Add cybersecurity to the list of headaches for school districts. As if educators did not have enough stress this past year, such as transitioning to online learning in the midst of the novel coronavirus pandemic, now they are in the crosshairs of cybercriminals eager to hold their data for ransom.
Recent high-profile ransomware attacks on meat producer JBS and the Colonial Pipeline, which shut down fuel supplies to the eastern U.S. for five days, have shown how vulnerable industries can be; the same goes for municipalities. But increasingly, school districts are targets. According to the FBI, school systems are now the top targets for cyberattacks. The number of ransomware incidents involving school systems has risen dramatically over the past two years; in 2020, there were nearly 1,700 school-related attacks. And protection against ransomware often is one of the smallest line items in a school budget.
Some of the largest districts in the U.S. have been attacked, including Clark County Public Schools, Fairfax County Public Schools and Baltimore County Public Schools.
From 2019 to 2020, attacks against schools and universities rose 35 percent, according to Nick Rossmann, global threat intelligence lead for the IBM Security X-Force. “They might not have the same level of cybersecurity awareness as some other industries,” he said. Online learning also has generated even more opportunities for hackers. “We just have more accounts, creating a lot of hay for attackers to use, more passwords and more passwords associated with emails.”
To help school systems boost their defenses, IBM recently awarded a total of $3 million in grants to six school districts to provide cybersecurity assessments and help with protection. Each district will receive about $500,000 worth of services from IBM consultants. The six school systems are: Brevard Public Schools in Viera, Florida; Poughkeepsie City School District, Poughkeepsie, New York; KIPP Metro Atlanta Schools, Atlanta, Georgia; Sheldon Independent School District, Houston, Texas; Newhall School District, Valencia, California; and Denver Public Schools, Denver, Colorado. To reach more school districts, IBM also is posting educational videos about cybersecurity on its website.
IBM consultants will assess the defenses a district has in place and where it can improve, and will help school personnel develop an incident response plan and ways to communicate with staff and students. About half of all the applicants said their cybersecurity budget was no more than $100,000, and that was for the whole district, said Rossmann, which is minuscule compared to private industry. About 250 districts applied for the grants; 40 percent of applicants already had been the targets of cyberattacks, according to Rossmann. Personnel in more than half of the school districts had no security training.
In reviewing the applications, IBM weighed the districts’ budgets, the cybersecurity measures they were planning, how they currently were positioned in terms of security, their existing software security and whether they had experienced ransomware attacks, he added.
“This is a wonderful opportunity to be able to receive support from an internationally-known organization with expertise in this space,” said Dr. Eric Jay Rosser, superintendent of the Poughkeepsie City School District, one of the grant recipients. The district weathered a ransomware attack on one of its servers in February 2020, right before the pandemic exploded. Poughkeepsie did not pay any ransom and lost some lesson plans and data related to classroom teaching. “I refuse to pay ransom to people who would compromise money dedicated to children’s education,” Rosser said. “Besides, we had no mechanism to pay it.” The district would have needed approval from the community to appropriate funds, he said.
After the attack, Poughkeepsie contacted an information technology company to address the damage and purchased a new server and software to safeguard data. But any additional advice is welcome. “We’re hoping we will be able to learn from the experts providing evaluations of our current infrastructure so we can continue to structure our cyber security posture,” noted Rosser.
Budgets are the biggest hurdle when it comes to fortifying schools against cyberattacks, Rossmann said. “We're trying to find the right balance of how to maximize budgets with the size of the districts,” he added.
Limited resources, the failure to update programs and not using cloud storage can make school systems particularly vulnerable, even if they don’t have the deep pockets of businesses and municipalities, IBM’s Rossmann noted. Many ransomware perpetrators use financial analysts to ascertain potential victims’ financial resources, he said, and generally demand smaller ransoms from school systems, in the hope of collecting at least some money. “They (cybercriminals) want to maximize payments and try to get paid.”
IBM consultants do not take a position on whether or not victims should pay ransom, Rossmann added. “If an organization has critical data, life-saving information, treatment information or is on the verge of complete business collapse, those are reasons for considering that option,” he said. “They have to weigh that.” And just making a payment does not instantly resolve the problem. “Once someone gets the keys back, it could take weeks or months to get all the information back.”
Preparation and organization are the best strategies for avoiding ransomware attacks, Rossmann added. “It’s what they do on their network that makes the difference,” he said. “Do what’s in your control.”
Image credit: Sigmund/Unsplash