By Mike Bianco, director of information security, Skyward.
Schools face plenty of dangers and threats, from pandemics to budget cuts, but ransomware may be one of the most pernicious, transcendent, and frightening – and it’s not going away.
Ransomware is big business for crooks, and schools are seen as easy pickings. CBS News reports that cyberattacks and ransomware targeting K-12 schools hit record highs last year, with ransoms ranging from $10,000 to $1.4 million and a total cost to districts of more than $123 million, according to IBM.
Because so much of what a school system does, from teaching to storing records, takes place online, the threat of a ransomware attack effectively stopping those processes dead in their tracks and wiping out the supporting data is enough to keep administrators up at night.
Add to that the threat of students’ sensitive data stolen and dumped or sold to bad actors after ransomware attacks (NBC News reports that in 2021, ransomware gangs published data from more than 1,200 American K-12 schools), and it’s a miracle administrators get any sleep at all.
And in case a district admin was thinking of sneaking in a catnap, they should consider that 30% of educational outlets consider themselves unprepared to face a cyberattack resulting in their data being held for ransom. Why do so many ransomware attacks target schools? Several reasons:
Schools are vulnerable
Whether it’s students, parents, teachers, or back-office staff, the fact that so many different personas with so many different ideas about internet security are using the system makes it easy for hackers to exploit weaknesses.
Schools lack resources
Districts may not be able to afford the most robust ransomware-prevention tools, or the personnel needed to monitor them.
Data is centralized …
School districts tend to keep their data in one central repository, which is attractive to hackers. Think of it this way: If you’re a bank robber, do you want to rob one bank with $5 million in deposits, or five banks with $1 million in deposits each? Educational data is the $5 million bank.
And it’s valuable …
Student data is pure gold. It can be used in a variety of ways, to establish false identities, to apply for credit, and to make large purchases.
Producing additional blackmail opportunities
Suppose a hacker acquires the report cards and other data of high-school seniors. They could threaten to release the information to prospective employers if the student or their parents don’t pay a ransom.
(This is generally thought of as small potatoes by hackers, but it’s not out of the question.)
How districts can protect themselves
Given that schools are and will continue to be ransomware targets, what can districts do to prevent themselves?
First, districts need to realize they’re not Susan Storm, and they can’t put a force field around their data. There is no magic shield; there are only multiple layers of protection they can employ to deter hackers.
Second, they need to understand that protective measures may only make their district a less attractive target, and not a non-target. After the low-hanging fruit is harvested, their district may still be seen as ripe for the picking.
Third, districts have to accept the fact that protection against ransomware is ongoing and evolving. It is absolutely not a one-and-done.
Finally, districts can take tangible steps to lessen their vulnerability to ransomware attacks. Those steps include:
Backing up data to multiple locations, including to a cloud host with stringent security protocols and uptime guarantees.
Maintaining up-to-date anti-virus and anti-malware software.
Updating to the most recent versions of operating systems and software.
Restricting computer access, and regularly reviewing and managing permissions.
Conducting frequent phishing exercises and disaster simulations.
So what do the government experts at CISA recommend? A lot of the same types of measures: updating software, implementing multi-factor authentication, changing passwords regularly, putting anti-malware programs to work, and monitoring privacy settings.
Whatever you do–don’t pay ransom
However, one of the most important things the agency recommends is not paying ransom. CISA maintains that paying ransom doesn’t guarantee anything–especially not the recovery or return of your data.
In addition, paying ransom may also encourage hackers to target other organizations.
Given that, why do so many educational organizations pay ransom? There could be many reasons–expediency, panic, organizational directives–but in many cases it boils down to a lack of preparedness, no usable data backups, and no other viable options.
Videoconference security tips
Speaking of preparedness, districts that quickly pivoted to remote learning may have not been prepared for the possibility of data breaches coming from their videoconferencing software.
If districts are using Zoom or a similar tool, CISA recommends that they:
Make sure participants are using the most recent version of the meeting app.
Require passwords to access class sessions or meetings.
Encourage students to not share passwords or meeting codes.
Use an online “waiting room” or something similar to identify participants as they arrive.
Require participants to sign in using their full, true names.
Restrict screen sharing. Make sure only the meeting host can assign screensharing privileges.
Don’t let participants enter virtual rooms before the host arrives, and don’t let the host leave until all other participants have left.
Convincing the crooks and hackers to peddle their papers elsewhere won’t be easy. Schools will always be seen as attractive ransomware targets.
Still, if districts wake up, acknowledge the threat, and have a plan in place to deal with it, they can begin to lessen the threat of this nightmare scenario. And then maybe, just maybe, your administrator can get a good night’s sleep.