Privacy & Security

Are Schools Now a Step Ahead of Cybercriminals? Not Quite, New Report Suggests

By Alyson Klein — March 10, 2022 4 min read
Image of a red glowing caution sign over a dark field of data.
  • Save to favorites
  • Print

Publicly reported ransomware attacks against K-12 schools and districts increased last year, even as documented cyberattacks in the K-12 system overall fell by more than half, according to a new report released March 10.

Ransomware attacks increased from 50 in 2020 to 62 in 2021, while the number of cyberattacks in general declined for the first time in three years, from 408 in 2020 to 166 in 2021, according to the report from the K12 Security Information Exchange or K12 Six.

In fact, ransomware attacks—in which hackers essentially take a district’s data and refuse to give it back until they have received payments that can run in the hundreds of thousands of dollars—now make up the largest category of attacks for the first time since 2016, the year K12 Six began tracking cybersecurity incidents in schools.

In previous years, data breach attacks—in which someone who is not authorized to see or change certain types of data breaks into a district or school’s computer system and copies, steals, transmits, changes, or just views the information—were most common.

What’s more, ransomware attacks are increasingly coming from sophisticated cybercriminals who often work overseas in countries that are tough for U.S. law enforcement to reach, said Doug Levin, the national director of K12 SIX and one of the top experts in the country about cybersecurity for K-12 schools.

Often, these attackers intentionally target K-12 districts. They have been known to threaten to publicly release student data if their demands aren’t met and some have followed through on those threats. Others have threatened parents directly, hoping they’ll put pressure on their child’s school district to pay up.

Ransomware attacks can be very costly, in both learning time and money. Districts often close down their buildings to restore their systems. A Missouri district cited in the report, for example, closed for two days last year following an attack.

Even if districts—or their insurance companies—don’t pay a ransom, the costs of getting computer systems back in order can be “staggering,” the report said. For instance, Maryland’s Baltimore County school system spent almost $9.7 million responding to a late 2020 ransomware attack, the report notes.

Meanwhile, the seemingly dramatic decrease in the number of cyberattacks overall from 2020 to 2021 might seem like great news. But the outlook is much cloudier when you consider the broader context around K-12 cybersecurity, the report says.

To begin with, the number of cyberattacks may have been inflated during 2020, due to widespread virtual schooling across the country that year. Districts gave out millions of devices for students to use at home, on unfamiliar networks. Going back to in-person learning might have made it easier for districts to guard against attacks, the report says.

It’s also far from clear that the number of attacks has actually fallen as much as the data seem to indicate. That’s because K-12 Six is only able to count attacks that have been publicly reported. And requirements for schools to publicly report if they have been victims of cyberattacks are weak, at best, the report notes.

In fact, some districts have worked hard to avoid publicly disclosing attacks, the report says. Case-in-point: Florida’s Broward County district waited five months to report key information to people whose data was impacted, three months longer than allowed under federal rules, according to stories in the Sun Sentinel newspaper cited in the K-12 Six report.

The district also declared it had conducted its own cybersecurity investigation, but then later said the results of that inquiry weren’t put into writing, according to the K-12 Six report. And the report noted that district officials lobbied the state legislature to craft a law that would make it tougher for the public to find out about school cyberattacks.

But hiding the problem isn’t going to help, the report cautions. Weak public disclosure laws, “only [serve] to obscure the realities of school district and vendor operations from those charged with oversight, and to place school community members at unnecessary risk,” the report says.

To be sure, some districts may be much more cybersecure than they were just a few years ago since there is now a higher level of awareness of the potential for cyberattacks. Plus, insurance companies are beginning to require districts to have their own cybersecurity systems in place before they will take them on as clients. That means districts are beginning to put in place “commonsense” measures, such as multi-factor password authentication for employees and students, the report says.

“School districts may have done a modestly better job of defending their communities from cybersecurity threats” last year, the report concludes.

As in past years, larger, wealthier districts appear more likely to be the victims of cyberattacks than smaller, poorer districts, the report says. But it’s difficult to say whether that’s because hackers are more likely to target big districts, or whether larger districts are just more likely to publicly disclose attacks.

The federal government is beginning to direct its attention to K-12 cyberattacks. Congress recently passed legislation requiring a study of cyberattacks in schools, and another measure providing $1 billion to help states and local government organizations—including school districts—combat cyberattacks.

But policymakers will need to make sure all that research and money leads to, “meaningful improvements in K-12 cybersecurity risk management practices,” the report says.

Related Tags:

Events

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Early Childhood Webinar
How the Science of Reading Elevates Our Early Learners to Success
From the creators of ABCmouse, learn how a solution grounded in the science of reading can prepare our youngest learners for kindergarten.
Content provided by Age of Learning
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
English-Language Learners Webinar
Classroom Strategies for Building EL Students’ Confidence and Success
Fueling success for EL students who are learning new concepts while navigating an unfamiliar language. Join the national discussion of strategies and Q&A.
Content provided by Project Lead The Way
Future of Work Live Online Discussion Seat at the Table: Understanding the Critical Link Between Student Mental Health and the Future of Work
In recent months, there’s been a rallying cry against the teaching of social-emotional skills. Discover why students need these skills now more than ever.

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Privacy & Security Cybersecurity a Top Ed-Tech Priority for States, But Funding Lags
Only 8 percent in a survey of state ed-tech leaders said their state provides “ample” funding for cybersecurity.
3 min read
 abstract digital key with technology interface, cybersecurity, key, lock, cellphone, fingerprint, and cloud computing icons
As schools increasingly turn to technology, the risk of cyberattacks have also grown.
iStock/Getty Images Plus
Privacy & Security Why the Los Angeles Cyberattack Is a Wake-Up Call for Every School District
A massive cyberattack shut off access to email and crippled the district’s website and systems used for teaching and attendance.
5 min read
Hacker attack and data breach, information leak and cybersecurity concept.
iStock/Getty Images Plus
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Privacy & Security Quiz
Quiz Yourself: How Much Do You Know About Cybersecurity?
Answer 5 questions to assess your knowledge on cybersecurity.
Content provided by Bluum
Privacy & Security 'There Are So Many Issues’: Why Schools Are Struggling to Protect Student Data
While efforts have been made to protect student data, there are still troubling examples of data breaches.
8 min read
Illustration of numerous computer windows overlapping with creepy eyeballs inside the close, open, and minimize circles within the various window screens.
Daniel Hertzberg for Education Week