Ransomware attacks on schools are on the rise.
More than 1,600 schools were targeted by ransomware in 2020. In December, the FBI, along with the Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center, issued an alert that nearly 60 percent of ransomware incidents between August and September 2020 involved K-12 schools, which was nearly a 30 percent jump from the two months previous.
Despite this, many schools do not appear ready for the threat. A recent study by Morning Consult that was sponsored by IBM Security surveyed 1,000 U.S. educators and administrators.
- Nearly 60% of educators and administrators say they haven’t been given cybersecurity training for remote learning, despite nearly 80% of educators reporting they’re using online learning.
- Despite the FBI’s recent warning to schools, half of educators and administrators still aren’t concerned about impending cyberattacks.
- More than half of administrators and educators say budget is a barrier in securing cybersecurity for their schools.
- 60% of educators are using their own personal devices for remote learning, and 34% are doing so without any guidelines to protect those devices.
IBM is also offering $3 million in grants aimed toward improving cybersecurity in schools. The deadline for districts to apply is March 1.
IBM’s Christopher D. Scott, director of Security Innovation and Remediation, office of the CISO, offers takeaways from this survey and tips for better preparing yourself and your school to ward off potential cyber attacks.
Recognize the Need for Conversations Around Security
Since the mass migration to remote and hybrid classes began, Scott says teachers have been rightly focused on getting systems set up to serve the educational needs of their students, but they shouldn’t forget about securing those systems. When classes first went to video, educators realized they had to protect those video sessions against so-called Zoom bombing. Today, Scott says we need to think about the data and how to secure it.
Sometimes merely raising questions about online school security can get the ball rolling. “I found that starting that conversation is powerful,” Scott says.
More Collaboration Between Schools and with Law Enforcement
“What I'm hoping that we'll see in the future is more partnering and collaboration between law enforcement, districts, and subject matter experts in cybersecurity to build out this infrastructure in a way that secures the data better,” Scott says. “You may have something where you're reporting different concerns from a physical security aspect, but maybe now we say do we have the cyber contacts at the FBI?”
He adds you should also reach out neighboring schools, take advantage of free threat sharing services, and try to share as much intel as possible within and between districts.
Enlist Parents and Get Students Interested
Conversations around cybersecurity should also include parents. “There’s a lot of [cybersecurity] experience within the parents,” Scott says. In 2019 when a school district in Louisiana experienced a ransomware attack, many parents in the area, who were also experts in cybersecurity, helped the district recover.
The discussions around cybersecurity not only help protect schools but can build interest in potential careers for students one day. “At IBM we talk about ‘new collar’ jobs, we talk about the fact that cybersecurity is one of the biggest growing fields, and we don't have enough people for it,” Scott says.
Individual Teachers Can Help
While district-level security planning is needed, the actions of each teacher can make a difference. Scott says that just as teachers are able to physically lock their classrooms if there’s a threat in their physical school, they can also take steps to protect their remote classes.
“Consider the extra password to access a meeting. Consider looking at the email and going ‘Is this really an attachment I'm expecting?’ before I open it. It's just that little moment of thought that I think each individual person can take,” he says.
Providing educators with training and simple tips on how to recognize cyber threats, such as keeping an eye out for suspicious attachments, can really help, says Scott. “When they have the information, people make really great decisions,” he says.
Remember That Returning to In-Person School Doesn’t Eliminate Risk
As more and more schools resume in-person learning, the risk of cyber attacks won’t decrease. One security advantage of remote school is that educators’ devices spend less time connected to a central system. When more educators return to physical buildings, their devices will spend more time connected to the central system and will talk to each other more, Scott says.
“I actually think the risk gets a little greater as we move back,” says Scott.