Cybercriminals are after our kids’ data online. There’s help for parents and schools | Opinion
Schools are vital to our way of life. I stand firmly in my belief that there is no more important institution to the future prosperity and strength of the United States than our nation’s K-12 education system. Disruptions to our education system due to cyberattacks and cybersecurity vulnerabilities are simply unacceptable.
Parents, I’m talking directly to you. You probably know what physical security measures are being employed at your child’s school. Do you also know what cybersecurity steps are being taken to protect your children’s personal information from online criminals?
We currently see a growing number of cyberattacks at K-12 schools, disrupting the delivery of critical education services across the country, and threats such as ransomware are threatening teachers’ and administrators’ abilities to educate children. These threats are widespread, quite calculated and often involve the theft of personal information from one of our most vulnerable populations — our children.
If someone had told me 10 or 20 years ago that in the near future, school districts across our region would have to shut down services because of cybersecurity breaches, I might not have believed it. But over the past several years, the education sector — especially K-12 institutions — has been a frequent target of ransomware attacks, phishing schemes and data breaches that have led to the theft of our children’s digital identities by cyber-criminals. That’s meant restricted access to networks and data, delayed exams and even canceled school days.
Children’s personally identifiable information is a particularly valuable commodity for online criminals. These thieves can use a child’s stolen Social Security number to open illegal lines of credit, make large purchases and rack up enormous amounts of debt. All of this nefarious activity might go undetected for years, and might not be discovered at all until children are old enough to open their first bank account or use their Social Security number for financial purposes. Sadly, the sale of stolen identities on the dark web by cyber-criminals is rampant.
The pandemic significantly tested the nation’s education system, necessitating an unexpected pivot to virtual learning that rendered our K-12 educational institutions increasingly vulnerable as new technologies were adopted on an unprecedented scale. School districts implemented new virtual networking technologies that facilitated distance learning and made schools more efficient and effective, but the online crooks were watching.
This technological gain was accompanied by heightened technological risks that were quickly exploited. Malicious cyber-criminals escalated their targeting of K-12 education organizations across the country, with catastrophic impacts on students, their families and school staff.
K-12 schools lag behind on tech security
The sad reality is that school districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable. We refer to them as “target-rich/cyber-poor.” However, online criminals can also put even school districts with robust tech security programs at risk. K-12 institutions have become particularly lucrative targets, and research shows that many of these schools are in dire need of significant cybersecurity improvements.
A recent report issued by the Center for Internet Security states that the K-12 sector lags behind others when comparing cybersecurity program maturity. For example, in data collected from 197 school districts during the 2021-2022 academic year, K-12 schools averaged 3.55 out of 7 on a “cyber-maturity” scale that CIS uses to gauge organizations’ progress in implementing basic security practices such as multifactor authentication, employee training and incident response planning.
The report found that 81% of schools hadn’t fully implemented multifactor authentication, with 29% not using it at all. At 20% of the schools studied, cybersecurity accounted for less than 1% of the information technology budget, and on average K-12 schools only spent 8% of their IT budgets on security. This is not sustainable.
The good news is that there are four very simple things that every K-12 school can do to make themselves more secure right away: Enable multifactor authentication. Use strong passwords. Think before you click. And update software regularly. The federal Cybersecurity and Infrastructure Security Agency explains these easy steps at its “4 Things You Can Do To Keep Yourself Cyber Safe “page.
Our agency also provides tips devoted solely to stopping ransomware attacks in K-12 schools by providing school district staff, parents and students with resources necessary to understand and protect themselves against ransomware. And finally, CISA provides an online toolkit with recommendations, guidelines and planning resources to help schools bolster their cybersecurity no matter where they fall on the cybersecurity spectrum. All of these services are provided at no cost.
I encourage parents to reach out to your child’s school or school district. Ask what is being done to secure their personal information. The Cybersecurity and Infrastructure Security Agency applauds the K-12 schools in our region that are placing emphasis on online security, and we welcome any K-12 school district to contact us with questions or requests for assistance.
No single organization can confront today’s complex cybersecurity threat landscape alone. It takes all of us working together to secure our K-12 students from risk online.
This story was originally published September 18, 2023 at 5:08 AM.