COVID-19 ISO Insights

Physical Virus Overshadows Cyber Risks That May Loom for Schools This Year

August 31, 2020

By: David Geller, CPCU, SCLA

This time last year, when things were simpler, cyber risks were drawing many of the headlines as schools were poised to begin. Among the noteworthy cyber attacks levied on schools across the U.S. ahead of Fall 2019 were:

  • Various New York schools had been targeted by the same ransomware (Ryuk), reported Newsday: The Rockville Centre School District reportedly paid nearly $100,000 to restore its data.
  • One school district in Orange County, NY, according to NBC News, was forced to delay the start of the to delay the start of school due to the impact of a ransomware attack.
  • These troubles were not confined to New York school districts. Also having their first day pushed back was a school in Alabama, according to the Times. The superintendent told The Dothan Eagle that even after school did eventually start, teachers would likely not be able to use their computers.
  • The Times also mentioned that the Louisiana Governor declared a state of emergency after computers were disabled at three school districts over the 2019 summer.

Now, we are confronted with a virus in the physical world that may have served to diminish the concerns of computer viruses and other malicious cyber activity that can be spread digitally.

Why Are Schools So Exposed to Cyber Attacks?

School districts may represent an appealing target for cyber criminals due to a potential lack of investment into cybersecurity; according to the New York Times, many school districts in the United States do not have a single staff member that focuses strictly on cybersecurity.

In addition to the vulnerabilities sometimes laden within typically older IT systems, also making school districts a particularly salacious target for hackers is the piles of private data that schools sit on top of. While the motivations of hackers do vary, the Times notes that financial gain is a popular reason that these attacks are levied.

Given the urgency for schools to decrypt and restore this private information subsequent to the attack, especially just before a school year begins, schools may be perceived as a victim that is more willing to comply with ransomware demands to ensure this sensitive data is accessible again.

The “New Normal” Could Make Schools An Even More Appealing Cyber Target

Schools across the United States operate with limited IT budgets. In recent years, some experts have reportedly called for more capital to be allocated to the fortification of IT systems in schools to make them less vulnerable to attacks. This investment would already have been difficult for schools to manage, but now, with cities and municipalities potentially confronting huge funding shortfalls due to COVID-19’s economic impacts, coupled with the necessary attention focused on keeping schools safe from virus spread, securing the necessary resources may take years.

This dynamic is further complicated by the fact that some schools will continue to operate online, providing more vectors for hackers to potentially exploit. According to FOX 12 Oregon, the President of the K-12 Cybersecurity Resource Center expects to see more cyber attacks as classes continue to take place online. The article also provides a suggestion from the Department of Education that “people regularly update security software on their computers, and tell children to use different and unique passwords for every online account that include symbols, numbers, uppercase and lowercase letters.”

June 2020: Schools Globally Faced 60% More Malware Incidents Than Corporations

Wily hackers, unsurprisingly, have been keen to exploit these weaknesses. According to Wired, this past June, over 4.7 million malware incidents were detected in the education industry worldwide—around 60% higher than all corporate and institutional incidents that were reported.

Limited defensive capabilities may serve to exacerbate these trends. Spectrum News notes that protective measures like two-factor authentication during logins are less practical for school-aged children to undertake, further inhibiting the schools’ ability to protect against an attack. Additionally, the article cites different exposures that a breach could lead to, including:

  • Identity theft, where a hacker can use a child’s identity to open credit lines (the article mentions that freezing a child’s account on credit monitoring services such as Equifax could be a way for parents to prevent this from happening)
  • The malicious exploitation of personal information that schools keep on file relating to the students, which includes bullying, immigration status, family or medical issues, gender issues, and more.
  • One school district in Oklahoma, according to Kfor, had the start of their year delayed due to a ransomware attack.

Back in July, a ZDNet report stated that the Federal Bureau of Investigation (FBI) issued a security alert pertaining to schools and cybersecurity during the COVID-19 crisis, stating that “‘K-12 institutions have limited resources to dedicate to network defense, leaving them vulnerable to cyber attacks.’”

While attention is rightfully being paid to how schools cope with the lingering presence of COVID-19, it is important to consider other risks that may be exacerbated in this environment as well.