The city of Des Moines, Iowa, is accustomed to seeing its schools close in January, but the closings usually involve snow or ice, not a cyberattack. On January 10 and 11 of this year, however, Des Moines Public Schools were closed as administrators assessed the damage inflicted by a ransomware attack.
The district announced that preceding the attack, personally identifiable information (PII) had been compromised, and those impacted would be notified. By January 12, students were back in school, but it would take weeks before Wi-Fi was restored to all campus buildings.
Meanwhile, more than 1,700 students who attend school on Nantucket Island also recently got an unexpected winter break when hackers targeted their school. As reported in the Nantucket Current, the district worked to keep the attack from rippling further by telling staff and students not to use any school-issued devices because “they could compromise home networks.”
And Tucson’s public school system, the second-largest in Arizona, also recently battled a ransomware attack, but it managed to stay open.
Schools are increasingly vulnerable
TechTarget reports that ransomware attacks have flatlined in most industries, but schools have been the exception.
“K-12 schools have long been frequent targets for ransomware gangs, but attacks appear to have accelerated in recent years,” the report says. This is an opinion shared by Alan Furst, a Houston-based cybersecurity consultant who works directly with education systems.
“Schools have loads of PII, and there are few things more valuable to hackers. And a lot of that PII belongs to younger people who might not discover it has been swiped and leveraged for years. So even if the schools don’t pay up, there’s still value for the hacker, not to mention that school systems are made vulnerable by thin IT staff and undefended attack surfaces,” Furst explains.
What can MSPs do?
“Not all schools hire MSPs to manage their services, and most of the larger districts have their own IT teams,” Furst adds. MSPs with educational clients in their portfolio need to better assess where the attack surfaces are and protect PII.
“Without the PII, there is no incentive for the hackers to hack,” he says.
He also advocates a robust zero-trust program. EdTech Magazine recently highlighted the benefits to schools of adopting zero-trust when combatting ransomware.
A solid zero-trust implementation helps with ransomware in four ways:
- Reducing infection
- Blocking lateral network movement
- Blocking exfiltration of stolen data
- Alerting to suspicious network activity
Schools and cybersecurity have been on the front burner for the government’s Cybersecurity and Infrastructure Security Agency (CISA), which recently released a report on cyber safety. The report made three broad recommendations:
- Invest in the most impactful security measures and build toward a mature cybersecurity plan.
- Recognize and actively address resource constraints.
- Focus on collaboration and information-sharing.
“A lot of the advice in the report is fundamental, but you’d be surprised how little some schools do when it comes to cybersecurity, so having the government using its bully pulpit should help raise awareness,” said Furst.
More specific steps the report recommends include a complete MFA program, frequent backups, and fixing known vulnerabilities. One clear step Furst sees schools skimping on is having a “cyber incident response team.”
“It’s too late to devise a plan once a system has been breached, and you have to have a clear, actionable plan on the shelf and ready to go,” he recommends.
Per the CISA report:
Every K-12 organization should have an Incident Response Plan that spells out what the organization needs to do before, during, and after an actual or potential security incident. It will include roles and responsibilities for all significant activities and an address book, should the network be down during an incident. It should be approved by the senior official in the organization and reviewed quarterly and after every security incident or “near miss.”
“I see many schools that could have contained an attack early had they had a plan in place, but they didn’t. MSPs that manage educational portfolios need to have such a plan,” Furst advises.
He adds, “With proper training, every staff member can be deputized to be on the front lines of warding off a cyberattack.”
MSPs need to make sure training is implemented. “If a school is attacked and an MSP is in charge of the IT situation, they make easy scapegoats in shifting blame, but the school has the responsibility to create a vigilant cyberculture,” Furst says.