Key points:
K-12 school districts are becoming an increasingly popular target of ransomware operations and other cyber threat actors. Ransomware attacks alone targeted 108 U.S. school districts in 2023–more than double the 45 attacked in 2022. Just as the 2024 school year was about to start, a ransomware attack shut down some schools in the United States and Great Britain, including 34 schools serving 17,000 students in the Seattle area.
And although the number of attacks overall declined somewhat during the past year, the costs of those attacks are escalating. So far in 2024, recovery costs for K-12 schools are averaging $3.76 million, more than double the costs from 2023.
The wealth of personal information that school districts hold on students and parents makes them a prime target for cybercriminals looking to exploit or sell the data on black markets. The fact that many schools rely on older, underfunded IT infrastructure and have not invested heavily in cybersecurity controls or defenses also makes them easier to breach–and smaller IT departments with fewer resources also mean they are slower to respond to threats.
Thankfully, the much-needed funding and resources needed to enhance schools’ cybersecurity infrastructure is coming. The Federal Communications Commission (FCC) recently announced that it is making up to $200 million available in reimbursements to help schools, school districts, and libraries purchase equipment and services to improve their cybersecurity postures.
The Schools and Libraries Cybersecurity Pilot Program, intended to help institutions improve protection against ransomware and other attacks, is accepting applications from schools, libraries, or consortia until November 1. Before applying for the pilot program, however, institutions should make an effort to understand their current security postures and vulnerabilities–and how the categories of services and product available can help–to fully ensure requested services will address the most important vulnerabilities and infrastructure challenges they face.
Let us first review the covered services and equipment, which involve four basic categories of cybersecurity.
The four pillars of cybersecurity the pilot program addresses
Advanced/next generation firewalls. These network security software process network traffic and apply rules to block potentially dangerous traffic. While most schools likely have a firewall in place, internally managed firewalls are time-consuming and laborious to administer.
Endpoint protection. Endpoint protection and response (EDR) tools monitor endpoints such as laptops, smartphones, and other devices for signs of attack or anomalous behavior. This is also a solution that some schools may already have. For example, schools using a provider like Microsoft could have licensing that includes some amount of endpoint protection, but it’s likely not robust. It’s encouraged that schools look at what they have in place for their tech stack to determine the extent of their current EDR capabilities.
Identity protection and authentication. As credential compromises have become the primary means of access for attackers, the front line of defense has shifted from endpoint devices to the user. This means that individual users, particularly those with privileged access, will be the most likely target for cybercriminals. Identity and access management (IAM) tools control which users can access resources. As schools adopt more digital platforms for learning, administration, and communication, these tools help manage and control who has access to various resources, ensuring that only authorized individuals can access sensitive data like student records, health data, and financial details. As with EDR tools, current IAM tools provided to schools may not be robust enough.
Monitoring, detection and response. This category includes equipment, services, or a combination of both that monitor and/or detect threats to a network and take responsive action to remediate or otherwise address those threats. This includes managed service providers, who combine technology with human expertise to identify attackers and limit the impact of threats as they move through a school’s network. Under current budget constraints, this is the capability schools and libraries are least likely to have, as it requires a dedicated team to ensure no malicious actors are in the network.
Beyond funding: Essential next steps for maximizing the FCC pilot program
School districts must first understand the risks and where they stand in relation to them to fully reduce their vulnerability to cyberattacks. Once they understand which services they have and the extent of those services, they can then identify any gaps in security capabilities and make a plan for speaking to the appropriate vendors of those tools.
To make the most use of the program and the funding the FCC will supply, schools need to choose their solutions carefully. Schools can ensure cybersecurity vendors will meet their needs by following some key steps:
Put vendors through their paces. It’s important to identify the right vendors for what you need. Ask vendors to demonstrate how they have responded to attacks, as well as their proven experience in working with schools or educational institutions. These vendors will better understand the specific challenges schools face, such as limited budgets, varied user groups (students, staff, parents), and the need for a secure but accessible online learning environment.
Check customer references. Request references from other K-12 districts that have used the vendor’s services. This provides insights into the vendor’s ability to deliver on their promises, handle sensitive data, and provide ongoing support. A positive customer reference can be a major indicator of whether the vendor and their solution will be suitable to address your own needs.
Check for important features and support. A major block to getting adequate security in place within school districts is at the top of the pyramid. When evaluating vendors in any category, a key area where they can provide support is their ability to offer tabletop exercises that can engage and educate administrators and other faculty who might not understand or appreciate security. These exercises simulate real-world cyberattacks to help schools prepare for potential incidents, allowing them to practice their incident response in a low-risk environment, ultimately improving their overall cybersecurity posture. They also serve as an educational tool, raising awareness about common attack vectors like ransomware or phishing so the entire staff can be better prepared to recognize and respond to cyber incidents. Finally, they can help uncover vulnerabilities in communication, decision-making, and technical defenses–allowing leaders to understand cybersecurity deficiencies firsthand and the devastating impact they can have.
When considering monitoring, detection, and response (MDR) solutions, there are a few capabilities that are essential for robust cybersecurity. The first is user and entity behavior analytics (UEBA), which uses machine learning to help identify signs of insider threats, external attacks, and risky behavior on a network, including endpoints. It allows schools to identify whether behavior meets the standard baseline or if it’s starting to stray. For example, someone accessing an Oregon school network from the Bahamas might look fishy, but if it’s a teacher on vacation there, it could be okay.
MDR tools should also be autonomous. A solution must be able to capture information and respond automatically. If it identifies stolen credentials being used on the dark web, for example, ensure that it can initiate password resets and disable those credentials. There are various touch points that can indicate a ransomware attack or data exfiltration, such as file modifications, registry keys being added, or auto run tasks being added to the registry. A solution should be able to detect that activity and stop it before too much damage is done. In other words, these solutions should block and tackle as criminals make moves.
Safeguarding education through smart cyber investments
Schools focus primarily on educating students–and as educational institutions, their mindset has traditionally leaned toward sharing, rather than protecting, information. Cybersecurity has not always been top of mind. But the trend in cyberattacks, which can shut down schools and prevent them from teaching, is changing that.
Schools need to strengthen their cybersecurity postures, and programs like the FCC pilot can help. By clearly assessing their current security posture and taking action to close any gaps in their defenses using the appropriate services and equipment, they can get back to their main goal of educating their students without worrying about suffering from disruptive cyberattacks.
