Cyber security more critical with the expansion of virtual learning
With K-12 schools already a top target for hackers prior to the pandemic due to the combination of high-value data available and the often lower level of cybersecurity measures in place, lawmakers and policymakers have emphasized the need to better protect educational institutions.

A recent report from the Consortium for School Networking found close to 100 cybersecurity bills were introduced in 27 states in 2020. California accounted for four of those bills, though none made it to Gov. Gavin Newsom’s desk. The report cited an additional 10 proposals introduced at the federal level.

As more students and educators rely on technology to support distance learning, researchers noted that the associated risks and challenges, including cyberattacks on school district networks, have also risen.

“Cybersecurity is not a new problem, but there has been an exponential growth and persistent sophistication of cyberattacks targeting school districts and other education entities during the pandemic,” according to the report. “Large and small, urban and rural, all school districts have been subjected to ransomware demands, denial of service attacks, and other costly and often operationally debilitating attacks.”

Among the most common types of cybersecurity incidents schools face are disclosures of personal data, phishing, denial of service, ransomware and other types of incidents that can lead to school disruptions and unauthorized disclosures. Ransomware has been particularly popular due to the likelihood that districts will pay ransoms to have access to student and personnel data restored quickly.

The shifts in the most common or successful types of cyberattacks show just how nimble districts must be in keeping systems up to date and students and staff aware of suspicious requests and communications. Just three years ago, a report from the K-12 Cybersecurity Resource Center found that a number of successful phishing attacks targeted at school district business officials were among the most concerning incidents. Phishing is the practice of sending bogus emails that appear to be from a reputable company, but are actually bait designed to trick the recipient into providing personal or sensitive information such as passwords or checking account, credit card and Social Security numbers.

Throughout the country, legislation addressing K-12 cybersecurity risks focuses on areas including cybersecurity instruction for students, technical assistance to schools, investments for improving technology and professional development, building a cyber workforce through career technical education and expanding cybersecurity awareness, training and research.

California districts hit by cyberattacks at the start of the 2020–21 school year
In September 2020 alone, multiple school districts in California were impacted by cybersecurity incidents. Both Ventura Unified School District and Conejo Valley USD dealt with a denial-of-service attack which briefly affected internet service and connections to the district networks. A denial-of-service attack floods a host or server with malicious traffic until legitimate users are unable to access it.

About 50 miles east, the Newhall School District had to put its classes on hold for the day after a ransomware attack. In a distance learning situation in which all classes are entirely online, that is a significant barrier to keeping students engaged and learning, district superintendent Jeff Pelzel told Stateline.

“With COVID, we don’t have the luxury of saying, ‘We want to bring you back in and teach you live right now.’ And if you sit home with paper and pencil, you’re not moving learning forward because you’re not in touch with the teacher,” he said. “It’s another layer of frustration for teachers, administrators, parents and students.”

What districts can do to mitigate cybersecurity risks
There are a number of steps districts can take to mitigate cybersecurity risks, according to the report. Local educational agencies (LEAs) should:

  • Maintain a cybersecurity insurance policy
  • Regularly audit cybersecurity preparedness
  • Regularly change and strengthen passwords
  • Use two-factor authentication
  • Routinely back up systems and keep the backups offline, or “immutable”
  • Evaluate tech inventory to eliminate unneeded internet-facing systems or servers
  • Regularly install security updates and software patches