Support LA School Report’s year-end campaign. All donations will be matched dollar for dollar.
After years of targeting and extorting high-value corporate targets, ransomware attackers have turned to more vulnerable prey — school districts. With less funding, less-than-mature cybersecurity defenses and limited (or even nonexistent) controls over an abundance of sensitive data, educational institutions are prime targets for cybercriminals.
As a number of recent notable attacks against school systems across the country demonstrate, schools are relatively low-hanging fruit for those who steal data and sell it or hold it for ransom. While corporations have been able to harden their defenses, boost spending on resilience measures, enhance their cybersecurity programs and evaluate risks, school systems — K-12 and higher education alike — haven’t been able to keep up.
In part, their vulnerability stems from the fact that school boards don’t tend to allocate funding to these risks. Focused on pressing priorities — everything from closing achievement gaps and catching kids up from COVID-related learning setbacks to ensuring schools’ physical safety — cybersecurity isn’t at the top of most school agendas.
When ransomware is discussed, it’s considered an IT issue — something that only the information technology department needs to worry about. Yet, in many instances, these departments are scarce in funding and staffing, so the initiatives are outsourced to third-party contractors without considering what internal staffing is needed to assign and oversee their work.
School boards fail to see cybersecurity investment as risk mitigation and often do not prioritize allocating budget dollars to beef up IT resources.
That said, school officials should not throw up their hands in despair and figure that they’re doomed when it comes to ransomware attacks. While no one can avoid being a target, a few crucial steps can go a long way toward minimizing the potential impact.
As a first step, school leaders should ask themselves: What data are we trying to protect? Schools maintain student records, personnel records, health care information and more. They have a variety of systems, from email to attendance tracking to e-learning, that contribute to daily operations. Wrapping their arms around what needs to be protected is the first piece of the puzzle.
Then, schools should take a “people, process and technology” approach to securing their infrastructure and building up resiliency.
From a people perspective, everyone in a school district — the superintendent, principals, teachers, students and parents — should know they’re responsible for helping to maintain good cyber hygiene. Then comes process: District policies should require things like end-user cybersecurity education and awareness, the use of strong passwords and mandates for regular anti-virus scanning. Technology is the third leg of the approach. It should be used to automate certain things like password length and reset periods, as well as keeping software and systems up to date to eliminate vulnerabilities in district computers, tablets, network devices and even learning management tools.
The final step is to have a plan for what to do if any of the school’s information or systems are attacked. Schools should have a crisis management plan for any kind of disruption, whether it’s an earthquake, a pandemic, a hurricane, a power outage or, yes, a ransomware attack. Surprisingly, few school systems actually do. They should have cyber incident response plans and test them — just as they conduct fire drills.
Without a well-rehearsed playbook for responding to a ransomware attack, the odds increase dramatically that getting back to normal will require paying ransom. Well-prepared, resilient organizations, by contrast, will have contingency plans that allow them to quickly revert to data backups and resume operations with minimal disruption.
A bit of good news for schools looking to reach that level of resiliency: In addition to the $190 billion in Elementary and Secondary School Emergency Relief (ESSER) funds that were issued last year for schools to use as they see fit, there’s a $1 billion grant in the pipeline specifically earmarked to help state and local institutions upgrade their cyber protection.
No school district enjoys spending time or money on cybersecurity, but the consequences of a ransomware attack are too dire to ignore. By giving this threat the attention it deserves, schools will better be able to focus on their real priorities of teaching and learning.
Barb Dawson is a managing director focused on higher education at Alvarez & Marsal, a global consulting firm.
Rocco Grillo leads global cyber risk and incident response investigations at Alvarez & Marsal.