America’s schools face an increased risk of cybercrime breaches. Breaches are becoming unfortunately commonplace among institutions K to post-secondary, leaving students vulnerable at all stages of their educational journeys. This article will explore the issue of education data security, its impacts, current challenges, and what can be done to mitigate the risks posed by cybercriminals who target them. 

A Quick Look at the Current State of Affairs

Like virtually every other facet of society, education faces a growing risk of cybercrime in today’s day and age. New technology has allowed classrooms to innovate in terms of the instruction they provide students, but at the same time, opened the door to new vulnerabilities.

The FBI recently sounded the alarm regarding schools’ increased victimization in cybercrime. It has reported seeing an uptick in the number of ransomware attacks targeting education data security, often originating from remote desktop protocol (RDP) credentials and phishing emails.

Ransomware is a type of malicious software that encrypts data until the victim pays a ransom to receive their decryption key.

Schools can be especially vulnerable to this type of attack due to the large amounts of financial information and personal data they store. CBS News reports that the average ransom payment for a ransomware attack on an educational institution is roughly $50,000, but some schools have paid as much as $1.4 million to get decryption keys and regain access to their data.

K12 SIX also released shocking numbers in its recent ‘State of Cybersecurity’ report, which highlighted four separate incidents resulting in financial damage ranging from $206,000 to an astounding $9.8 million. The latter case involved an attacker obtaining information from the district’s investment advisor and bank.

What are Hackers Looking For?

While it is impossible to definitively state the goals of any given cybercriminal, there are some trends when it comes to education data security breaches.

Financial information is often at the top of their list, as schools may store anything from tuition payments to student loan applications on their servers. Personal information such as Social Security numbers and email addresses can also be of interest, as can other pieces of personally identifiable information (PII) such as medical histories and academic transcripts.

In some cases, cybercriminals may also be after intellectual property, such as research data or proprietary software code. Therefore, schools need to take steps to properly protect their networks from unauthorized access and breaches.

What Impacts Can Ransomware Have on an Educational Institution?

Ransomware can have devastating effects on its victims in any circumstance, but in the case of schools, the impacts are particularly damaging. Educational institutions serve as the backbone of our communities and are essential for a functioning society. When they’re compromised, it can have serious implications beyond the financial losses we’re used to seeing.

Impact on Students

As most educational institutions are responsible for the health and safety of their students, ransomware can be especially damning. It can prevent teachers from accessing course materials or student records, preventing them from providing quality instruction. It can also delay tests, disrupt grading systems, and limit access to the internet—all of which are essential parts of the learning process.

Impact on Faculty

Ransomware attacks can also have a serious impact on teachers and other faculty members. It can prevent them from accessing their emails, files, or any other resources they rely on to do their jobs properly. Additionally, it can lead to administrators having to quarantine certain systems or the entire network, limiting access to essential tools.

Impact on Institutional Resources

Ransomware attacks can have a serious impact on the institution’s financial resources. It can prevent them from collecting tuition fees or other payments, as well as leave them vulnerable to legal action if student data is compromised. This could result in hefty fines and damage to their reputation—the latter of which could cause enrollment numbers to drop.

Impact on Community

Schools play a fundamental role in their local communities and can affect the lives of many people beyond their students and faculty. Cyberattacks could lead to delays in school projects, lost educational resources, and even closures of certain schools. These can all have serious repercussions for the economic, educational, and cultural well-being of a community at large.

Why are Educational Institutions Targeted in Cyberattacks?

Amid the countless incidents, breaches, and attacks to hit education data security in recent years, one giant question prevails – why?

Schools are large organizations, sure, but they don’t have anything near as valuable as a bank or major corporation, right? Wrong.

Educational institutions are privy to a wealth of important information and records, much of which can be tied back to a person’s overall identity. Not only do they register information regarding course enrollments and grades, but also sensitive things like addresses, contact information, ID, transaction records, and payment data. Hackers can make use of all of the above to exploit victims in any kind of cyberattack.

Aside from the fact that they hold valuable assets, schools may also experience increased rates of cybercrime due to the lack of measures in place to protect them. The COVID-19 pandemic served as an excellent example of just how unprepared America’s schools were to handle instruction online, making them easy targets for malicious actors.

One high-profile incident involving the University of California San Francisco saw the school pay over $1 million in ransom when threat actors infected servers in its School of Medicine. NetWalker ransomware held their critical data and medical records hostage, leaving the school with no choice but to pay up.

Another university, this one in Massachusetts, was forced to shut down for a week in June 2021 after it experienced an unexpected ‘cybersecurity incident’.

K-12 schools haven’t been immune either, with The K12 Security Information Exchange (K12 SIX) reporting that more than 1,330 incidents have taken place since 2016. That works out to an average of one incident per school day over the same data period.

