School systems are supposed to be safe environments where kids can come to learn their ABC’s and lots more. Unfortunately, cybercriminals have something else to say about this. A U.S. school district now becomes the victim of a cyberattack almost every three days on average. In a report published by Malwarebytes, “2019 State of Malware”, education, manufacturing, and retail were the top industries impacted by malware trojans. Education was in fact #1 among those impacted by Emotet, the most prevalent and elusive trojan in recent times. According to the firewall vendor Fortinet, education is the most targeted sector for ransomware, with 13 percent of education institutions having experienced ransomware attacks at some point.
How is it that school systems are exploited so easily and frequently? The fact is that K12 institutions face some key challenges today, and the main ones are outlined below.
Late to React to the Surge of Cyberthreats
The mission of K12 institutions is to educate children. The purpose of a K12 technology department is to support the technology that teachers depend on. Traditionally, this means deploying and supporting computer devices for staff and students and making sure classroom projectors are running correctly. It isn’t second nature for K12 technology personnel to begin their day scanning for security threats. Call it naivety to some degree, but many K12 technology leaders have been behind the eight-ball in taking cybersecurity seriously. This isn’t a bad thing. Much of it is due to the singular focus on educating children. A survey published by the National School Boards Association found that school officials are less prepared for cyberattacks than their peers in private sector companies. In a recent survey of K12 CTOs, more than 70 percent do not take cyberattacks such as data breaches, ransomware or denial-of-service attacks as serious threats. The good news is that the same study showed that more than half now see phishing scams as a significant problem, and an emphasis on email security is taking hold.
I.T. Budget Constraints
According to the Consortium for School Networking (CoSN), the top barrier for six out of the last seven years has been budget constraints. While all companies and organizations have budgets they must comply with, K12 budgets are far more constrained than those in the private sector. That’s because budgets are based on tax revenue estimates. There is no large slush fund to fall back on to purchase an unanticipated security system if necessary. What’s more, tax revenues fluctuate according to the business cycles of the area. During times of economic prosperity, districts might take advantage of large tax inflows and maximize their purchases of devices and education technology. Then when a downturn strikes, the necessary money to secure and properly maintain those devices isn’t there. Technology that doesn’t support instruction is often put on the back burner until times get better.
Insufficient I.T. and Information Security Staff
Let’s face it, most school districts do not have the necessary staff to sufficiently protect their large networks. A big reason for this has to do with budget constraints. It is hard enough for large metro districts to obtain the adequate staff they need, while some rural districts must rely on whatever full-time staff member happens to know the most about technology. When it comes to cybersecurity, it's even worse. According to a CoSN survey last year, only 25 percent of K12 schools have a full-time staff member dedicated to network security. In rural schools the figure drops to just 8 percent.
Shadow IT is a problem for all types of organizations due to the consumerization of IT. It is not uncommon for school administrators or teachers to make technology purchases without the consent or even knowledge of the system’s technology department. In these cases, equipment and software are purchased with little or no regard to cybersecurity. Some teachers bring in their own personal technology equipment such as printers, computer devices and WiFi hotspots. Because these devices are not enterprise-ready, they often lack the security standards required for networks that are actively targeted by cybercriminals. Naturally, it's impossible for internal technology staff to protect what they don’t know about.
Again, due to budget constraints, many school systems lack the latest technology. It's not uncommon to find classroom devices running outdated operating systems such as Windows XP or software that is no longer supported at all. These devices then go unpatched when vulnerabilities are discovered. Servers and outdated network devices such as routers and firewalls are often plagued with obsolete security protocols that offer minimal, if any, protection.
Lack of Security Awareness & Training
For many teachers, there isn’t enough time in the day. Teachers and staff already have to juggle their time for professional staff and instructional training. IT staff are stretched thin across the district supporting everyone and their devices. Then, of course, there are the students. With so many districts now implementing one-to-one device programs, younger students in middle and elementary schools are using computers. Of course, no one can expect them to practice good cyber hygiene at such a young age. All of this makes training users to be security conscious extremely challenging.
Across the US, K12 districts are scrambling to protect themselves from cyberattacks, coming in the form of phishing e-mails, malware and data breaches. In the end, all of these are challenges, and challenges are not permanent limitations. Being prepared to address these threats includes developing and promoting policies on responsible use, storing data securely, implementing comprehensive layered email and web security and backups. Challenges can be overcome and districts are beginning to find ways to get the job done, despite the unique trials and circumstances that other types of organizations don’t have to endure.