The rumbling yellow school buses and children at recess clambering on jungle gyms are becoming familiar sights. Schools are back in session across most of the country and while students have been having fun over the summer, hackers have been brushing up on their skills, ready to strike “Hackers don’t take summer vacation,” warns Vince Carter, a cybersecurity specialist who works with several school districts in Detroit. In Chambersburg, Pennsylvania, the 9,000-student school system began its semester with a three-day shutdown.
According to local news sources: For the third day in a row, the Chambersburg Area School District canceled all classes due to “temporary network disruptions.” The school closures come less than one week into the new school year. In a statement online, the district said it was “working diligently with third-party forensic specialists to investigate the source of this disruption, confirm its impact on our systems, and to restore full functionality to our systems as soon as possible.” Students in Chambersburg were told to leave their own personal electronic devices at home when the schools reopened.
Outside observers said what happened in Chambersburg had all the hallmarks of a ransomware attack. But Chambersburg is not alone. Several school districts across the U.S. have experienced similar attacks.
“Schools usually have the resources to pay hackers to unlock their systems, and schools operate on an urgent, set calendar. One or two lost days of instruction have a ripple effect, so hackers know if they can breach, they can probably collect,” Carter explains.
Student devices create cybersecurity vulnerabilities
The dangers are evolving each school year as hackers adapt and schools try to keep up. One of the biggest dangers now is the number of personal devices students keep at home all summer. Carter highlights that many of the devices are under poor cybersecurity conditions, and then the kids bring them back in the fall and connect them to the school’s network, which can create a Petri dish of problems.
The federal government has taken notice by launching a new cybersecurity resiliency program this year aimed at fortifying cyber defenses in K-12 schools. All the efforts will be under the umbrella of the Government Coordinating Council, whose mission will be to coordinate activities, policy, and communications between federal, state, local, tribal, and territorial governments that strengthen the cyber defenses and resilience of K-12 schools.
There are also age and experience factors at schools. While many children are more cyber-savvy than adults, Carter says, students may be less aware of cybersecurity risks than adults, making them more susceptible to scams and phishing attacks. And even if students are aware, youthfulness can sometimes enhance risks.
“The invincibility-of-youth thinking that dominates kids and younger adults doesn’t exclude cybersecurity. So kids, even if they know cybersecurity basics, may take more risks than their adult counterparts.”
Vigilance is key to preventing threats
There are also evolving tools that hackers have access to. Carter advises to look for deep fakes, social engineering, and artificial intelligence to play a greater role in cyberattacks against schools. “Unfortunately, we don’t often know what new weapons the hackers have in their arsenal until they use them,” Carter says. This means MSPs and school CISOs must constantly watch for evolving threats.
Carter notes that several factors make schools attractive targets for hackers. Among them are:
Data: Schools are a treasure trove of data. “From social security numbers to PHI to addresses and some banking, school records have it all. Breaching a school is like winning the lottery for a hacker,” Carter explains, adding that the protection a school has often depends on district size and affluence. “Usually, larger cities or more affluent suburbs have cutting-edge internal IT teams that do the heavy lifting,” Carter notes that smaller, more rural schools and parochial schools often rely on MSPs or a combination of in-house IT and an MSP.
Money: Schools can often afford to pay hackers and are sometimes willing to just so their students can return to learning.
Weak security: This varies significantly by school system, but the more cash-strapped districts or in some cases the more rural institutions haven’t invested in cybersecurity, and hackers know this.
Carter says there are a variety of ways schools and their MSP partners can mitigate threats:
Education: Schools should provide students with training on how to protect themselves from cyberattacks. This training should cover phishing, social engineering, and ransomware topics. “The mission of schools is to educate; we should make cybersecurity training at least part of the curriculum. Then the school can have thousands of young eyes and ears looking out for potential threats and feeling part of a shared mission,” Carter recommends.
Strong password policies: Part of the education mission should include strong passwords for all accounts. Passwords should be at least 12 characters long and include a mix of upper and lowercase letters, numbers, and symbols, advises Carter.
Following fundamentals and involving students in cybersecurity can help keep the classroom from being an attractive target for hackers.
Photo: Stuart Monk / Shutterstock