A new report from the K-12 Cybersecurity Resource Center found that there was a surge in cyberattacks against K-12 schools and that changes in education modalities due to the pandemic are largely to blame.
“The 2020 calendar year saw a record-breaking number of publicly-disclosed school cyber incidents,” the report said. “Moreover, many of these incidents were significant: resulting in school closures, millions of dollars of stolen taxpayer dollars, and student data breaches directly linked to identity theft and credit fraud.”
During 2020, the K-12 Cybersecurity Resource Center’s K-12 Cyber Incident Map cataloged 408 publicly-disclosed school incidents, which includes student and staff data breaches, ransomware and other malware outbreaks, phishing attacks and other social engineering scams, denial-of-service attacks, and other cyber incidents. The K-12 Cybersecurity Resource Center said this represents an 18 percent increase in publicly-disclosed attacks from 2019.
In terms of what attacks K-12 schools are facing, 45 percent of the incidents were denial-of-service attacks, 36 percent were data breaches, 12 percent were ransomware, 2 percent were phishing, and 5 percent were categorized as “other.”
The report noted that the pattern of cyberattacks during the first quarter of 2020 – which was largely pre-pandemic – was a direct extension of trends from 2019. However, the second quarter of 2020 – which was during K-12 schools’ shifts to remote learning – marked a “sharp departure” from previous trends. During the second quarter, schools saw a rise in two new types of attacks – class and meeting invasions. The two types of invasions either targeting classes or public school board meetings are attacks where unauthorized individuals disrupt online classes, often with hate speech; shocking images, sounds, and videos; and/or threats of violence. In Q3 and Q4, invasion attacks continued but were joined by more traditional attacks.
The K-12 Cybersecurity Resource Center identified four likely culprits behind the increase in attacks.
First, schools rapidly increased their reliance on technology for education over a few short months. Schools needed to quickly deploy thousands of new devices and rapidly train teachers to begin using entirely new learning platforms. Additionally, the report noted that teachers could use free applications and services that had not undergone appropriate vetting.
Second, school district IT staff who were unable to physically service devices due to COVID-19 safety restrictions may have granted users elevated access to their devices and/or deployed remote access tools to support remote learning.
Third, remote learning devices were being used on untrusted networks in student and educator homes were re-introduced to school networks in the fall for those districts that returned to in-person or hybrid learning. The report noted that these devices may or may not have been updated or scanned for malware before that reintroduction.
Fourth, the report argued that threat actors may be growing “increasingly sophisticated in targeting school districts,” and are focusing their efforts at times during the school year that schools may be most vulnerable, including at the beginning of the school year and over Thanksgiving and winter holidays.
The report also identified recommendations for policymakers, education leaders, and school district vendors to better secure students, district employees, and taxpayer funds from the threat of cybersecurity incidents.
Schools paid a heavy price due to the increase in attacks. The report found that phishing attacks cost schools on average $2 million per incident. In 2020, $9.8 million was stolen from a single school district.
- Investing in greater IT security capacity dedicated to the unique needs of schools;
- Enacting Federal and state school cybersecurity regulations to ensure minimum school district and vendor cybersecurity practices;
- Supporting K-12 specific cybersecurity information sharing and research; and
- Investing in the development of K-12 specific cybersecurity tools.