Report: Cybersecurity Incidents at K-12 Schools Nearly Tripled in 2019

For the first time since the K-12 Cybersecurity Resource Center began collecting data, schools have canceled classes or closed due to cybersecurity attacks.

Report: Cybersecurity Incidents at K-12 Schools Nearly Tripled in 2019

As schools become increasingly reliant on technology for teaching and learning, it is putting them at greater risk for cybersecurity incidents, which is apparent in the findings of a new cybersecurity report.

“The State of K-12 Cybersecurity: 2019 Year in Review,” released by the K-12 Cybersecurity Resource Center, found there were 348 cybersecurity incidents reported at 336 K-12 education agencies across 44 states in 2019 — a 185% increase from 122 incidents in 2018.

Of the 348 incidents, 60% were due to data breaches, primarily involving the unauthorized disclosure of student data. The second most frequent type of cyber incident was ransomware or malware at 28%. These types of incidents are the most expensive and disruptive, according to the report.

For the first time since the resource center began tracking school incidents, malware/ransomware incidents resulted in numerous school districts canceling classes or closing in 2019.

The report also shared the worst cybersecurity incidents affecting public schools in 2019, including:

  • Louisana public schools: A State of Emergency was declared in July 2019 after three public school districts fell victim to ransomware, affecting 10% of Louisana’s 5,000 network servers and more than 1,500 computers.
  • Rockville Centre School District: On July 25, 2019, Ryuk ransomware struck the New York school district. The district’s insurance company negotiated the ransom demand down to $88,000 from $176,000, which was covered by them.
  • Las Cruces Public Schools: An October 2019 ransomware attack infected thousands of servers and devices in the New Mexico school district. The district did not pay the ransom and had to reformat nearly 30,000 devices.

The report further breaks down the characteristics of public school districts that experienced these attacks, including by community type, enrollment size, poverty status and region. See below graphic.

 

What Should Be Done Next?

The report ends by providing next steps that should be taken to combat these incidents. More than 50% of the 775 cybersecurity incidents impacting students and educators since 2016 were due to insiders in the school community, including vendors and other third-party partners, suggesting additional focus should be placed on shared school data.

“While school districts must be on guard against criminal actors preying on school communities from afar, they would do well to focus also on shoring up internal policies and practices involving the collection, storage, and sharing of student and employee data under their direct control,” reads the report.

To combat cybersecurity attacks, the report also recommends policymakers, school leaders, and technology leaders do the following:

  • Invest in greater IT security capacity dedicated to the unique needs of school districts
  • Enact federal and state school cybersecurity regulations to ensure baseline school district and vendor cybersecurity practices
  • Support K-12-specific cybersecurity information sharing and research
  • Invest in the development of K-12 specific cybersecurity tools

“These ideas notwithstanding, keeping K-12 schools ‘cyber secure’ is a wicked problem – one that will surely grow more severe until the practice of ongoing cybersecurity risk management becomes institutionalized in school district culture,” concludes the report. “It won’t be solved solely by an infusion of money, new technologies, new policies and regulations, or a cybersecurity awareness campaign; all are likely necessary, but how they are implemented and evolve over time to meet the specific and idiosyncratic needs and constraints facing public K-12 schools will matter most of all.”

In Florida and Michigan, respective senators Gary Peters and Rick Scott introduced a new bill called the “K-12 Cybersecurity Act” in December 2019, which pushes for some of the above recommendations, according to CISO MAG.

The bill directs the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to study the specific cybersecurity risks associated with K-12 institutions, and then develop cybersecurity recommendations and set up online tools to help schools meet cybersecurity requirements.

About the Author

Contact:

Amy is Campus Safety’s Senior Editor. Prior to joining the editorial team in 2017, she worked in both events and digital marketing.

Amy’s mother, brother, sister-in-law and a handful of cousins are teachers, motivating her to learn and share as much as she can about campus security. She has a minor in education and has worked with children in several capacities, further deepening her passion for keeping students safe.

In her free time, Amy enjoys exploring the outdoors with her husband, her son and her dog.

Read More Articles Like This… With A FREE Subscription

Campus Safety magazine is another great resource for public safety, security and emergency management professionals. It covers all aspects of campus safety, including access control, video surveillance, mass notification and security staff practices. Whether you work in K-12, higher ed, a hospital or corporation, Campus Safety magazine is here to help you do your job better!

Get your free subscription today!


Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters
Campus Safety Online Summit Registration Promo Campus Safety HQ