Privacy & Security

Are Schools Now a Step Ahead of Cybercriminals? Not Quite, New Report Suggests

By Alyson Klein — March 10, 2022 4 min read
Image of a red glowing caution sign over a dark field of data.
  • Save to favorites
  • Print

Publicly reported ransomware attacks against K-12 schools and districts increased last year, even as documented cyberattacks in the K-12 system overall fell by more than half, according to a new report released March 10.

Ransomware attacks increased from 50 in 2020 to 62 in 2021, while the number of cyberattacks in general declined for the first time in three years, from 408 in 2020 to 166 in 2021, according to the report from the K12 Security Information Exchange or K12 Six.

In fact, ransomware attacks—in which hackers essentially take a district’s data and refuse to give it back until they have received payments that can run in the hundreds of thousands of dollars—now make up the largest category of attacks for the first time since 2016, the year K12 Six began tracking cybersecurity incidents in schools.

In previous years, data breach attacks—in which someone who is not authorized to see or change certain types of data breaks into a district or school’s computer system and copies, steals, transmits, changes, or just views the information—were most common.

What’s more, ransomware attacks are increasingly coming from sophisticated cybercriminals who often work overseas in countries that are tough for U.S. law enforcement to reach, said Doug Levin, the national director of K12 SIX and one of the top experts in the country about cybersecurity for K-12 schools.

Often, these attackers intentionally target K-12 districts. They have been known to threaten to publicly release student data if their demands aren’t met and some have followed through on those threats. Others have threatened parents directly, hoping they’ll put pressure on their child’s school district to pay up.

Ransomware attacks can be very costly, in both learning time and money. Districts often close down their buildings to restore their systems. A Missouri district cited in the report, for example, closed for two days last year following an attack.

Even if districts—or their insurance companies—don’t pay a ransom, the costs of getting computer systems back in order can be “staggering,” the report said. For instance, Maryland’s Baltimore County school system spent almost $9.7 million responding to a late 2020 ransomware attack, the report notes.

Meanwhile, the seemingly dramatic decrease in the number of cyberattacks overall from 2020 to 2021 might seem like great news. But the outlook is much cloudier when you consider the broader context around K-12 cybersecurity, the report says.

To begin with, the number of cyberattacks may have been inflated during 2020, due to widespread virtual schooling across the country that year. Districts gave out millions of devices for students to use at home, on unfamiliar networks. Going back to in-person learning might have made it easier for districts to guard against attacks, the report says.

It’s also far from clear that the number of attacks has actually fallen as much as the data seem to indicate. That’s because K-12 Six is only able to count attacks that have been publicly reported. And requirements for schools to publicly report if they have been victims of cyberattacks are weak, at best, the report notes.

In fact, some districts have worked hard to avoid publicly disclosing attacks, the report says. Case-in-point: Florida’s Broward County district waited five months to report key information to people whose data was impacted, three months longer than allowed under federal rules, according to stories in the Sun Sentinel newspaper cited in the K-12 Six report.

The district also declared it had conducted its own cybersecurity investigation, but then later said the results of that inquiry weren’t put into writing, according to the K-12 Six report. And the report noted that district officials lobbied the state legislature to craft a law that would make it tougher for the public to find out about school cyberattacks.

But hiding the problem isn’t going to help, the report cautions. Weak public disclosure laws, “only [serve] to obscure the realities of school district and vendor operations from those charged with oversight, and to place school community members at unnecessary risk,” the report says.

To be sure, some districts may be much more cybersecure than they were just a few years ago since there is now a higher level of awareness of the potential for cyberattacks. Plus, insurance companies are beginning to require districts to have their own cybersecurity systems in place before they will take them on as clients. That means districts are beginning to put in place “commonsense” measures, such as multi-factor password authentication for employees and students, the report says.

“School districts may have done a modestly better job of defending their communities from cybersecurity threats” last year, the report concludes.

As in past years, larger, wealthier districts appear more likely to be the victims of cyberattacks than smaller, poorer districts, the report says. But it’s difficult to say whether that’s because hackers are more likely to target big districts, or whether larger districts are just more likely to publicly disclose attacks.

The federal government is beginning to direct its attention to K-12 cyberattacks. Congress recently passed legislation requiring a study of cyberattacks in schools, and another measure providing $1 billion to help states and local government organizations—including school districts—combat cyberattacks.

But policymakers will need to make sure all that research and money leads to, “meaningful improvements in K-12 cybersecurity risk management practices,” the report says.

Related Tags:

Events

School & District Management Webinar Crafting Outcomes-Based Contracts That Work for Everyone
Discover the power of outcomes-based contracts and how they can drive student achievement.
School & District Management Webinar EdMarketer Quick Hit: What’s Trending among K-12 Leaders?
What issues are keeping K-12 leaders up at night? Join us for EdMarketer Quick Hit: What’s Trending among K-12 Leaders?
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Artificial Intelligence Webinar
Teaching Students to Use Artificial Intelligence Ethically
Ready to embrace AI in your classroom? Join our master class to learn how to use AI as a tool for learning, not a replacement.
Content provided by Solution Tree

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Privacy & Security Download A Tip Sheet to Help Teachers Prevent and Respond to Doxxing
Teachers can be a target for malicious actors. Use this tip sheet to prevent and respond to doxxing.
1 min read
Image of digital safety against doxxing and privacy invasion.
Laura Baker/Education Week via Canva
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Privacy & Security Quiz
Quiz Yourself: How Much Do You Know About Cybersecurity For Schools And Districts?
Answer 6 questions about actionable cybersecurity solutions.
Content provided by FlexPoint Education Cloud
Privacy & Security What Schools Need to Know About These Federal Data-Privacy Bills
Congress is considering at least three data-privacy bills that could have big implications for schools.
5 min read
Photo illustration of a key on a digital background of zeros and ones.
E+
Privacy & Security Civil Rights Groups Seek Federal Funding Ban on AI-Powered Surveillance Tools
In a letter to the U.S. Department of Education, the coalition argued these tools could violate students' civil rights.
4 min read
Illustration of human silhouette and facial recognition.
DigitalVision Vectors / Getty