While some school administrators may, the unfortunate truth is that most teachers have little to no training in cybersecurity. They’re the front lines of defense against cyberattacks and not only are they unprepared, but the technology at their disposal is often outdated.

According to a recent survey conducted by IBM, sixty percent of teachers received no extra cybersecurity training from their employers during the COVID-19 pandemic. Even more shocking, half of the respondents indicated that they had never received cybersecurity training before.

While federal laws like the Family Educational Rights and Privacy Act (FERPA), Children’s Internet Protection Act (CIPA), and Children’s Online Privacy Protection Rule (COPPA) aim to regulate students’ activity online, they fall short of fully protecting schools themselves. Education records remain a hot item for attackers, and schools are simply not doing enough to defend against them.

But according to experts, this might be an issue of resource scarcity rather than one of carelessness. Although many schools recognize the importance of robust data security, few have the funding necessary to put proper solutions in place. It’s getting hard to find a district with enough funding to invest in proper classroom sizes and resources. IT? That isn’t on the top of the priority list.

As attacks continue to proliferate though, the consensus among both lawmakers and educators is that cybersecurity can’t wait any longer. Many states have begun stepping up their efforts in data privacy enforcement, with 45 having enacted some form of new student-oriented law since 2014. Among the most prominent include the Student Online Personal Protection Act (SOPPA), which requires Illinois’ State Board of Education to ongoingly publish lists of online services and applications the district uses, data being collected, why it’s being collected, and to notify parents of any compromised security within 30 days.

Other states have followed suit, with laws regulating education data being passed in various forms. Examples include the Student Online Personal Information Protection Act (SOPIPA) in California and the Massachusetts Data Security Law.

How are Schools Attacked by Cybercriminals?

Cyberattacks directed at schools can take many forms, but generally target unsuspecting teachers, students, or staff members. Among the most common are phishing and ransomware attacks, both of which can be devastating for educational institutions.

In the case of phishing, malicious actors try to get users to click on a malicious link or open an infected file, usually by masquerading as a legitimate email. It’s the same tactic hackers use to steal credentials and money from individual users, but in the case of schools, they may also be after personal data like Social Security numbers or financial details.

Ransomware attacks on the other hand are especially dangerous for educational institutions due to their sheer potential for destruction. This type of attack occurs when malicious actors infiltrate a school’s computer system, encrypt the data stored on it and then demand a ransom for its return. What makes this attack particularly dangerous is that schools don’t always have the resources necessary to restore their data, leaving them in a difficult situation.

Ultimately, cybercriminals are motivated by financial gain or political agendas – or sometimes both. Through their attacks, they can access and steal sensitive data or demand hefty ransoms for the return of important files. For schools already struggling with resource shortages, these attacks can be especially damaging. They have the potential to further exacerbate an already-dire crisis in education, with both students and staff forced to pay the cost.

How School Data Security Can Be Improved

It’s clear that there’s a problem regarding the education data security of America’s institutions. Attacks and breaches have become all too common, and many decision-makers continue to push forward for legislative protections and guidelines.

But besides that, what else can be done? Government moves at a notoriously slow pace, and as we’ve already established, cybercrime does the opposite. In fact, regulations may never keep pace with the real threats that exist out there; should schools simply sit back and accept that risk?

The answer is a hard no. While the current landscape may be full of threats, and many districts underfunded, schools aren’t defenseless against the throes of cybercrime. There are several things any educational institution can do to help strengthen its security posture, both in the short- and long term.

A few examples are listed below.

Creating a Cybersecurity Plan

Having a cyber security plan in place is essential for any educational institution, as it outlines the steps they will take to protect their data and systems from malicious attacks. This should be regularly reviewed and updated to reflect the ever-changing landscape of threats, while also making sure that everyone in the district understands exactly what’s expected of them.

Investing in Security Training

All staff members need to be familiar with basic security protocols, so investing in regular training sessions can go a long way. They don’t have to be expensive, either; many third-party providers offer free webinars or online courses that can give everyone the fundamentals they need to stay safe.

Using and Regularly Updating Antivirus and Anti-Malware Software

Antivirus and anti-malware software are essential tools for any school, as they can detect and neutralize potential threats before they cause damage. However, this is only effective if the software is regularly updated with the latest security patches. This should be done at least once a month, but more frequently if possible.

It’s clear that the age of data privacy is upon our educational institutions, and with it comes a slew of new challenges to be overcome. Schools must begin finding the resources to bolster their security, or risk becoming easy prey for cybercriminals.

By investing in the right tools and personnel, any educational institution can protect itself from a cybersecurity standpoint – and in the long run, this could make all the difference. Tools like TeraDact’s Tokenizer+, Redactor+, and Secrets+ can buffer security measures for any size institution. With the right attention and resources, our schools may soon be better able to protect the data entrusted to them.