The U.S. Government Accountability Office (U.S. GAO) has released a report showing that schools remain vulnerable to cyberattacks.
“Kindergarten through grade 12 (K-12) schools have reported significant educational impact due to cybersecurity incidents, such as ransomware attacks. Cyberattacks can also cause monetary losses for targeted schools due to the downtime and resources needed to recover from incidents,” the report states.
The U.S. GAO report says that learning loss following a cyberattack ranged from three days to three weeks, and recovery time ranged from two to nine months.
Escalating cyberattacks on schools drive need for collaboration
The non-partisan U.S. GAO recommends that the government establish a collaborative mechanism, such as an applicable coordinating council, to manage cybersecurity efforts between agencies and the K-12 community.
The GAO observations come as schools continue to bear the brunt of cyberattacks in 2022, with attacks on the education sector escalating.
In 2020, for instance, the K–12 Cybersecurity Center registered a record-breaking number of incidents, with 408 reported across 377 school districts in 40 states.
A leading cybersecurity research company says that the numbers have only grown since 2020, showing the education sector enduring double the number of weekly cyberattacks compared to the average across other industries. This sector had an average of almost 2,000 attacks per organization every week (a 6 percent increase compared to July last year and a startling 114 percent increase compared to July two years ago).
Other statistics of note:
- 56 percent of K-12 schools and 64 percent of higher education institutions reported a breach in 2021.
- 27 percent of schools think their data is inadequately protected.
- 42 percent of schools have students or staff that circumvent cybersecurity protections.
- $265 is the average price of an educational record on the dark web vs. $5 for a credit card number.

“All of these statistics point to the value the vertical has for hackers,” says Marvin Goesch, a school cybersecurity specialist in Los Angeles. Goesch adds that while healthcare has done a better job of fortifying its defenses, the education sector has lagged, and their data is often just as lucrative for hackers as healthcare.
Forthcoming Summit to Educate the Educators on Cybersecurity Safety
All of this points to the importance of the first-ever National Summit on K-12 School Safety and Security, hosted by the Cybersecurity and Infrastructure Security Agency (CISA). The annual summit will be held virtually this year from Nov. 1-3.
“If you are an MSP with education clients in your portfolio, attending this summit would be a wise use of time,” Goesch advises. The event is free and will cover some of the following topics:
- Physical Security
- Emergency Planning
- Capacity Building
- Training, Exercises, and Drills
- Targeted Violence
- Reporting Systems
- Threat Assessment
- Violence Prevention
- Online Safety
“These are all crucial areas that often are missed in cybersecurity,” Goesch emphasizes. “Most schools and the MSPs that manage their security are simply ill-prepared for some of the threats that are currently out there, so simply having a plan in place often goes a long, long way towards mitigation.” He adds that even the parts of the summit that cover physical safety and infrastructure safety at schools can be beneficial for MSPs to attend.
“With schools, perhaps more so than other client types, a holistic approach to cybersecurity is necessary, and that means understanding the students, staff, campus layout and the physical plant,” Goesch says.
The line-up of speakers ready to talk about schools and cybersecurity includes the “who’s who” of education security luminaries. Here is just a tiny sampling:
November 1 (Day 1) – Violence Prevention
- Alejandro N. Mayorkas, Secretary, United States Department of Homeland Security (Keynote Speaker)
- Lina Alathari, Ph.D., Chief, National Threat Assessment Center, United States Secret Service
- Theresa Campbell, Chief Executive Officer, Safer Schools Together
November 2 (Day 2) – Cybersecurity and Online Safety
- Jen Easterly, Director, Cybersecurity and Infrastructure Security Agency (Keynote Speaker)
- Stephen Balkam, Founder and Chief Executive Officer, Family Online Safety Institute
- Kyla Guru, Founder and Chief Executive Officer, Bits N’ Bites Cybersecurity Education
November 3 (Day 3) – Physical Security
- Tony Montalto, President, Stand with Parkland (Keynote Speaker)
- David Mussington, Ph.D., Executive Assistant Director for Infrastructure Security, Cybersecurity and Infrastructure Security Agency (Keynote Speaker)
- Mo Canady, Executive Director, National Association of School Resource Officers
“All of these speakers bring with them a wide variety of experiences in education and security,” Goesch points out. He adds that the U.S. GAO’s additional recommendations, if implemented, will help improve school security.
One of the U.S. GAO recommendations is that the Secretary of Education should develop metrics for obtaining feedback to measure the effectiveness of Education’s K-12 cybersecurity-related products and services available for school districts.
“Currently, we have a patchwork approach to school cybersecurity; a more centralized approach would allow us to better filter data, which would make the battle against hackers much more winnable,” Goesch concludes.