Best practices for preventing and preparing for cyberattacks in K-12 schools
Being the target of a cyberattack is no longer a matter of if, but when, said Jeremy Koellish, director of information services and technology at San Luis Coastal Unified School District, during a panel discussion about cybersecurity at CSBA’s Annual Education Conference and Trade Show in December.
The new frontier in school safety
By Heather Kemp

The session, moderated by CSBA CEO & Executive Director Vernon M. Billy, featured Koellish and Los Angeles USD Superintendent Alberto Carvalho recounting attacks on their respective districts in 2022.

In both cases, the “when” was on long holiday weekends — a time criminals likely assume no one is monitoring a local educational agency’s systems.

The districts’ stories exemplify an issue that is becoming increasingly worrisome for K-12 leaders. The impacts of cybersecurity incidents can be significant for LEAs, causing monetary losses and learning disruption, among other complications.

Information technology (IT) is critical to conducting many school-based operations. Cyberattacks can leave LEAs unable to perform functions as basic as providing academic instruction or paying employees. Schools’ reliance on IT to deliver instruction and services to students increased during the COVID-19 pandemic, further amplifying their vulnerability.

In 2022, 45 school districts operating 1,981 schools were impacted by ransomware, according to Emsisoft Malware Lab’s The State of Ransomware in the US: Report and Statistics 2022.

The last few years have seen an increase in ransomware incidents and the average cost of data breaches, according to David Lane, commander of the California Cyber Security Integration Center (Cal-CSIC), who also presented at the AEC session. Cal-CSIC acts as the state’s hub for cybersecurity preparedness and response and interacts and shares intelligence with agencies at the local, state and federal levels. “We’re here to help,” Lane said.

Under Assembly Bill 2355, signed by Gov. Gavin Newsom in September 2022, LEAs are now required to report cyberattacks to Cal-CSIC if more than 500 people are impacted. Cal-CSIC is tasked with creating a database to track the incidents and submitting a report to the Governor and “relevant policy committees of the Legislature” annually by Jan. 1.

National efforts to stop or disturb bad actors — such as the U.S. Department of Justice’s months-long “disruption campaign,” which involved the Federal Bureau of Investigation infiltrating the network of a ransomware group that had targeted more than 1,500 victims including schools — are ongoing, but LEAs must also take steps to protect themselves.

Knowing where to start or what resources are available can be difficult when dealing with such a complex and ever-evolving subject. Lane recommended three questions trustees should ask their IT teams or vendors:

  1. How are you identifying your sensitive data and who has access to it?
  2. Is your most sensitive data backed up with confidence?
  3. Do you have an action plan to leverage in the event of a cyber incident?

Koellish suggested conducting a security audit on the district’s networks to know where things stand and where improvements should be made. Districts should also consider investing in cybersecurity or making sure the amount of cybersecurity insurance they have is adequate.

Preparing and reacting
When San Luis Coastal USD was hit, Koellish and his team weren’t aware of assistance available through groups like Cal-CSIC. A veteran in the field, Koellish worked for a private entity before making the jump to education and had previously experienced 10 ransomware attacks.

He advises LEAs to have a plan in place to continue operations should they be attacked. District leaders may even consider including it in disaster preparedness plans. “The reality is, in the moment, it’s a very terrifying situation and the bad actors contact you to make it even more terrifying, so you have to have a plan,” Koellish said.

Getting through an attack can take financial, technical and/or emotional tolls on districts and months to unwind, as is illustrated through San Luis Coastal USD’s experience.

The LEA was hit in May 2022 and, at the time, didn’t think the cybercriminals had gotten any substantial information from them. Through discovery conducted by a third-party IT forensic company hired by their insurance following the incident, the district learned that their network was compromised for roughly five days before the attack. The cyberattackers waited for a three-day weekend to have free rein while staff was off.

Ransomware is defined by the Cybersecurity & Infrastructure Security Agency (CISA) as “a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.”

The district received just one call from the bad actors. Their contingency plan was put into action and systems were recovered and were being monitored. The plan included shutting off infected servers, restoring a trusted backup, working to address the point of access that allowed cybercriminals to enter, auditing the network to make sure the hackers didn’t have persistent access, and forcing wholesale password changes.

In July, Cal OES reached out to the district to inform them that sensitive data had been posted to the darknet. They worked with Cal OES and their insurance to get the data taken down.

