Special Report
School & District Management

Cyberattacks Force Schools to Bolster Online Security

By Alyson Klein — March 17, 2020

The notification came in at 5:30 a.m. that something was wrong with the servers in the Cherry Hill School District outside Philadelphia. By 7:30, Wi-Fi was down. Email too.

Superintendent Joseph Meloche and his team later learned that a hacker had taken over their system, potentially through a phishing email. It took district officials and a slew of vendors more than two weeks to get everything back up and running, from staff email to the checkout system used in the school libraries. That meant 20-hour days, with emails flying back and forth daily from 5:30 a.m. to midnight.

And although learning was uninterrupted, the experience last fall was more than just a technical nightmare, Meloche said. The district had to explain to parents why they were unable to email their child’s teacher.

“It seemed like, ‘Wow, the district is falling apart,’ but we were actually functioning and functioning well,” said Farrah Mahan, Cherry Hill’s curriculum director. Still, the task of getting back to normal was grueling. “This was a marathon, you have to be slow and steady and pace yourself. There was a lot of conversation about self-care and making sure that we were taking some moments to be offline.”

Cherry Hill is far from alone. There have been at least 775 publicly disclosed cyber incidents nationally since 2016. That includes phishing attacks, data breaches, ransomware attacks, and denial-of-service attacks, according to the K-12 Cybersecurity Resource Center. And the number of incidents more than doubled in 2019, compared with 2018, from 122 to 348.

In fact, 2019 had the highest number of incidents since Douglas Levin, the founder and president of EdTech Strategies, began tracking the problem.

One possible explanation: School hacks are increasing because K-12 school systems are so reliant on technology and have potentially valuable data on students and employees, Levin said. “There are bad guys who are targeting [schools] because they’ve become successful,” Levin said.

He added that the coronavirus pandemic could exacerbate the problem because hackers play on people’s fears, more students could be using school-issued devices at home more often, and dealing with coronavirus-related technology needs could divert IT resources away from cybersecurity efforts.

Serious Consequences

Some systems, including Alabama’s Houston County school district, have had to close or postpone classes. The Rockville Center School District outside New York City paid hackers $100,000 to recover its data, according to local news reports. (The payment was covered by the district’s insurance policy, the local radio station reported.) Back in September, Louisiana Gov. John Bel Edwards, a Democrat, declared a statewide emergency after school systems in three parishes were hit by cyberattacks.

Districts are coping mostly with ransomware attacks, which will encrypt files in a computer and can quickly render entire systems inaccessible, and phishing attacks, which seek to steal employee credentials so that hackers can get into a computer system or steal valuable data, said Amy McLaughlin, the cybersecurity director for the Consortium for School Networking.

Numbers Show K-12 Cybersecurity Falling Behind Growing Problem

Schools are increasingly becoming the victims of cyberattacks—such as phishing, ransomware, and denial-of-service—because they are easy targets.

775 publicly disclosed cyber incidents in K-12 schools since 2016, including phishing attacks, data breaches, ransomware attacks, denial-of-service attacks, and other incidents.

The number of incidents more than doubled in 2019, from 122 the previous year to 348.

Source: K-12 Cybersecurity Resource Center


44 percent of chief technology officers report their districts do not offer cybersecurity training for district employees

35 percent offer training to both teachers and principals

18 percent said their districts planned to add training this school year

73 percent of education technology leaders reported they were backing up all information and storing it off site in case of an attack

69 percent are encouraging staff to upgrade passwords

47 percent are increasing the use of encryption

34 percent are having cybersecurity practices audited by an outside organization

20 percent are convening a cybersecurity team

Source: Consortium for School Networking/Education Week

These tactics aren’t always sophisticated. The classic phishing attack could be an email that says something like “this is an emergency, please send all W-2 forms for current employees,” McLaughlin said. Or a hacker may try to copy the email of a district leader, say the superintendent, and ask their executive team to buy gift certificates and send the codes to them right away.

K-12 systems make “really easy targets” because they are staffed by helpful, diligent people, and because district leaders’ schedules are a matter of public record, so it would be easy for a hacker to include seemingly relevant details in a phishing email, McLaughlin said.

