Privacy & Security

Are Schools Now a Step Ahead of Cybercriminals? Not Quite, New Report Suggests

By Alyson Klein — March 10, 2022 4 min read
Image of a red glowing caution sign over a dark field of data.
  • Save to favorites
  • Print

Publicly reported ransomware attacks against K-12 schools and districts increased last year, even as documented cyberattacks in the K-12 system overall fell by more than half, according to a new report released March 10.

Ransomware attacks increased from 50 in 2020 to 62 in 2021, while the number of cyberattacks in general declined for the first time in three years, from 408 in 2020 to 166 in 2021, according to the report from the K12 Security Information Exchange or K12 Six.

In fact, ransomware attacks—in which hackers essentially take a district’s data and refuse to give it back until they have received payments that can run in the hundreds of thousands of dollars—now make up the largest category of attacks for the first time since 2016, the year K12 Six began tracking cybersecurity incidents in schools.

In previous years, data breach attacks—in which someone who is not authorized to see or change certain types of data breaks into a district or school’s computer system and copies, steals, transmits, changes, or just views the information—were most common.

What’s more, ransomware attacks are increasingly coming from sophisticated cybercriminals who often work overseas in countries that are tough for U.S. law enforcement to reach, said Doug Levin, the national director of K12 SIX and one of the top experts in the country about cybersecurity for K-12 schools.

Often, these attackers intentionally target K-12 districts. They have been known to threaten to publicly release student data if their demands aren’t met and some have followed through on those threats. Others have threatened parents directly, hoping they’ll put pressure on their child’s school district to pay up.

Ransomware attacks can be very costly, in both learning time and money. Districts often close down their buildings to restore their systems. A Missouri district cited in the report, for example, closed for two days last year following an attack.

Even if districts—or their insurance companies—don’t pay a ransom, the costs of getting computer systems back in order can be “staggering,” the report said. For instance, Maryland’s Baltimore County school system spent almost $9.7 million responding to a late 2020 ransomware attack, the report notes.

Meanwhile, the seemingly dramatic decrease in the number of cyberattacks overall from 2020 to 2021 might seem like great news. But the outlook is much cloudier when you consider the broader context around K-12 cybersecurity, the report says.

To begin with, the number of cyberattacks may have been inflated during 2020, due to widespread virtual schooling across the country that year. Districts gave out millions of devices for students to use at home, on unfamiliar networks. Going back to in-person learning might have made it easier for districts to guard against attacks, the report says.

It’s also far from clear that the number of attacks has actually fallen as much as the data seem to indicate. That’s because K-12 Six is only able to count attacks that have been publicly reported. And requirements for schools to publicly report if they have been victims of cyberattacks are weak, at best, the report notes.

In fact, some districts have worked hard to avoid publicly disclosing attacks, the report says. Case-in-point: Florida’s Broward County district waited five months to report key information to people whose data was impacted, three months longer than allowed under federal rules, according to stories in the Sun Sentinel newspaper cited in the K-12 Six report.

The district also declared it had conducted its own cybersecurity investigation, but then later said the results of that inquiry weren’t put into writing, according to the K-12 Six report. And the report noted that district officials lobbied the state legislature to craft a law that would make it tougher for the public to find out about school cyberattacks.

But hiding the problem isn’t going to help, the report cautions. Weak public disclosure laws, “only [serve] to obscure the realities of school district and vendor operations from those charged with oversight, and to place school community members at unnecessary risk,” the report says.

To be sure, some districts may be much more cybersecure than they were just a few years ago since there is now a higher level of awareness of the potential for cyberattacks. Plus, insurance companies are beginning to require districts to have their own cybersecurity systems in place before they will take them on as clients. That means districts are beginning to put in place “commonsense” measures, such as multi-factor password authentication for employees and students, the report says.

“School districts may have done a modestly better job of defending their communities from cybersecurity threats” last year, the report concludes.

As in past years, larger, wealthier districts appear more likely to be the victims of cyberattacks than smaller, poorer districts, the report says. But it’s difficult to say whether that’s because hackers are more likely to target big districts, or whether larger districts are just more likely to publicly disclose attacks.

The federal government is beginning to direct its attention to K-12 cyberattacks. Congress recently passed legislation requiring a study of cyberattacks in schools, and another measure providing $1 billion to help states and local government organizations—including school districts—combat cyberattacks.

But policymakers will need to make sure all that research and money leads to, “meaningful improvements in K-12 cybersecurity risk management practices,” the report says.

Related Tags:

Events

Special Education Webinar Reading, Dyslexia, and Equity: Best Practices for Addressing a Threefold Challenge
Learn about proven strategies for instruction and intervention that support students with dyslexia.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Families & the Community Webinar
How Whole-Child Student Data Can Strengthen Family Connections
Learn how district leaders can use these actionable strategies to increase family engagement in their student’s education and boost their academic achievement.
Content provided by Panorama Education
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
College & Workforce Readiness Webinar
The School to Workforce Gap: How Are Schools Setting Students Up For Life & Lifestyle Success?
Hear from education and business leaders on how schools are preparing students for their leap into the workforce.
Content provided by Find Your Grind

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Privacy & Security Quiz
Quiz Yourself: How Much Do You Know About Digital Threats on Student Devices?
Answer 8 questions to assess your knowledge of digital threats on student devices.
Content provided by Lenovo
Privacy & Security School Facebook Pages and Privacy Concerns: What Educators Need to Know
Facebook pages can build an online school community and boost school spirit. But they can pose serious problems for student privacy.
4 min read
All seeing eyes watching a boy on his laptop as he sits at the top of a giant staircase that resembles the Facebook thumbs up icon.
Illustration by Gina Tomko/Education Week and Getty
Privacy & Security Education Dept. Slow to Recognize Seriousness of Cyberattacks, GAO Watchdog Report Finds
The federal government has largely dropped the ball on some key steps to help schools prevent and deal with cyberattacks.
3 min read
 abstract digital key with technology interface, cybersecurity, key, lock, cellphone, fingerprint, and cloud computing icons
iStock/Getty Images Plus