As we discussed last week, back-to-school brings out hackers and cybercriminals. This week we’ll look at some of the specific threats that schools, educators, and even students face this year and what MSPs can to do help protect their education clients.
“MSPs can only do so much,” says Glenn Maxwell, an education cybersecurity consultant in Salt Lake City. “But they can educate the educators, which may be the best way to mitigate cybersecurity threats.”
Post-pandemic changes leave schools vulnerable
Maxwell explains that a combination of social media, an influx of BYOD onto campuses, and increasingly creative and determined hackers will make 2022 one of the most challenging years for MSPs with education clients in their portfolio. Schools are still struggling post-pandemic to realize the full scope of cybersecurity threats.
“The switch from paper and pen to tablets and Chromebooks was almost overnight,” Maxwell describes. “Many schools have limited IT staffs and either ignored cybersecurity or made-up protocols on the fly, which leaves real vulnerabilities. He adds that education has consistently ranked among the least secure sectors.
Threats are varied in scope and impact
Some of the specific threats MSPs should keep an eye out for as everyone heads back-to-school this year include:
Child exploitation: Hackers have a variety of motives, but money is the driving force and there are different ways of making money. Many parents post pictures of their child’s first day of school. It’s a celebratory time, but parents should be careful.
“There are just a lot of bad actors out there that will use the data gleaned from a child’s back-to-school photo for nefarious purposes,” Maxwell warns. “And while an MSP can’t control what a parent does on social media, they can be involved in crafting some cybersecurity ‘back-to-school basics’ that the school can share with parents.”
The parental checklist should include making sure their children’s devices are up to date with the latest security, using care on social media, and learning to avoid links from unknown sources.
Student attacks: Didn’t study for that geometry quiz? No problem, a student can gain a day or two to study by overwhelming the school’s computers and shutting down the campus with a DDoS attack. And these days, a student doesn’t even have to do it him or herself, they can just hire someone for $10 to do it for them.
EdTech Magazine describes these attacks:
A new trend in cybersecurity sees students paying for distributed denial of service attacks to overwhelm and disable district networks. Attackers target critical network assets in a DDoS exploit, intending to shut down operations. They can, for example, focus their efforts on school accounting or learning management systems. In most cases, though, they aim to disable the entire network.
According to Maxwell, DDoS attacks can be low-tech and old-school or newer and sophisticated, “but they are effective in accomplishing a limited goal,” he says.
An overwhelming amount of traffic floods the school system, which can grind education to a halt. Maxwell recommends a blend of firewalls and network redundancy so that if the system is overwhelmed, the school can seamlessly switch to a new one. He also advises something an MSP isn’t typically involved with: student discipline.
“The penalty should be made strong enough that a student thinks twice before doing something so foolish,” says Maxwell.
Ransomware: Roughly 1,000 schools in 62 districts were impacted by ransomware attacks in 2021. Though the number of reported ransomware attacks targeting the education sector is lower than last year, the FBI indicates that over half of all reported ransomware incidents targeted K-12 organizations.
“This shows us that schools remain an attractive target,” Maxwell observes.
Often schools have weak defenses and deep pockets and should pair a robust training program with network segmentation and early detection to mitigate as much damage as possible.
Data is currency: Schools safeguard enormous amounts of personal data, and hackers prize this data.
“To a hacker, data is the same as money; there’s no difference,” explains Maxwell. “So just like you wouldn’t leave a safe wide open with stacks of money inside, don’t leave the `information safe’ open. We’ve seen some schools do this, and that’s inviting hackers in.”
Bank account information, social security numbers, test scores, PHI (especially prized by hackers), and other identifying information can all be had “under one roof” if a hacker successfully breaches a school’s cyber perimeter.
“We are seeing more of what we call multi-purpose hacking,” says Maxwell. “For hackers, a school is like a department store, you can find everything you need all under one roof, from medical data to student test scores, so you’ll see them breaching and helping themselves to a little bit of everything to further their goals.”
Photo: Monkey Business Images / Shutterstock
getting kids to learn to avoid click bait is hard as everything is right up their alley when trying to sucker people to get something. Starting early and teaching them what is good and bad will not stop but slow down the rate
Good article about issues schools face.
Maybe schools should consider security awareness training as part of routine student curriculum?
Gotta protect the children
I spoke to one school IT manager where they had been breached three times and on all three occasions it had been teachers phished by compromised student accounts… and where teachers had also been using mobile devices which potentially made it harder to spot a malicious email. Schools (especially secondary/further/higher where email use is more prevalent) need to understand how prolific email is as a vector for cyber attacks (91%+) and employ additional systems and/or training to help secure that.
The key theme here is learning to educate the teachers as a front line defense. They must become the “human firewall” and good security hygene should be taught just as access instructions are given to students.