Though the bad actors were only able to collect 8 gigabytes of information, it consisted of employee Social Security Numbers, including Koellish’s, which was accessed through a health insurance form saved on district servers.

“Those files did not need to be saved on our servers,” Koellish said. “You don’t always have to have a technical approach. Audit and evaluate what data is on your network and if you really do need to keep it. Had that information not been on our servers, we would have just continued on with our lives and that would have been it.”

Koellish said the district opted to be as transparent as possible with staff about the breach and shared resources with them like credit-monitoring tools. Leadership also made themselves available to address questions or concerns.

Chris Ungar, a board member at San Luis Coastal USD and CSBA Past President, recalled the assistant superintendent of business personally reviewing thousands of pieces of data that were hacked. “The board was kept informed by the administration as [the situation] unfolded and as we worked with law enforcement and our insurance carrier,” he said.

Ungar shared what the board learned from the attack, saying: “First and foremost, every organization should expect to be hacked. That means that preventative measures are key to recovery. Invest in backups and save, save, save. Also, make cybersecurity a priority, not only with the IT department, but with all staff and students who use the system. There are tons of ways to hack into a network; close as many of those doors as you can. We were advised by law enforcement never to pay a ransom, and, in fact, our attorneys indicated that ransom payments might be an illegal use of public funds.

“Boards should have a general knowledge of cybersecurity so that they can initiate and support policies related to the issues of security, technology and instruction,” he continued. “We don’t need to be experts; however, we should understand the importance of technology as it relates to student learning and achievement.” 

Best practices
Koellish recognized that it is typically IT’s job to teach proper security practices but clarified that it is a team effort to keep networks secure, as various positions have access to private student information like grades, individualized education programs (IEPs) and medical information.

“There’s a balance between security and ease of use … [we] all have to take a greater sense of ownership when it comes to networks,” he said.

For staff, this can include things as simple as being taught strong password practices (containing at least eight characters, not including words associated with the district like a mascot, and not using a recycled password) and being cautioned about phishing.

In one midsize California district, IT has employed a unique approach to educating its community on typical email phishing schemes, which can infect a network when a link in an email from a seemingly known source is clicked on. “We conduct ongoing training campaigns,” the LEA’s chief technology officer said. “For example, we send out a fake email, and if a user clicks on it when they shouldn’t, they get a customized message along with a video training that explains what they did wrong and what to avoid in the future.” 

Due to concern that speaking freely could bring attention to the district or make it a target for hackers, the CTO asked to remain anonymous.

The district was the target of a cyberattack during the pandemic while remote studies were taking place, according to the CTO. “[Our district] experienced what is called a Distributed Denial of Service or DDoS. A DDoS attack involves multiple connected online devices, collectively known as a botnet, to overwhelm a target website with fake traffic in an attempt to make it unusable to legitimate users,” the CTO said. “We managed the attack with the help of a service to protect our network against this type of threat. We are now moving to K-12HSN’s DDoS Mitigation Service, provided through your internet connection from your local county office of education. This service is free of charge.”

Last year, the district was able to implement the use of employee multifactor authentication, a measure many LEAs struggle to undertake due to lack of support from educators, staff or even leadership.

The CTO urged LEAs to look to the Center for Internet Security (CIS) for resources around implementing high-quality protocols and practices. The district uses CIS Critical Security Controls (CIS Controls), which align with the NIST Cybersecurity Framework.

Utilizing items like next-generation firewalls and malware/antivirus on all Windows systems was also suggested, in addition to training for staff and students and creating a “strong acceptable-use policy for students that has consequences for inappropriate use of technology.”

State and federal cybersecurity resources for K-12 schools
  • CDE’s Tips for a More Secure IT Environment
  • U.S. Department of Education Office of Educational Technology’s Resources for K-12 Districts and Higher Education Institutions
  • CISA School Safety and Security
  • National Institute of Standards and Technology
  • CSBA blog “Cybersecurity tips and resources for LEAs from AEC” on LAUSD’s experience
  • From the Field: Five tips to protect your LEA’s data, California Schools, winter 2023

Each fall, the district requires students to watch a video with information on topics including strong passwords, phishing and online safety, online meeting etiquette, cyberbullying and safety, and their digital footprint.