‘Cybersafety’ Is Key Word

McLaughlin’s number one piece of advice for combatting those types of scams? Train staff. And she’s not talking about a quick, 15-minute annual in-service training, sandwiched between other professional development. She’d rather see “an ongoing marketing campaign” where everyone in the district reminds staff, and even students, to report phishing scams. Districts could offer a reward each month for the person who reports the most potential problems, she suggested, or have students make posters about the problem.

Staff should be encouraged to report every possible attempt. District tech leaders “would much rather spend time saying, ‘nope that’s not legit,’ than to have someone click [on a suspicious link or email] even once.”

She also suggests districts use the term “cybersafety” when discussing these issues. “When you talk about safety, people listen,” she explained. “When you talk about cybersecurity, it sounds like some nerdy, geeky thing and their eyes glaze over.”

Reporting every possible hacking attempt is advice Cherry Hill took after the hack earlier this year. After the incident, district leadership also moved email to a cloud-based system, with two-factor authentication. And officials told employees, “If you receive an email from an external person, if you don’t recognize the person or the name, don’t click on any forms,” Mahan said. “One person in a district of 11,000 could bring down our entire system. You have to be mindful of what you’re clicking on.”

But not every district trains its employees on cybersecurity. In fact, in a survey conducted by CoSN and Education Week, 44 percent of CTOs said they don’t offer such training. Another 35 percent said they offer training to both teachers and principals. And nearly 18 percent said they planned to add training this school year.

Back Up Computer Systems

Districts also need to do some technical work, including backing up their systems, and testing those backups. “A lot of ransomware attacks are successful because backups have been compromised,” McLaughlin said. Staff should make sure they are storing files in a place where they can be backed up, not directly on their laptops.

Jason Dial, the superintendent of the Ava R1 school district, in southwestern Missouri, which experienced an attack earlier this school year, seconded that advice.

“Be sure that you have quality backup solutions,” he said. “If it hasn’t happened to you yet, it’s going to happen. In order to be ready for it, you have to make sure you have prepared yourself so that you’re not down very long.” His district, he said, had recently installed backups and “didn’t lose anything” but “if it had happened to us a year ago, we would have been in a lot worse situation.”

Many districts are already working on backups, according to the CoSN/Education Week survey of 513 K-12 technology leaders in the United States. Seventy-three percent of education technology leaders suggested they were backing up all information and storing it off site in case of an attack. Other popular strategies included encouraging staff to upgrade passwords (69 percent), increasing use of encryption (47 percent), having cybersecurity practices audited by an outside organization (34 percent), and convening a cybersecurity team (20 percent).

Sometimes, hackers demand a ransom for restoring a district’s data. McLaughlin’s advice: Don’t pony up. “I would certainly recommend against paying, because it’s just like kidnapping,” she said. “People will continue to do that if they continue to get rewarded.”

Dial said that when district officials arrived at school on the day of the hack, several printers had messages on them saying “we have locked all of your data. If you would like it back, please send an email to this email address and we will send further instructions.”

But the hackers never heard from the Missouri district. “We choose not to respond to those types of threats. We knew that we had quality backup solutions off site,” Dial said.

And, in case the worst happens, McLaughlin recommends districts have a cybersecurity plan in place that’s been read and vetted by lawyers. Key staff should know what they need to do and what sort of information they need to have, in the event that they have to call the insurance company.

District leaders also need to make sure they have an incident response plan in the event of a cyber event—and they should practice it, just like they would a fire drill, McLaughlin said. “Having that pre-prepped is so much better than trying to build an airplane while you’re flying it,” she explained.

Another piece of wisdom from district leaders who have weathered attacks: Be sure to put some money aside in case the worst happens. Bob Blalock, the technology coordinator in Houston County, said his district might have ended up in a tight financial spot without some funding in reserves.

“We were very fortunate we had some budget for an emergency situation,” he said. “We are not an affluent school system.” (Blalock declined to say just how much the district spent rectifying the situation other than that it was “very expensive.”)

Intern Jake Maher contributed to this article.
A version of this article appeared in the March 18, 2020 edition of Education Week as Cyberattacks Forcing Schools to Bolster Security
