Ransomware and other cyberattacks on K-12 schools are increasing, especially as districts lean further into technology use for teaching, learning, and other school operations.
Eighty percent of school IT professionals reported that their schools were hit by ransomware in the last year, according to a global survey of 3,000 IT/cybersecurity leaders conducted by cybersecurity company Sophos between January and March. That’s up from 56 percent from the 2022 survey.
School IT professionals were also more likely to report that they’ve experienced ransomware attacks than IT professionals from other industries, according to the survey, which included responses from 200 IT professionals from the K-12 sector.
“Given the resource challenges facing schools, we’ve accumulated a lot of sort of technical debt that is going to make better defending school communities from these threats a challenging endeavor,” said Doug Levin, the national director of the K12 Security Information Exchange, a nonprofit focused on helping K-12 schools prevent cyberattacks.
In a ransomware attack, cybercriminals break into a district or school’s network and take data and encrypt it, preventing the district from accessing the data. Attackers will decrypt and return the data if the district or its insurance company pays a ransom. Attackers typically threaten to release student and employee data to the public if they aren’t paid.
For instance, after a ransomware attack on Los Angeles Unified last year, hackers published highly sensitive mental health records of current and former students. And after a breach at Minneapolis Public Schools in March, a cyber gang published files detailing campus rape cases, child abuse inquiries, student mental health crises, and suspension reports, according to The 74.
Guidance from the FBI and the federal Cybersecurity and Infrastructure Security Agency discourages paying the ransom because it doesn’t guarantee that the data will be decrypted or that the systems will no longer be compromised. Paying the cyber criminals also encourages hackers to target more victims.
But the question of whether or not to pay ransom does not always have a simple answer, especially for school districts that have to ensure continuity of operations, according to experts. Due to insufficient cybersecurity resources, districts sometimes have to pay ransom fees to get their systems back because starting from scratch would be more expensive.
The loss of learning time after a cyberattack ranges from three days to three weeks, and recovery time from the attack can take anywhere from two to nine months, according to a 2022 U.S. Government Accountability Office report. School districts have also lost between $50,000 and $1 million per cyberattack, the report found.
This is ‘a systemwide issue’
While there are many strategies individual school districts can use to protect against cyberattacks, Levin said there needs to be a collective effort to protect all schools from these incidents.
“We do need a much more robust dialogue and conversation about these sorts of incidents,” Levin said, “and really treat the issue as if an attack on one school district is an attack on all school districts. We really need to view this as a systemwide issue, where we need to work together to learn from each other and defend collectively against these threats.”
School districts and ed-tech vendors need to come together and agree on what the cybersecurity measures should be and where the responsibility lies, Levin said. These measures should be mandated by policymakers, with investment in resources included so districts can take the steps they need to protect their communities.
The White House and the U.S. Department of Education earlier this month announced the launch of a “government coordinating council” that will facilitate formal collaboration among all levels of government and school districts to help strengthen schools’ cybersecurity.
The federal initiative “raises the visibility on these issues,” Levin said, but it’s still based on “voluntary improvement” from school districts instead of formal rules, so there’s “a tremendous amount of work still to be done.”
“We’re going to need to see much more robust and directive guidance from the U.S. Department of Education and the federal government, as well as dedicated resources to implement that guidance,” he said.
Some state legislatures are ramping up efforts to strengthen K-12 schools’ cyber defenses. Texas has allocated $55 million to protect school districts from major cyberattacks, and Minnesota approved $24.3 million in grants to address school districts’ cybersecurity needs earlier this year.