As schools around the country began the fall semester, learning plans have ranged considerably. Some started all-remote, others with a hybrid approach, and still others had all students return in-person but with new requirements for social distancing. The common goal is to keep students, teachers and staff as safe as possible, but online schooling options also bring increased risk for schools' networks and data.

While it might not seem as high value a target as, say, financial institutions, education is quickly becoming a tantalizing sector for cybercriminals. Schools are increasingly vulnerable to such attacks; there have been more than 1,000 cybersecurity incidents affecting U.S. K-12 public schools since 2016, according to the K–12 Cyber Incident Map

Why education is under siege?

There are two primary reasons: Schools hold a lot of valuable personal data, and they are sometimes more likely to be underfunded in terms of being able to apply cybersecurity measures. Criminals want to target the social security numbers of children because they are essentially a clean slate with no credit history established. This means that compromising a child's identity can go undetected for years, as they aren't focused on credit reports and credit scores like adults are.

Online and remote learning has made it harder for schools to keep this personal information secure. With students and faculty working from home, on often-unsecured internet connections and devices, opportunities for bad actors to breach networks have grown significantly.

Earlier this year, the FBI specifically warned of an increase in attacks plaguing schools. Cybercriminals can smell opportunity, so some have started to focus on the education sector due to the massive shift to distance learning. In some cases, all it takes is for one person to make a mistake, like clicking on a malicious link, and an entire school district network can become infected or suffer a data breach. 

Types of attacks

Of course, some attacks against educational institutions appear to be by insiders — specifically students.  In some cases, even if it was meant to be a prank to avoid school for a day, it doesn't mean these attacks are benign.  A well-structured distributed-denial-of-service attack could leave a school's online learning platforms and networks out of commission for days or even weeks.

Other attacks are destructive and targeted to do more than wreak havoc. Cybercriminals have increased their ransomware attacks against schools. They hold the networks and data hostage unless school districts pay the ransom. These criminals are even threatening to release personal information as another means of intimidating schools into paying. 

Everyone has a cybersecurity role to play

How can all those affected by cyber-attacks on schools try to protect themselves? And how can the risk be prevented or mitigated? The heavy lifting will need to be taken care of by individual school districts and schools. IT departments will need to take extra care in choosing secure platforms for remote teaching and add in other necessary precautions. The K-12 Cybersecurity Resource Center also offers a free assessment for school IT officials. It's a 50-question assessment that's based on the NIST Cybersecurity Framework and intended to help school districts identify and prioritize cybersecurity controls.

Cinthia Pergola helps her son Francisco during an online class at their home in Sao Paulo, Brazil amid the novel coronavirus pandemic Cinthia Pergola helps her son Francisco during an online class at their home in Sao Paulo, Brazil amid the novel coronavirus pandemic Photo: AFP / NELSON ALMEIDA

However, that doesn't mean everyone else is off the hook. There are certain things that teachers, students, and parents can do to minimize some of the risks. They include:

  • Education: Even young children can learn basic cyber hygiene, including not clicking on suspicious emails, websites, text messages and so on. Free programs are available online to give end-users essential security training and information. There's even a Garfield-themed virtual cyber training aimed at children from 6 to 11 years old.
  • Password security: Another easy step is to simply make passwords harder to guess, and also use different passwords for different accounts. School officials should implement multifactor authentication on top of this as an added security feature.
  • Examine home networks: For parents and teachers who can do so, this is probably a good time to consider adding or upgrading security solutions to protect the home network and devices from attacks. Endpoint devices should be protected with traditional antivirus (AV) and additional endpoint protection security. In addition, many home routers now include gateway security, which should also be enabled. Some cable operators and internet service providers provide free security. It's also important to make sure all default passwords are changed and that logging into home Wi-Fi requires a password.

A group effort

It's unfortunate that hackers lack the human decency to leave children and the teachers who educate them alone. Now more than ever, teachers, staff and parents need to keep cybersecurity and cyber awareness top of mind. With no concrete end in sight for remote working and learning, all parties must maintain vigilance to keep the wheel of education turning. IT departments can take the self-assessment noted above and help all end-users learn about and practice good cyber hygiene.

(Renee Tarun is a deputy chief information security officer at Fortinet. She worked with the U.S. government for over 20 years, serving more than 12 years as a cybersecurity leader for the National Security Agency.)