Opinion Blog


Rick Hess Straight Up

Education policy maven Rick Hess of the American Enterprise Institute think tank offers straight talk on matters of policy, politics, research, and reform. Read more from this blog.

Privacy & Security Opinion

What Can Be Done About K-12’s Looming Tech Nightmare?

By Rick Hess — January 24, 2022 4 min read
Image shows a multi-tailed arrow hitting the bullseye of a target.
  • Save to favorites
  • Print

School closures fueled by COVID and staffing shortages have been well documented of late. Far less attention has been paid to the spate of major school districts shuttered by cyberattacks.

Earlier this month, the Albuquerque public schools were forced to cancel classes due to a cyberattack that locked district staff out of the student-information database they use to record attendance, determine who is permitted to pick students up from school, and store student emergency contacts. Last March, the Buffalo, N.Y., district canceled classes for two days in response to a ransomware attack. Since the start of the pandemic, cyberattacks have also prompted school closures in districts including Hartford, Conn.; Newhall, Calif.; and Somerset Hills, N.J.

What can be done about this growing threat? Well, Eileen Belastock, the director of technology and information for the Nauset public schools in Massachusetts, tackles that issue in a fascinating, deeply troubling article for Education Next (remember, I’m an editor at Ed Next). In “Our Biggest Nightmare Is Here,” Belastock explores the cybersecurity risks facing America’s schools and just how ill-prepared many systems are for the challenge. At a time when schools have become extraordinarily reliant on vulnerable technology, it’s hard to think of a more important topic that gets less day-to-day attention (although Education Week’s own Alyson Klein deserves a hat tip for paying more than a little attention to it in stories like this and this).

As Belastock explains, “Of the 17 industries studied by information-security company SecurityScorecard, the education sector ranked as the least secure in 2018.” The explosion in online learning during the pandemic only exacerbated these challenges. In 2020, there were a record-breaking number of publicly reported cybersecurity incidents—“408 across 377 school districts in 40 states, according to the K–12 Cybersecurity Center,” or “a rate of more than two incidents per school day throughout 2020.”

Ransomware poses a particular danger to schools. First, hackers engage in “distributed denial-of-service attacks,” where a flood of internet traffic disrupts a district’s network and presents users from accessing payroll platforms, student schedules, or email applications. Then, while school networks are offline, they use malware to take control of a district’s data and demand a ransom to restore access.

As of this past August, Politico has reported that ransomware attacks have hit 58 education organizations and school districts, including 830 individual schools. Last March, the Broward County, Fla., district didn’t pay a $40 million ransom, leading the hackers to publish 26,000 stolen files online (these included student and staff Social Security numbers and addresses).

Things may only get worse, Belastock fears. The Consortium for School Networking has reported that hackers are shifting from companies “which are devoting increased resources to cyber defenses,” to more vulnerable sectors like “school districts, universities, and nonprofits.”

You’re not alone if you’re thinking, “Aren’t schools already wrestling with enough challenges?” I’m with you. But the reality is that the pandemic has yielded massive shifts to remote learning, with huge new outlays for hardware and software. Given the speed with which this all occurred, it’s no great surprise that much of this happened without a lot of attention to cybersecurity. And it’s not like K-12 was doing especially well on this score even before March 2020.

So, what now?

See Also

Belastock offers several practical suggestions, all of which seem wholly sensible. Since more than 90 percent of school-based cyberattacks start with phishing campaigns, in which cybercrooks try to get a user to reveal personal information or install malicious software on their computer or else impersonate a trusted party to obtain payments or financial information, she recommends cybersecurity training. Surveys suggest that educational administrators have not yet been prepared for these challenges, so such trainings could go a long way toward eliminating attacks that are the consequence of human error.

In an admonition that sounds all-too-familiar to those of us who’ve wrestled with less cataclysmic computer crashes, she also argues: “A robust backup system is the best protection against an attack, and the most effective backup systems are a) cloud-hosted or offline, b) not tied to a district’s domain, and c) inaccessible from the district network.” So, schools need to take backup seriously and do it pronto.

Finally, Belastock strongly urges school systems to obtain cyber liability insurance, which most insurance companies now offer to school districts—some for only $1,600 a year. The insurance typically covers not only any ransom itself but also experts to help analyze the breach, manage the district’s response, and recover lost revenue. Belastock argues that building this into a district budget is just accountable management and can potentially save millions.

This problem isn’t going away. Indeed, it’s a safe bet that it’s only going to get worse, as schools become ever more reliant on tech. Educational leaders and policymakers have spent the last two years investing heavily in education technology. It’s time to take aggressive steps to protect that investment.

Related Tags:

The opinions expressed in Rick Hess Straight Up are strictly those of the author(s) and do not reflect the opinions or endorsement of Editorial Projects in Education, or any of its publications.

Events

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
IT Infrastructure Webinar
A New Era In Connected Learning: Security, Accessibility and Affordability for a Future-Ready Classroom
Learn about Windows 11 SE and Surface Laptop SE. Enable students to unlock learning and develop new skills.
Content provided by Microsoft Surface
Classroom Technology K-12 Essentials Forum Making Technology Work Better in Schools
Join experts for a look at the steps schools are taking (or should take) to improve the use of technology in schools.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Budget & Finance Webinar
The ABCs of ESSER: How to Make the Most of Relief Funds Before They Expire
Join a diverse group of K-12 experts to learn how to leverage federal funds before they expire and improve student learning environments.
Content provided by Johnson Controls

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Privacy & Security Download Be Ready When Parents Ask These 7 Questions About Data Privacy
These questions offer a roadmap for issues that K-12 leaders should be prepared to discuss.
1 min read
Data security and privacy concept. Visualization of personal or business information safety.
iStock/Getty Images Plus
Privacy & Security Cyber Hackers Attack Schools More Often Than You Think: 8 Ways to Stop Them
Experts say there’s no magic formula for districts to completely protect themselves from these incidents, but there are ways to reduce risk.
1 min read
Image of a red glowing caution sign over a dark field of data.
Getty
Privacy & Security What Schools Can Learn From the Biggest Cyberattack Ever on a Single District
Hackers infiltrated a New York City school district vendor, jeopardizing personal information for 820,000 current and former students.
2 min read
Gloved hand reaching into a laptop screen hacking someone's account.
iStock/Getty Images Plus
Privacy & Security Are Schools Now a Step Ahead of Cybercriminals? Not Quite, New Report Suggests
Publicly reported cyberattacks against schools declined significantly over a two-year period, but ransomware attacks are rising.
4 min read
Image of a red glowing caution sign over a dark field of data.
Getty