An increasing number of cyber criminals are turning their sights on schools, and the effects are growing more and more worrisome. In 2021 alone, 67 ransomware attacks across almost 1,000 schools cost institutions over $3.5 billion. Factoring in the value of ransom payments, learning loss, and lost data, the true cost of these attacks may never be known.
While several ransomware attacks made headlines in 2022, the actual number may be even higher because not all US school districts are required to report cybersecurity incidents. The consequences of these attacks directly impact students and institutions. For example, the US’s second-largest school district, Los Angeles Unified, experienced “significant disruptions” to its computer systems following a ransomware attack over Labor Day Weekend. In January, the Albuquerque, New Mexico school district was forced to cancel classes for two days after emergency contact data for students was compromised.
Ransomware attacks can also lead to schools shuttering for good. In May, the 157-year-old Lincoln College in Illinois was forced to close its doors after a ransomware attack left the school locked out of crucial data for student retention, recruiting, and fundraising efforts. Even after paying a significant ransom to recover its data, the school could not recoup the losses caused by the attack due to substantial enrollment shortfalls.
As ransomware attacks on schools become more frequent and more damaging, it’s increasingly clear that the education sector is especially vulnerable to cyber-attacks. What’s also clear is that a number of glaring security flaws are to blame for making schools a prime target for cybercriminals.
Why cybercriminals target schools
Schools are especially appealing to cybercriminals for a number of reasons. First and foremost, schools are home to a large amount of personal data pertaining to students, faculty, and staff. Second, cybercriminals looking for a low-risk, high-return scheme are often drawn to schools because district decision-makers are sometimes willing to pay a high ransom to keep student information private. Third, cybercriminals also take advantage of the fact that many schools are unprepared to protect themselves from ransomware attacks. While corporations often have robust cyberdefense systems in place, many school districts and universities do not.
How schools can protect themselves
In the case of cyber-attacks, it’s better to be proactive than reactive. Unfortunately, outdated software, lack of security measures, and unregulated third-party access are just a few reasons schools often fall victim to ransomware schemes. Limiting third-party access is one of the most important things schools can do to protect themselves and sensitive student data from threats big and small.
1. Limiting, monitoring, and controlling third-party access:
Many schools don’t keep track of all the third-party vendors and outside companies that have access to their network, which leaves them vulnerable to attacks. “The State of Cyber Security and Third-Party Remote Access Risk” report found that many cyberattacks occur due to organizations giving too much unchecked access to third parties. Out of all the organizations surveyed, just 36 percent of respondents have visibility into the level of access and permissions both internal and external users have, and only 45 percent have identified the third parties that have access to the most sensitive data.
External parties with network access should be viewed as a security risk, but manually managing third-party access can be time-consuming on internal resources. More than 50 percent of schools surveyed for the aforementioned report stated that they found managing third-party access risk overwhelming. Implementing access controls and monitoring via automated technology can save time and resources while reducing the potential for human error.
2. Access controls:
Access controls act as a virtual checkpoint that stops users from going any further than they need to within a network. For example, access controls can ensure that a software vendor only has access to the files that are relevant to its software, or that any outside third party can’t access confidential information like students’ social security numbers. Access controls also limit the amount of damage a malicious user can do when they enter the network, significantly reducing the potential negative impacts of a ransomware attack.
Types of access controls that schools can implement include:
- Access notifications
- Access approvals
- Time-based access
- An access schedule
- Zero Trust Network Access
- Multi-factor authentication
- Privileged credential management
No matter what type of access controls are used, it’s essential for schools to practice Zero Trust Network Access. At a minimum, this means taking steps like multi-factor authentication for every user and preventing access creep by third-party users. In addition, ensuring that users only have access to the network information they need — and nothing more — is essential to preventing cyber-attacks.
3. Access monitoring:
Access monitoring tools act as a virtual watchdog on alert for suspicious activity. If anything out of the ordinary occurs, the tools trigger alarms and alerts to network administrators. According to “The State of Cyber Security and Third-Party Remote Access Risk” report, 51 percent of organizations have adopted automation into their cybersecurity strategy in the last two years. As a result, schools looking to protect themselves against ransomware attacks should begin implementing a robust access control and monitoring strategy in 2023 and beyond.
Cybercriminals won’t stop targeting schools anytime soon — but with the right security and monitoring tools, school officials can keep important student information safe from attacks. Controlling and limiting third-party access is the best way for school districts, colleges, and universities to protect themselves (and student data) from ransomware schemes. It’s up to these institutions to take an active role in preventing cybercrime for the good of students, teachers, staff, and the safety of education as we know it.
