K-12 Cybersecurity: Helping Schools Pass the Test

Mar 21, 2018

Since January 2016, cybersecurity incidents in kindergarten through 12th grade public schools across the United States have risen 223% year-over-year. In this time, 300 reported incidents resulted in leaked personal information of faculty, students and parents, lost taxpayer dollars and wasted class time due to system and network shutdowns. 1

What makes grade level institutions such an easy target? Why are K-12 attacks on the rise? Who is behind these cyber threats? What can you do right now to help safeguard personal information? Read on for key information to help protect your student body in public and private schools alike.

Figure 1: K-12 public schools that have been attacked since 2016. Source: EdTech Strategies

  • Blue pins: Phishing attacks resulting in the disclosure of personal data
  • Purple pins: Other unauthorized disclosures, breaches or hacks resulting in the disclosure of personal data
  • Yellow pins: Ransomware attacks
  • Green pins: Denial-of-service attacks
  • Red pins: Other cyber incidents resulting in school disruptions and unauthorized disclosures

Why Hacking Schools is Child’s Play

Like any cyber victim, your school becomes an automatic target the moment you house sensitive data within your school’s network. However, school-related cyber incidents are on the rise for two main reasons:

1) Schools are increasingly reliant on vulnerable technologies. Cybersecurity becomes an afterthought when software engineers rush development to market. As schools rapidly integrate digital tools and software into their regular processes, they are exposed to cyber attacks.

2) Financially motivated attackers pursue soft target industries—the education sector is one of them. Few schools have the budget and expertise to mitigate cyber risks. For every one school that has the finances to afford a robust cybersecurity program, nine others do not. Most K-12 schools task their limited staff of one or two IT employees with keeping the day-to-day operations running smoothly. These IT professionals often lack the necessary cybersecurity experience to protect schools’ sensitive data.

What information is on the line?

Schools foster collaborative learning environments, which can allow unrestricted access to information when security settings are not configured properly. It is the role of an IT security professional to ensure that the confidentiality, integrity, and availability of information are preserved. This important information includes:

  • Personally identifiable information (PII);
  • Personal health information (PHI);
  • Financial data;
  • Annual employee reviews; and
  • Testing data.

It’s critical to remember that people are at the nucleus of every cyber attack. So, who is seeking your organization’s most private and important information for profit?

A Human Face Behind Cyber Attacks

A malicious attacker is anyone seeking to gain unauthorized access to a system. This can be a single outside attacker who is motivated financially or politically, an insider such as a current or former employee or student, or even an organized crime group.

On January 31, 2018, the FBI, alongside the Department of Education's Office of the Inspector General, released a Private Industry Notification (PIN), a statement about a cybercriminal group that threatens schools and their students. “Since April 2016, a loosely affiliated group of highly trained hackers calling themselves TheDarkOverlord (TDO) have conducted various extortion schemes with a recent focus on the public school system. TDO used remote access tools to breach school district networks and then proceeded to steal sensitive data. To extort money from its victims, including students, TDO threatened violence or the release of stolen sensitive data. As of January 2018, TDO was responsible for at least 69 intrusions into schools and other businesses, the attempted sale of over 100 million records containing personally identifiable information (PII), and the release of over 200,000 records including the PII of over 7,000 students due to nonpayment of ransoms.” 2

While alarming, this information can fine-tune your approach to protecting your student body and faculty from agile and predatory cyber attackers.

A step in the right direction with Critical Security Controls (CSC)

The CIS3 Critical Security Controls are a recommended set of easily actionable cyber defenses to help you stop pervasive and dangerous attacks. Experts including NSA Red and Blue teams, the US Department of Energy nuclear energy labs, law enforcement organizations and a selection of the nation’s top forensics and incident response organizations created these controls. The key to the Controls’ success is agility in the face of a dynamic cyber threat landscape: they draw from the most common attack patterns highlighted in the leading threat reports, are updated based on new attacks and are reanalyzed by groups from Verizon to Symantec. 4

CIS recommends a series of controls as part of “Foundational Cyber Hygiene” when establishing a strong cyber security posture. Cyber hygiene refers to maintenance routines that ensure a healthy cyber security network. These five controls should be considered first, and are based on effort level and potential budgetary impact:

  1. With medium effort and a low budget, you can take a full inventory of authorized and unauthorized devices to ensure that the right people have access to your protected information.
  2. At low effort and a low expense level, you can then take an inventory of authorized and unauthorized software.
  3. With medium effort and a low budget, you can secure configurations of software and hardware to ensure that they do not become an attack vector.
  4. Using only a medium effort level and budget, you can continuously conduct vulnerability assessments and remediation to ensure your systems and networks are thoroughly safeguarded from the risk of cyber threats.
  5. While requiring a high effort level and budget, controlling the use of administrative privileges can serve as a direct barrier between your school’s vital information and the hackers that hope to profit from it.
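
As an added example (not part of the original article or of the CIS Controls themselves), one way to start on control 1 is to reconcile the devices actually observed on the network against the school's authorized asset register. The CSV layouts, asset tags, addresses and the 30-day staleness cutoff below are constructed assumptions; registered assets that stop appearing can indicate lost, stolen or retired equipment.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample data: an authorized asset register and observed network leases.
AUTHORIZED_CSV = """asset_tag,mac,owner
LAB-001,00:1A:2B:3C:4D:5E,Computer lab
LIB-014,00-1a-2b-3c-4d-5f,Library
ADM-003,001A.2B3C.4D60,Front office
"""
OBSERVED_CSV = """mac,ip,last_seen
00:1a:2b:3c:4d:5e,10.0.1.20,2018-03-20T08:15:00
001A2B3C4D5F,10.0.1.21,2018-01-05T14:02:00
de:ad:be:ef:00:01,10.0.1.77,2018-03-20T09:40:00
not-a-mac,10.0.1.99,2018-03-20T09:41:00
"""

def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits, or None if it is malformed."""
    compact = re.sub(r"[:.\-\s]", "", raw).lower()
    return compact if re.fullmatch(r"[0-9a-f]{12}", compact) else None

def reconcile(authorized_csv, observed_csv, now, stale_after_days=30):
    """Compare observed devices with the register and classify the differences."""
    authorized = {}
    for row in csv.DictReader(io.StringIO(authorized_csv)):
        mac = normalize_mac(row["mac"])
        if mac:
            authorized[mac] = row["asset_tag"]
    cutoff = now - timedelta(days=stale_after_days)
    report = {"unauthorized": [], "stale": [], "missing": [], "malformed": []}
    seen = set()
    for row in csv.DictReader(io.StringIO(observed_csv)):
        mac = normalize_mac(row["mac"])
        if mac is None:
            report["malformed"].append(row["ip"])  # unparseable record: review by hand
        elif mac not in authorized:
            report["unauthorized"].append((mac, row["ip"]))  # device not in the register
        else:
            seen.add(mac)
            if datetime.fromisoformat(row["last_seen"]) < cutoff:
                report["stale"].append(authorized[mac])  # registered, not seen recently
    report["missing"] = sorted(t for m, t in authorized.items() if m not in seen)
    return report

if __name__ == "__main__":
    print(reconcile(AUTHORIZED_CSV, OBSERVED_CSV, now=datetime(2018, 3, 21)))
```
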

The first step in implementing the Critical Security Controls (CSC) should be to identify the school district’s critical assets and resources as well as the associated risks. Critical cyber threats facing the education industry, in particular K-12, include spear phishing, ransomware, malware (other than ransomware), loss or theft of equipment, and disgruntled students or staff. The table below outlines the actions that you can take to help mitigate these threats, the cost of each action and its effort level. The level of effort is a measure of the complexity and time resources that may be expended in implementing and maintaining the specified control. Notice that, with the exception of spear phishing, implementing the foundational cyber hygiene controls assists in mitigating all of the identified threats to some degree.

Figure 2: K-12 Common Attacks mapped to CSC

While the education sector is a soft target for cyber attackers, there are immediate steps you can take to fortify your organization’s cyber security today. The steps outlined in the tables mentioned above are a great starting point for protecting your school without draining all of your resources and breaking the bank. For more information on how you can help safeguard your student body and faculty’s critical information from profiteering cyber attackers, contact our cybersecurity advisors.
