Best practices to safeguard schools from a cyber attack
The new academic year has kicked off, and students and teachers have settled into their back-to-school routines. With a new school year comes new opportunities for cybercriminals to break into school networks with a spoofed email or a malicious link. As of mid-September, over 100 reported ransomware attacks in 2023 had impacted K-12 and higher education, according to Comparitech, with 2023 on pace to be a record-breaking year for ransomware attacks on schools. Not only is the new school year shaping up to face more attacks than in 2022, but the severity of the attacks has increased as well: attacks to date in 2023 have involved more records stolen by bad actors and longer downtimes before systems are restored. Multiple schools reported having to cancel classes or close down completely during the 2022-2023 academic year as a result of a cyberattack.
Students and faculty must remain on high alert as they ease back into their day-to-day rhythm of homework and lesson plans. In the spirit of giving schools the tools they need to start the academic year with their best foot forward, the White House held a cybersecurity summit in August to provide schools with the latest resources and best practices to give educational institutions a head start in their battle to safeguard their systems against hackers.
Noteworthy takeaways and resources from the summit include:
- The U.S. Department of Education’s plan to establish a Government Coordinating Council (GCC). The GCC sets out to coordinate policy to protect K-12 schools and districts from cybersecurity threats and to support districts in preparing for, responding to, and recovering from cybersecurity attacks. The Department of Education also released the first of three Digital Infrastructure Briefs, K-12 Digital Infrastructure Brief: Defensible and Resilient, which covers the following considerations:
- Implementing effective mitigation strategies such as multi-factor authentication, password policies, phishing prevention, and frequent software updates.
- Developing and practicing incident response plans to minimize the impact of a potential data breach.
- Managing vendors and third-party risk to ensure vendors demonstrate commitment to safeguarding the data they collect and maintain.
- The K12 Security Information eXchange (K12 SIX), a national non-profit organization dedicated to protecting the U.S. K-12 community from emerging cybersecurity threats. K12 SIX operates as an enhanced information sharing and analysis center (ISAC) for the K-12 education sector. K12 SIX offers its members security training and access to virtual CISO services.
- Cybersecurity and Infrastructure Security Agency (CISA) plans to provide tailored assessments, exercises, and cybersecurity training to 300 new K-12 entities over the coming school year.
- PowerSchool, a provider of cloud-based K-12 software in the United States for 80% of school districts, will provide new free and subsidized “security as a service” courses, training, tools, and resources to all U.S. schools and districts.
- D2L, a learning platform company, has committed to providing access to new cybersecurity courses in collaboration with trusted third parties.
- Google released an updated K-12 Cybersecurity Guidebook, which offers steps education systems can take to secure their Google hardware and software applications for students and faculty members. The guidebook recommends that education systems establish school-wide policies covering robust password requirements, two-step verification, data sharing, and data retention.
With the sophistication of cyberattacks on the rise and 2023 expected to be a record-breaking year for ransomware attacks on schools, educational institutions need to be proactive in warding off cyberattacks. A school that does not have an incident response plan in place should develop one, and a school that already has one should exercise it at least annually with its incident response team.
If you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.