Now considered a "national security risk," ransomware continues to dominate the news, its impact felt across virtually all industries, from healthcare to utilities, government, telecommunications, education, and beyond. And it’s showing no signs of slowing down.
In fact, ransomware attacks in the education sector are on the rise. Between 2019 and 2020, there was a 19% increase in ransomware and other cyberattacks targeting K-12 schools. Between 2021 and 2022, 56% of K-12 education organizations were hit by ransomware, a nearly 25% increase from the previous year.
What is ransomware?
Ransomware is a type of malware (or malicious software) that infiltrates a victim’s device or network and encrypts their data, rendering it inaccessible. The hacker then holds the data ransom, demanding payment from the victim in exchange for restoring the encrypted data.
However, even paying the ransom does not guarantee that your data will be restored in its entirety. According to the 2022 State of Ransomware Report from Sophos, “While paying the ransom almost always gets you some data back, the percentage of data restored after paying has dropped. On average, organizations that paid got back only 61% of their data,” leaving almost 40% of their data inaccessible.
Why are schools being targeted by ransomware?
The annual survey confirmed that the education sector, along with retail, reported the highest percentage of organizations hit by ransomware last year. And even more concerning, education ranked in the lower third of sectors able to stop their data from being encrypted in the event of an attack.
There are several reasons ransomware attacks are targeting schools, including…
- Budget constraints and limited funding for IT and cybersecurity tools
- Insufficient cybersecurity awareness and training among staff and teachers
- IT departments spread thin, especially throughout the shift to virtual learning
- Access to large quantities of sensitive student data
In addition to disrupting student learning, ransomware threatens a school’s or district’s data security and student privacy and can incur a heavy price tag, whether in the form of ransom demanded or the cost to recover encrypted data.
Layered Cybersecurity Fundamentals for K-12 Schools
To bolster your district’s defenses against ransomware and other cyberattacks, we recommend establishing a multi-layered approach to cybersecurity. In a multi-layered approach, each component of your cybersecurity plan has a backup to counter any flaws or gaps, working together to build a solid foundation for your cybersecurity program.
Here are some of the fundamental security layers for K-12 schools:
- Endpoint protection. Think about all the devices in use throughout your school: laptops, tablets, workstations, and student and staff mobile devices, as well as printers, scanners, copiers, security cameras, and more. Every device connected to your school’s network is a potential entry point for hackers—and an endpoint that needs to be protected.
- Firewalls. A firewall acts as a barrier between a trusted network and an untrusted network, only allowing access to traffic that has been defined in your firewall policy. Firewalls are most effective when paired with strong content filtering solutions.
- Web content filtering. Web filtering software protects your end-users from being exposed to harmful or malicious online content. Web filtering can be deployed on-premises, but during the shift to remote learning, many schools deployed cloud-based web filtering to enable protection across all devices and learning environments.
- Email filtering. A key tool in mitigating the threat of ransomware is email filtering software. Phishing emails that bait recipients into clicking a malicious link or downloading an infected file are one of the most common ways hackers access networks to deploy ransomware attacks.
- Security awareness training and phishing simulations. Speaking of phishing emails, would your teachers and staff know how to spot one? Awareness of cybersecurity basics and best practices across your district is critical to ensuring that your end-users can identify phishing emails and other common cyber scams intended to trick them into giving up their passwords or downloading malicious files. This training can be reinforced periodically through activities such as phishing simulations, which test users on their vigilance in recognizing suspicious emails, further strengthening your defenses.
- Multi-factor authentication. Enabling multi-factor authentication (MFA) is one of the most important things you can do to reduce the risk of a ransomware attack against your district. A simple and highly effective cybersecurity layer, MFA requires multiple forms of verification to sign in to an application or account. For example, in addition to providing your username and password, you may also be required to enter a one-time passcode sent via email, text message, or push notification. These additional forms of authentication can stop hackers in their tracks, preventing them from exploiting weak or compromised end-user credentials to access your network.
- Backup and disaster recovery. A reliable data backup and disaster recovery solution is critical to getting your school’s operations back up and running after an IT disruption. In the event of a ransomware attack, these tools mitigate downtime and damage by allowing you to restore your data from a backup.
- Two important reminders about backup and disaster recovery: 1) Isolate your backups to ensure that if your network is breached, your backups can’t also be encrypted; and 2) don’t neglect the restoration process. Ensure you have a plan for how to restore your data after a disaster, document it, and test it.
But beware: having a secure backup of your data is no longer enough to thwart the ransom demands of cybercriminals. Wise to this tactic, hackers are now exfiltrating their victims’ data, and if the victim does not agree to pay the ransom, the hackers release the sensitive files and may even alert the media that the hack occurred.
A real-world example of this in K-12 education is the Clark County School District in Las Vegas. As reported by the Wall Street Journal, “a hacker published documents containing Social Security numbers, student grades and other private information after officials refused a ransom demanded in return for unlocking district computer servers.”
This means that even if an organization can recover its systems and data quickly following a ransomware attack, it may still end up paying the ransom to protect its reputation and limit the exposure of sensitive information.
The bottom line? The threat of ransomware is real, and no single tool is foolproof, which is why we recommend that schools implement multiple cybersecurity layers to identify threats, protect their networks, and safeguard student privacy in the fight against ransomware.
Zero-Day Threats & Why Traditional Cybersecurity Tools are Not Enough
Your cybersecurity toolkit should also be reviewed regularly. Because the cyber threat landscape is evolving so quickly, if your district is relying on the same tools you were using even just a few years ago, there are likely gaps in your security that cybercriminals are eager to uncover and exploit.
And new threats are constantly forming. These are known as “zero-day” threats.
A zero-day threat is a threat that exploits an unknown computer security vulnerability. The term is derived from the age of the exploit, which takes place before or on the first (or “zeroth”) day of a developer’s awareness of the exploit or bug. This means that there is no known security fix because developers are oblivious to the vulnerability or threat.
Zero-day threats haven’t been seen before and because of this, they can evade traditional solutions that use the signatures of known malware to detect threats. And that means relying on traditional cybersecurity tools such as antivirus software is not enough.
Advanced Security: Analyzing Context and Behavior to Detect & Respond to Breaches
While signature-based detection tools are an important first layer to protect your users and network from known threats, your cybersecurity plan should also account for the new and increasingly sophisticated threats that are emerging every day.
Most of the commonly deployed cybersecurity tools focus on keeping cybercriminals out. But what if a hacker exploits a vulnerability and sneaks past your school’s defenses? Would you be able to detect the breach? And how would you respond to the threat? These are critical considerations as schools work to avoid both the cost and the disruption associated with a cyberattack.
In response to these questions, organizations—particularly those without a large internal IT department—are increasingly turning to managed security solutions that offer advanced capabilities to defend against emerging threats while also shifting the responsibility of detection and response away from their organization.
Adding expert eyes to your defenses with managed security
Known as managed threat detection (MTR) or managed detection and response (MDR), these advanced security solutions actively monitor, hunt, and respond to threats in real time. But MTR and MDR are not simply automated processes; rather, they integrate machine learning with a highly trained human element in the form of a 24/7 threat response team or Security Operations Center (SOC).
For organizations, these managed services provide the peace of mind of knowing that cybersecurity experts are monitoring your network at all times, including the weekends, holidays, and overnight hours in which your IT staff isn’t available—all of which are prime times for cyberattacks. They are also able to analyze activity on your network based on the context of your unique environment.
For example, if a user logs in during off-hours or is accessing files he or she doesn’t usually interact with, the team analyzes that activity to determine if a breach has occurred. If a threat is identified, the affected device or endpoint can be isolated from the network, preventing widespread damage and data loss.
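The kind of contextual check described above, as an added example (not from the original article or from any vendor's product): a per-user baseline of login hours and accessed resources, built from constructed sample events, is used to flag off-hours logins and first-time file access. The event format, account names, share paths, and the one-hour tolerance are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): (timestamp, user, action, resource)
HISTORY = [
    ("2024-03-04T08:05:00", "jdoe", "login", "-"),
    ("2024-03-04T08:20:00", "jdoe", "file_read", "//fs01/gradebook"),
    ("2024-03-05T07:58:00", "jdoe", "login", "-"),
    ("2024-03-05T15:10:00", "jdoe", "file_read", "//fs01/lesson-plans"),
    ("2024-03-04T09:00:00", "asmith", "login", "-"),
    ("2024-03-04T09:30:00", "asmith", "file_read", "//fs01/payroll"),
]
NEW_EVENTS = [
    ("2024-03-06T08:10:00", "jdoe", "login", "-"),
    ("2024-03-06T08:30:00", "jdoe", "file_read", "//fs01/gradebook"),
    ("2024-03-07T02:41:00", "jdoe", "login", "-"),
    ("2024-03-07T02:44:00", "jdoe", "file_read", "//fs01/payroll"),
    ("2024-03-07T02:50:00", "newacct", "login", "-"),
]

def build_baseline(events):
    """Per user: the set of login hours and the set of resources seen before."""
    hours, resources = defaultdict(set), defaultdict(set)
    for ts, user, action, resource in events:
        if action == "login":
            hours[user].add(datetime.fromisoformat(ts).hour)
        else:
            resources[user].add(resource)
    return hours, resources

def flag_anomalies(events, baseline, tolerance=1):
    """Return (timestamp, user, reason) for events outside the user's baseline."""
    hours, resources = baseline
    alerts = []
    for ts, user, action, resource in events:
        if user not in hours and user not in resources:
            alerts.append((ts, user, "no baseline for this account"))
        elif action == "login":
            hour = datetime.fromisoformat(ts).hour
            # Circular distance so 23:00 and 00:00 count as one hour apart.
            gaps = [min(abs(hour - h), 24 - abs(hour - h)) for h in hours.get(user, ())]
            if not gaps or min(gaps) > tolerance:
                alerts.append((ts, user, f"login at {hour:02d}:00 outside usual hours"))
        elif resource not in resources.get(user, ()):
            alerts.append((ts, user, f"first access to {resource}"))
    return alerts

ALERTS = flag_anomalies(NEW_EVENTS, build_baseline(HISTORY))
```

An alert here is a prompt for an analyst to review the activity in context, not proof of a breach; a teacher grading late at night would trip the same rule.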
Shifting the Tide for Cybersecurity in K-12
Too many stories have hit the news describing the gut-wrenching feeling of a school’s staff or administration turning on their computers in the morning, only to discover that their data is encrypted or their systems inaccessible. And with limited resources both in funding and staffing, the fight against ransomware and other attacks can feel hopeless.
But your district doesn’t have to be the next target. School districts can shift the tide by continuing to build their cybersecurity defenses:
- To get started, review your existing cybersecurity program, and evaluate which layers are needed to solidify your defenses. Many of the solutions in this layered approach are available in configurations built and priced specifically for K-12 school districts. If you have an internal IT department with the capacity to do so, they can implement these solutions. If not, you can work with a solutions provider to help you implement and/or manage your program.
- From there, consider your gaps, especially around detection and response. Ask the hard questions now about what you would do in the event of an attack, as well as what impact an attack would have on your district financially, operationally, and reputationally.
As long as the education sector remains a lucrative opportunity for cybercriminals, schools will continue to be a target. By building up your layers of protection now, you can put your district in the best possible position to respond to the evolving threat landscape.
Is your school district prepared to detect and respond to a breach? Whether you need help building your cybersecurity layers or are looking for a trusted partner to manage your cybersecurity program for you, the team at Prosource is here to help you fortify your defenses, secure your district’s network, and safeguard student data and privacy.
We protect and power more than 200 school districts with IT and cybersecurity solutions built for the needs and budget considerations of K-12 schools. Contact us to discuss your needs and how your school can take a proactive approach to cybersecurity.