Additionally, the LEA recently added a cybersecurity analyst position. Having skilled technology staff is important, the CTO said, though it can be a challenge as LEAs are competing for talent with private entities that often pay better. “Therefore, we need to partner as needed with auditing firms, or smaller districts can partner with their COE or share a resource among themselves,” the CTO said. “In addition, IT staff need to network with surrounding districts/COEs and join California IT in Education (CITE). No one person has all the answers, but as an aggregate, we can work together to secure our network/systems as best as possible.”

Current and potential resources
Gov. Gavin Newsom’s 2023–24 January Budget Proposal included $28.7 million to enhance Cal-CSIC’s capacity, though the potential investment isn’t specific to LEAs. The funding would increase Cal-CSIC’s efforts around identifying and mitigating cyberthreats, including enhanced threat detection, assessments and research, and incident analysis and response.

Cal-CSIC has a number of services available to K-12 schools. Under the umbrella of the California Office of Emergency Services, it provides daily bulletins and can scan systems for vulnerabilities, perform threat assessments for network health and provide possible solutions, as well as assist should a district be attacked.

The California Department of Education recently released updated free and low-cost tips to create more secure IT environments and has compiled information on ransomware, phishing, securing systems and best practices.

The list details 20 recommendations for LEAs, including: requiring IT staff to use tiered accounts for system administration purposes; regularly reviewing and limiting the number of domain administration accounts; blocking dangerous email attachment file types; requiring regular cybersecurity awareness training for all employees; having an incident response plan; and testing your backups.

Under the U.S. Department of Homeland Security (DHS), CISA is the nation’s de facto cybersecurity agency in terms of defense, according to Joseph Oregon, chief of cybersecurity for CISA’s Region 9, which includes California.

Oregon, who also spoke at the AEC panel, noted that there are both unsophisticated hackers who may train themselves using tools from the darknet and more sophisticated hackers at play. Hacking is viewed as a business model by some. “They are collecting data points, contextualizing that data and making strategic decisions against your organization,” he said.

With infrastructure that is outdated or not “mature” enough to properly defend against attacks, schools can be easy targets. CISA can help districts identify areas of concern and risk and assist with providing technical assessments. Oregon said they are looking to connect with K-12 partners to provide free resources.

In January, CISA released Protecting Our Future: Partnering to Safeguard K-12 Organizations from Cybersecurity Threats. The report offers an overview of cybersecurity risks and challenges in schools, a guide on how to implement the most impactful security measures, and recommendations for LEAs.

Though recent incidents have led to increased attention to K-12 cybersecurity, more can be done at the federal level to protect LEAs, according to Critical Infrastructure Protection: Additional Federal Coordination Is Needed to Enhance K-12 Cybersecurity, a report published by the U.S. Government Accountability Office (GAO) in October 2022.

The GAO reviewed cybersecurity in schools and made three recommendations to the U.S. Department of Education, including:

  • Having the Secretary of Education, in partnership with CISA and other stakeholders involved with updates to the Education Facilities Sector-Specific Plan, create a collaborative mechanism to better coordinate cybersecurity efforts.
  • Creating metrics to obtain feedback and measure the effectiveness of the department’s K-12 cybersecurity resources available to LEAs.
  • Having the Secretary of Education and federal and nonfederal stakeholders determine how to help LEAs overcome challenges and consider opportunities to address cyberthreats.

Federal and state funding is another area that could be improved and is one focus of CSBA advocacy this year. Federally, there is a lack of dollars earmarked for cybersecurity, but conversations are underway to change that.

In September, LAUSD sent a letter to the Federal Communications Commission requesting that the agency authorize the use of E-Rate funds for combating cybersecurity threats at public schools. The letter was signed by 1,100 LEAs and organizations from across the nation, including CSBA.

CSBA Legislative Advocate Erika Hoffman noted that cybersecurity can be costly and many districts don’t have full-on IT teams to champion the work. In February, Hoffman submitted comments to the FCC on behalf of CSBA in support of a change to the Category 2 definition that would allow for use of some E-Rate funding for cybersecurity.

Hoffman added that CSBA would love to see more direct funding from the state, but “that’s highly unlikely with our budget.”

The pandemic forced the world and education systems to become more reliant on technology than ever and “a very strong need to have security measures in place came to the surface,” Hoffman said. “We need to address that. For student, parents and community privacy — but also to ensure that educational programs for students can continue.”

Heather Kemp is a staff writer for California Schools.