The start of the new school year has seen a spike in cyberattacks against districts across the country, with small districts emerging as an especially attractive ransomware target for hackers.
Hospitals, municipalities and colleges have also been targeted, but school districts are particularly enticing to hackers because they store lots of private information about students, families and staff, and because they often don’t have the resources to block attacks, the New York Times reported last month.
In Louisiana, Gov. John Bel Edwards declared a statewide emergency last month in response to ransomware attacks on three school districts, and authorized state resources and cyber assistance to help the districts, The Hill reported. There have been 533 cyber incidents involving school districts since January 2016, with the majority of attacks concentrated in suburban and urban school districts, according to the report in The Hill.
In addition to the three districts in Louisiana, other recent cyberattack victims have included Lynn County School District in Nevada, Ohio’s Coventry Local School District, Alabama’s Houston County School District and the Syracuse and Watertown City School Districts in New York, according to published reports.
The education sector ranked last among 17 industries in terms of cybersecurity preparedness, according to a report by security ratings firm SecurityScorecard Inc. that was cited in The Wall Street Journal earlier this month. Schools and educational organizations struggle in particular with patching, application security, endpoint security and network security, the report found.
Many school leaders feel that their backup systems are adequate, yet it is always wise to get external validation and make sure all possible scenarios that could impact a school are considered, wrote technology consultant George Breeden in a DA op-ed earlier this year.
“Educating your staff is your best and most powerful firewall,” Breeden wrote. “Social engineering and tricking staff into bypassing security systems is one of the largest threats to every organization. Take the time to educate your staff on the risks, and be relentless in correcting bad behavior for the greater good of the institution.”
For instance, the Metropolitan School District of Wayne Township in Indianapolis runs a phishing simulation that sends suspicious-looking emails to teachers and staff. Those who click the link receive a three-minute online training that shows the red flags of a scam. Later in the school year, the district runs the simulation again. At-risk employees who click receive a longer video and sometimes face-to-face training.