomware attack (another type of social engineering attack). They can either sell this information to a third party, or they can hold this data (or your systems) ransom for money.
Data theft attacks are particularly concerning because they can remain undetected for a long stretch of time.
Unfortunately, something as simple as a phishing scam to a well-meaning authorized user can give access to an unauthorized party. This highlights the importance of giving regular training and cybersecurity exercises to all employees in a school.
While more of a risk for private schools and higher education, cyber attacks for financial gain are another motive.
Schools that take payments (whether that’s for tuition or fees) through online portals make an attractive target — especially if the school is handling large sums of money and multiple transactions.
The effects of a cyber attack on a K-12 school can be devastating and long lasting. In the wake of a data breach, schools and districts may have to contend with a number of consequences:
Fortunately, there are a few measures schools can take to better protect themselves.
Similar to how a lion is more likely to give up a fight with a water buffalo in favor of something weaker, like a gazelle, cyber criminals don’t want to waste excessive time and energy — not to mention the threat of being exposed — trying to infiltrate a school or district with strong security measures in place.
The sad truth is not all technology is created equally safe. Not all software vendors prioritize cybersecurity.
Vendors of education technology have a duty to their customers to ensure the safety of the historical and present data they help schools store and manage.
To understand what a secure system looks like, take the example of SchoolMint’s school data management system, Schoolrunner.
All of Schoolrunner’s data is encrypted both in transit (as someone is submitting data and loading it onto the site) and at rest (when it’s just sitting in the database). Because all of this data is encrypted, even if someone accessed the database, they wouldn’t be able to read the data.
For employees who can access the data, we work on encrypted harddrives, and users must be given explicit access via a secure tunnel so that there’s an added layer of security beyond just the username and password.
Additionally, Schoolrunner is FERPA compliant. You can read more about FERPA compliance here.
For SchoolMint as a whole, SchoolMint has full-time security specialists on staff who work each day to expand our current cybersecurity monitoring and tighten internal security policies and concerns.
We also:
As annoying and inconvenient as software updates can be, there’s a very good reason for them: they’re often done to patch cybersecurity vulnerabilities.
For an example of how drastic these vulnerabilities can be, take the example of tech titan Apple.
In September 2021, Apple discovered a major security flaw with their products (the iPhone, iPad, Macs, Apple Watch). They released an emergency software patch to fix the flaw.
For users who didn’t install the update, the potential consequences were severe. The security flaw allowed hackers to secretly install spyware on Apple devices — even if the user didn’t click on a link at all. This spyware could then eavesdrop in the background of the user’s phone while collecting and stealing sensitive data.
Heed this story and ensure the devices and systems your school uses remain up to date.
Antivirus software alone does not provide adequate cybersecurity protection. However...
You should still have it.
Antivirus software offers a degree of protection against malware and viruses, especially those created by less experienced hackers.
Antivirus software should be part of your cybersecurity strategy but not be your cybersecurity strategy.
The online landscape has changed, so you must change with it to ward off identity theft, coordinated attacks, and sophisticated phishing scams.
Multi-factor authentication is a security measure by which a user can access a system only after presenting two or more pieces of evidence that only they know or have access to.
For example, when you try to log into your bank account and they text your phone a special code you need to login, that’s two-factor authentication.
Implementing multi-factor authentication for all users at your school(s) can be highly cost-effective and prevent unauthorized access.
The three most common threats to any school’s cybersecurity are phishing attempts, ransomware or malware, and a general lack of awareness on the part of staff and students.
Through routine education — perhaps with a cybersecurity handbook, one that covers the types of attacks, good cybersecurity practices, what information coworkers should and shouldn’t share — and training about cybersecurity, you can create a better-informed staff and implement security measures that will discourage hackers.
A good place to start is by creating a cybersecurity policy that’s strictly enforced schoolwide or across the entire district.
This policy may include rules such as discouraging employees from bringing their own devices to work. Personal devices offer a vulnerability to any security system.
While your school may have few resources or little budget for cybersecurity staff or software, we highly recommend allocating finances for this when possible. No school wants to be caught in a data breach crisis.
Don’t be reactive about cybersecurity after an attack has happened. Be proactive so that the attack doesn’t happen to begin with.
While no one method alone is 100% effective, additional security measures stack.
You can better protect your school or district by using a combination of secure platforms (and make sure to ask them in turn about their own security measures), antivirus software, up-to-date software for employees, and ongoing training about social engineering and other types of cyber attacks.