Report: Cybersecurity Incidents at K-12 Schools Nearly Tripled in 2019
For the first time since the K-12 Cybersecurity Resource Center began collecting data, schools have canceled classes or closed due to cybersecurity attacks.
As schools become increasingly reliant on technology for teaching and learning, it is putting them at greater risk for cybersecurity incidents, which is apparent in the findings of a new cybersecurity report.
“The State of K-12 Cybersecurity: 2019 Year in Review,” released by the K-12 Cybersecurity Resource Center, found there were 348 cybersecurity incidents reported at 336 K-12 education agencies across 44 states in 2019 — a 185% increase from 122 incidents in 2018.
Of the 348 incidents, 60% were due to data breaches, primarily involving the unauthorized disclosure of student data. The second most frequent type of cyber incident was ransomware or malware at 28%. These types of incidents are the most expensive and disruptive, according to the report.
For the first time since the resource center began tracking school incidents, malware/ransomware incidents resulted in numerous school districts canceling classes or closing in 2019.
The report also shared the worst cybersecurity incidents affecting public schools in 2019, including:
- Louisana public schools: A State of Emergency was declared in July 2019 after three public school districts fell victim to ransomware, affecting 10% of Louisana’s 5,000 network servers and more than 1,500 computers.
- Rockville Centre School District: On July 25, 2019, Ryuk ransomware struck the New York school district. The district’s insurance company negotiated the ransom demand down to $88,000 from $176,000, which was covered by them.
- Las Cruces Public Schools: An October 2019 ransomware attack infected thousands of servers and devices in the New Mexico school district. The district did not pay the ransom and had to reformat nearly 30,000 devices.
The report further breaks down the characteristics of public school districts that experienced these attacks, including by community type, enrollment size, poverty status and region. See below graphic.
What Should Be Done Next?
The report ends by providing next steps that should be taken to combat these incidents. More than 50% of the 775 cybersecurity incidents impacting students and educators since 2016 were due to insiders in the school community, including vendors and other third-party partners, suggesting additional focus should be placed on shared school data.
“While school districts must be on guard against criminal actors preying on school communities from afar, they would do well to focus also on shoring up internal policies and practices involving the collection, storage, and sharing of student and employee data under their direct control,” reads the report.
To combat cybersecurity attacks, the report also recommends policymakers, school leaders, and technology leaders do the following:
- Invest in greater IT security capacity dedicated to the unique needs of school districts
- Enact federal and state school cybersecurity regulations to ensure baseline school district and vendor cybersecurity practices
- Support K-12-specific cybersecurity information sharing and research
- Invest in the development of K-12 specific cybersecurity tools
“These ideas notwithstanding, keeping K-12 schools ‘cyber secure’ is a wicked problem – one that will surely grow more severe until the practice of ongoing cybersecurity risk management becomes institutionalized in school district culture,” concludes the report. “It won’t be solved solely by an infusion of money, new technologies, new policies and regulations, or a cybersecurity awareness campaign; all are likely necessary, but how they are implemented and evolve over time to meet the specific and idiosyncratic needs and constraints facing public K-12 schools will matter most of all.”
In Florida and Michigan, respective senators Gary Peters and Rick Scott introduced a new bill called the “K-12 Cybersecurity Act” in December 2019, which pushes for some of the above recommendations, according to CISO MAG.
The bill directs the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to study the specific cybersecurity risks associated with K-12 institutions, and then develop cybersecurity recommendations and set up online tools to help schools meet cybersecurity requirements.