Like so many facets of human life, education has been upended by the COVID-19 pandemic. In place of classroom instruction, many students are learning (or is that “learning”?) virtually and remotely.
While the shift to remote education may have helped state and local governments better contain the spread of COVID-19, it’s also added a layer of cybersecurity risks that educational institutions are forced to confront.
Protecting students online
Even before the pandemic, many schools had been the victim of cyberattacks.1 School networks contain sensitive personal information on students, including their academic, financial, and medical records, making them attractive targets for cybercriminals. In 2017, for instance, hackers penetrated multiple school district servers across the United States and used the data they stole to extort students.2 In 2019, educational facilities ranked as the most-targeted sector for a range of malicious software attacks.3
As physical classrooms have given way to laptops, video conferencing and collaboration software, hackers have wasted no time adjusting to a virtualized learning environment. One elementary school had a video conference disrupted by a hacker who displayed obscene images to dozens of children.4 Other video class sessions have been interrupted by uninvited users displaying offensive images and text.5
These attacks prompted the Federal Bureau of Investigation to issue a warning to schools about video conferencing security practices.6 The FBI also noted that students may not be sophisticated enough to recognize social engineering attacks, such as phishing, that could be executed in chat boxes on virtual collaboration platforms.
Preparing for the year ahead
While the course of the COVID-19 pandemic remains uncertain, the director of the Centers for Disease Control and Prevention, along with others in the epidemiological community, have warned about the possibility of a “second wave” of infections coinciding with the 2020-21 flu season.7 School districts across the country may find themselves returning to remote learning if a second wave prompts stricter lockdowns.
Even absent a spike in new COVID-19 cases, many schools may retain elements of remote schooling in the new school year to support social distancing through smaller class sizes. Virtual learning platforms, and their attendant cyber risks, appear to be here to stay for the foreseeable future.
To help schools navigate this new normal, the U.S. Cybersecurity and Infrastructure Security Agency has released a set of guidelines to advise schools on how to protect themselves and their students during remote learning.8 Some schools have established review boards to vet software tools to ensure they comply with school privacy and cybersecurity policies.9
Cyber risk transfer solutions can also be a critical arrow in a school’s risk management quiver. Like a traditional business, schools can incur steep costs (both financial and reputational) when cyberattacks occur. To take but one example, the average cost of a data breach in the educational sector was nearly $5 million in 2019.10 With school activity potentially more exposed to cyber risk, the need for risk transfer has only grown more urgent.
- The K-12 Cyber Incident Map, K12 Cyber Secure, < https://k12cybersecure.com/map/ >, accessed on June 5, 2020.
- “Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments.” Federal Bureau of Investigation, April 1, 2020,
< https://www.ic3.gov/media/2020/200401.aspx >, accessed on June 5, 2020. - 2019 State of Malware, Malware Bytes, January 23, 2020, < https://resources.malwarebytes.com/files/2019/01/Malwarebytes-Labs-2019-State-of-Malware-Report-2.pdf >, accessed on June 5, 2020.
- “Utah Elementary School Zoom Meeting Hacked with Pornography,” Associated Press, April 3, 2020,
< https://apnews.com/02a1ed0e4ff1ad263f68fb3ee2bfb7b5 >, accessed on June 5, 2020. - Kristen Taketa, “San Diego ‘Zoombombing’ incident highlights need for schools to use safety controls,” The San Diego Union-Tribune, April 8, 2020,
< https://www.sandiegouniontribune.com/news/education/story/2020-04-08/san-diego-zoombombing-incident-highlights-need-for-schools-to-use-safety-controls >, accessed on June 5, 2020. - “Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments.”
- William Cummings, “CDC Director Redfield warns second coronavirus wave could be 'more difficult,' hit same time as flu,” USA Today, April 22, 2020,
< https://www.usatoday.com/story/news/politics/2020/04/22/coronavirus-cdc-director-redfield-warning-second-wave/3002165001/ >, accessed on May 1, 2020. - Secure Video Conferencing Guidelines for Schools, S. Cybersecurity and Infrastructure Security Agency, May 13, 2020,
< https://www.cisa.gov/publication/secure-video-conferencing-schools >, accessed on June 5, 2020. - Steven Blackburn, “What schools can do to protect against rising cybersecurity threats,” District Administration, May 21, 2020,
< https://districtadministration.com/schools-protect-rising-school-phishing-school-cybersecurity-threats/ >, accessed on June 5, 2020. - Cost of a Data Breach Report 2019, IBM, July 23, 2019, < https://districtadministration.com/schools-protect-rising-school-phishing-school-cybersecurity-threats/ >, accessed on June 5, 2020.