In November 2019, New Jersey’s Livingston was forced to open school on a two-hour delay as it worked to wrest control of its systems back from a ransomware attack. That attack managed to take data and systems offline across nine district schools.
Right before the holiday season, California’s Tulare Joint Union High School District received a very unwelcome gift – a cyber-attack. The attack, which was described as “very bad and complicated” by the district’s assistant superintendent, Lucy Van Scyoc, in an emailed statement to the Tulare Advance-Register, reportedly went after the district’s financial and administrative accounts.
These two attacks are just a small sample of the nearly innumerable and seemingly increasing cyber-attacks that have been perpetrated against educational institutions. To learn more about why these attacks are targeting schools, we recently sat down with Larry Akinsooto, the CEO of the JDL Group.
During our discussion, we asked Larry if attacks against schools were – in fact – happening more often, who was perpetrating these attacks and what schools could do to protect themselves.
Here is what he had to say:
Equivity: We’ve seen two prominent education-focused cyber-attacks in just the past few months. How common are attacks like this against schools, school districts and institutions of higher learning? Are they becoming more frequent?
Larry: These are becoming more and more common. All different types of educational institutions are vulnerable – from K-12 to institutions of higher learning like colleges and universities. We’re seeing an increase in these attacks across the country.
Why are they being targeted? It’s simple – they’re considered a softer or easier target. Many of the K-12 schools and districts don’t have full-time staff that are responsible for cyber-security and are dedicated to protecting them. Oftentimes, these schools and districts are strapped for cash and they don’t have the funding. The limited funding that they do have goes towards their core mission – the education of children.
The individuals charged with cyber-security are multitasking – they’re doing that in addition to numerous other responsibilities. The reality is that preventing cyber-attacks is a full-time job and requires on-going training and certification. With so many different responsibilities, cyber-security becomes an afterthought.
There has been a huge increase in ransomware attacks because it’s easy money. The schools are just an easy target.
With the K-12 schools and districts, it’s often about shutting the schools down unless they get money. With higher education, malicious actors are often going after them for other reasons. They seek research information or information about alumni donors, where they can possibly get some significant dollars.
Equivity: Are any particular educational institutions more at risk than others?
Larry: I think the organizations that don’t have a fully-staffed cyber security team that’s up-to-date on their attack surface. Organizations that aren’t ready or trained to handle phishing and spear-phishing attacks – or are using legacy vendors to protect their environment – are the most susceptible.
And that’s not specific to any one type of school, district or college. That’s something that we see across the board in education. There are different types of attacks being utilized against K-12 institutions and higher education institutions, but we see schools that fit that profile across the board.
For K-12 schools, there is an entirely unique set of concerns and challenges that can arise from a successful cyber-attack. Schools could have their cafeterias or payment processing systems impacted or teachers may not be able to access their lesson plans and educational materials, making it difficult to teach their students that day’s lessons. Finally, with the advent of IoT (Internet of Things), more connected and automated buildings and devices like door locks can be compromised, making it difficult for schools to protect their students.
Equivity: Why are education networks vulnerable to attacks? What about schools and universities make their networks more vulnerable or susceptible?
Larry: There are a few reasons. Schools are strapped for money; as a result, they rely heavily on legacy systems in their operations, and it’s hard to update and monitor them around the clock.
Many of these schools – especially at the higher education level – have small groups of individuals that monitor a giant network with multiple, disparate types of users. At the JDL Group we have seen small teams of IT and cyber security professionals that must monitor a network with 15,000 users and 150,000 devices, since each student, faculty and staff member has multiple connected devices.
Trying to control and monitor all of that with a few IT folks that aren’t properly trained is virtually impossible. The lack of funding also means that they often don’t have staff members that are educated on the latest and greatest cyber threats and security solutions.
We’ve seen the government step in and put programs like E-Rate in place to help cash-strapped schools purchase modern infrastructure. But that is for infrastructure. There is no program like that for cyber-security today. However, it’s something that they’re talking about at the federal level right now, and something that could have a huge, positive impact on the cyber security of schools.
Equivity: What should schools do to protect themselves? What are three simple steps they should be taking to make their networks more secure and decrease their chances of becoming victims?
Larry: First, they need to educate the staff, the faculty and the students. They need to learn about phishing scams and spear phishing attacks. They need to be educated on how to identify them and the damage they can do.
Then, they need to partner with a technology company that is going to help them. The partner they choose should be able to educate them on the threat landscape and help them clean up their current and existing network environment.
That partner should help them to embrace new solutions – especially solutions that are easily deployed and easily managed. Their chosen partner should understand their goals, know their playbook and set up defenses appropriately.
Finally, they need to start taking cyber-security seriously.
Right now – especially with the K-12 schools – it’s all about security. The one theme that I see everywhere I travel in K-12 schools is, “security first,” and, “if you see something, say something.” But that’s about physical threats.
I’d like to see them taking cyber-security as seriously. We need to get all schools to start taking cyber-security as seriously as physical security and ramping up their defenses accordingly.