Cybersecurity Solutions for Education

By: Charles Brandt
January 21, 2025

With a growing list of attacks on educational institutions around the country, we are often asked, “Why are schools such attractive targets for cybercriminals?” The reality is that, with tight budgets and an ever-increasing list of demands placed on small IT teams, many school districts are falling behind on foundational cybersecurity practices. Small IT teams are required to manage a large, diverse fleet of devices across many buildings, using third-party software and systems, and often fighting for budget along the way.

If that sounds like your school, then I have good news. You don’t have to be a sitting duck, nor do you have to be Fort Knox. If you increase your security to the point that attacking you is no longer quick and easy, hackers typically move on to another, easier target. In this blog, I’ll explore how cybercriminals tend to attack schools and what you can do to keep your organization and its data safe.

Common Cyberattacks in Education 


There’s certainly a large amount of overlap between attacks carried out on schools and other industries. However, here’s where K-12 schools, colleges, and universities should focus. 

Phishing Campaigns 

According to KnowBe4’s 2024 Phishing by Industry Benchmarking Report, the average employee was 34.3% likely to interact with a phishing email. Engaging, high-quality security awareness training is very effective at helping employees recognize a phishing email for what it is. However, according to a recent survey, 26% of teachers said they hadn’t received any cybersecurity training whatsoever.

Phishing scams are typically the first component of more complex and devastating attacks. Once a hacker tricks an employee into revealing their login credentials or other sensitive data, their next attack phase will often take one of these subsequent forms.

Data Theft 

Data is a hot commodity on the dark web. Current estimates place a single individual’s identity at $1,170. And schools collect a lot of data. 

Here’s what hackers are especially interested in: 

  • Student, staff, alumni, and family data (including addresses, birthdates, etc.) 
  • Donor information and giving history 
  • Information regarding financial aid 
  • Social security numbers 
  • Payment information 
  • Individual education plans 

With these details, a hacker might be able to impersonate a relative or open a credit card or loan in a student or staff member’s name. 

But data isn’t the only way hackers can make money from under-protected schools. 

Ransomware 

In March of 2023, a hacker threatened to leak over 300,000 student records that were held by Minneapolis Public Schools. The school refused to pay the $1 million ransom, and the ransomware gang subsequently made good on its threat, dumping these sensitive records online.

While many organizations feel pressed to pay ransoms to avoid being in the headlines, the reality is that simply paying the ransom won’t always be the end of the story. A few common reasons include:

  1. Cybercriminals don’t always make good on their promises
  2. Decryption keys may not work, or work too slowly to get your organization back up and running in a timely manner
  3. Paying the ransom may embolden future attackers to target your organization
  4. By paying certain ransomware criminals, your organization may be violating U.S. government rules regarding paying cybercriminals who reside in countries that are subject to U.S. sanctions

DDoS Attacks 

During a DDoS (distributed denial of service) attack, a hacker can overwhelm school networks with traffic, preventing any access to online tools, including learning platforms, email systems, and administrative tools. Baltimore County Public Schools were hit with just such an attack in 2022.

Some hackers will threaten a DDoS attack unless a ransom is paid. Believe it or not, some students hire hackers to carry out these attacks on their behalf. This type of attack can also serve as a distraction and be a sign that something larger is planned or occurring in other parts of your network.

The Best Cybersecurity Solutions for Schools


Here are the tools and practices that tend to buy the best protection for schools that are tight on time and on a budget. 

Multi-Factor Authentication and Password Requirements   

Many schools lack strong password policies, making them easy targets for their own students, let alone sophisticated international cybercrime gangs.

Require strong passwords on all online accounts, and make sure passwords are also changed regularly. And to combat any phishing scams, require multi-factor authentication (MFA) to protect sensitive accounts in the event that legitimate user credentials are compromised. 

Security Awareness Training

Don’t underestimate the danger that can come from just one email. Spear phishing — where scammers try to make their emails appear to be coming from a trusted source — can have devastating consequences. 

Ongoing, engaging training is remarkably effective and helpful for everyone in your organization, but your school’s financial staff, IT personnel, and leadership are often a spear-phisher’s preferred targets. 

Vendor Due Diligence

Every entry point into your systems is a potential risk, and that includes any vendors with access to your online systems or physical facilities. According to a recent survey, 98% of organizations use a vendor that had a data breach recently.

Proper vendor due diligence is incredibly important, and it’s just as important to act on the information you receive. If one of your vendors isn’t taking reasonable precautions and isn’t willing to change that, it’s time to reconsider the relationship.

Network and Data Monitoring

No single cybersecurity solution can catch everything. But proper advanced network and data monitoring tools can alert your IT staff to any suspicious activity.

Once alerted, you’ll also need to be able to mount a swift and effective response, which brings me to my next point…  

Incident Detection and Response

Proper Incident Detection and Response (IDR) is highly effective in minimizing the impact of a cyberattack. Getting initial responses in place is key to limiting the fallout you’ll experience. This can be a combination of sufficient logging, alerting procedures, staffing, solutions, and automation.

For example, in a ransomware attack, an effective IDR strategy can prevent the encryption of critical data and the loss of access to critical systems. IDR can also cut the cost of a data breach by 35%.

Patch Management 

Every unpatched vulnerability you have in your IT environment is a possible entry point for hackers. In fact, around 57% of cyberattacks could be prevented with proper patch management. 

Patch management can be time-consuming for already overwhelmed IT teams, but automated patching solutions are now available to make this job much easier. 

Zero Trust Architecture

Many schools still focus their cybersecurity efforts on securing their perimeter. However, once a hacker makes it past a firewall, they can generally go where they please, unchecked. 

Zero trust architecture isn’t a single tool or solution. It’s a cybersecurity concept that treats every user, device, and app as if they were a potential threat and places additional layers of security around sensitive systems and data. 

Simplifying Cybersecurity in the Education Sector


Cybersecurity is constantly changing, and the same tools that were sufficient five years ago just aren’t enough today. It can be very difficult for any internal IT team to set aside time for patch management, let alone keep on top of emerging threats. 

But there are additional resources schools can take advantage of. Earlier this year, the FCC launched a pilot program to help bolster cybersecurity for K-12 schools. National cybersecurity organizations like NIST and CIS also supply updated resources and recommendations for organizations, so they don’t constantly have to reinvent the wheel. 

At Marco, we’ve created our own simplified checklist based on these guidelines, so it’s easy to see where you’re already following best practices or where a few upgrades are needed. Click the link below to access it! 

Get Our Cybersecurity Checklist  Download Now
