Opinion Blog

Rick Hess Straight Up

Education policy maven Rick Hess of the American Enterprise Institute think tank offers straight talk on matters of policy, politics, research, and reform. Read more from this blog.

Privacy & Security Opinion

What Can Be Done About K-12’s Looming Tech Nightmare?

By Rick Hess — January 24, 2022 4 min read
Image shows a multi-tailed arrow hitting the bullseye of a target.
  • Save to favorites
  • Print

School closures fueled by COVID and staffing shortages have been well documented of late. Far less attention has been paid to the spate of major school districts shuttered by cyberattacks.

Earlier this month, the Albuquerque public schools were forced to cancel classes due to a cyberattack that locked district staff out of the student-information database they use to record attendance, determine who is permitted to pick students up from school, and store student emergency contacts. Last March, the Buffalo, N.Y., district canceled classes for two days in response to a ransomware attack. Since the start of the pandemic, cyberattacks have also prompted school closures in districts including Hartford, Conn.; Newhall, Calif.; and Somerset Hills, N.J.

What can be done about this growing threat? Well, Eileen Belastock, the director of technology and information for the Nauset public schools in Massachusetts, tackles that issue in a fascinating, deeply troubling article for Education Next (remember, I’m an editor at Ed Next). In “Our Biggest Nightmare Is Here,” Belastock explores the cybersecurity risks facing America’s schools and just how ill-prepared many systems are for the challenge. At a time when schools have become extraordinarily reliant on vulnerable technology, it’s hard to think of a more important topic that gets less day-to-day attention (although Education Week’s own Alyson Klein deserves a hat tip for paying more than a little attention to it in stories like this and this).

As Belastock explains, “Of the 17 industries studied by information-security company SecurityScorecard, the education sector ranked as the least secure in 2018.” The explosion in online learning during the pandemic only exacerbated these challenges. In 2020, there were a record-breaking number of publicly reported cybersecurity incidents—“408 across 377 school districts in 40 states, according to the K–12 Cybersecurity Center,” or “a rate of more than two incidents per school day throughout 2020.”

Ransomware poses a particular danger to schools. First, hackers engage in “distributed denial-of-service attacks,” where a flood of internet traffic disrupts a district’s network and presents users from accessing payroll platforms, student schedules, or email applications. Then, while school networks are offline, they use malware to take control of a district’s data and demand a ransom to restore access.

As of this past August, Politico has reported that ransomware attacks have hit 58 education organizations and school districts, including 830 individual schools. Last March, the Broward County, Fla., district didn’t pay a $40 million ransom, leading the hackers to publish 26,000 stolen files online (these included student and staff Social Security numbers and addresses).

Things may only get worse, Belastock fears. The Consortium for School Networking has reported that hackers are shifting from companies “which are devoting increased resources to cyber defenses,” to more vulnerable sectors like “school districts, universities, and nonprofits.”

You’re not alone if you’re thinking, “Aren’t schools already wrestling with enough challenges?” I’m with you. But the reality is that the pandemic has yielded massive shifts to remote learning, with huge new outlays for hardware and software. Given the speed with which this all occurred, it’s no great surprise that much of this happened without a lot of attention to cybersecurity. And it’s not like K-12 was doing especially well on this score even before March 2020.

So, what now?

See Also

Belastock offers several practical suggestions, all of which seem wholly sensible. Since more than 90 percent of school-based cyberattacks start with phishing campaigns, in which cybercrooks try to get a user to reveal personal information or install malicious software on their computer or else impersonate a trusted party to obtain payments or financial information, she recommends cybersecurity training. Surveys suggest that educational administrators have not yet been prepared for these challenges, so such trainings could go a long way toward eliminating attacks that are the consequence of human error.

In an admonition that sounds all-too-familiar to those of us who’ve wrestled with less cataclysmic computer crashes, she also argues: “A robust backup system is the best protection against an attack, and the most effective backup systems are a) cloud-hosted or offline, b) not tied to a district’s domain, and c) inaccessible from the district network.” So, schools need to take backup seriously and do it pronto.

Finally, Belastock strongly urges school systems to obtain cyber liability insurance, which most insurance companies now offer to school districts—some for only $1,600 a year. The insurance typically covers not only any ransom itself but also experts to help analyze the breach, manage the district’s response, and recover lost revenue. Belastock argues that building this into a district budget is just accountable management and can potentially save millions.

This problem isn’t going away. Indeed, it’s a safe bet that it’s only going to get worse, as schools become ever more reliant on tech. Educational leaders and policymakers have spent the last two years investing heavily in education technology. It’s time to take aggressive steps to protect that investment.

Related Tags:

The opinions expressed in Rick Hess Straight Up are strictly those of the author(s) and do not reflect the opinions or endorsement of Editorial Projects in Education, or any of its publications.


School Climate & Safety K-12 Essentials Forum Strengthen Students’ Connections to School
Join this free event to learn how schools are creating the space for students to form strong bonds with each other and trusted adults.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
IT Infrastructure & Management Webinar
Future-Proofing Your School's Tech Ecosystem: Strategies for Asset Tracking, Sustainability, and Budget Optimization
Gain actionable insights into effective asset management, budget optimization, and sustainable IT practices.
Content provided by Follett Learning
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Budget & Finance Webinar
Innovative Funding Models: A Deep Dive into Public-Private Partnerships
Discover how innovative funding models drive educational projects forward. Join us for insights into effective PPP implementation.
Content provided by Follett Learning

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Privacy & Security Quiz
Quiz Yourself: How Much Do You Know About Cybersecurity For Schools And Districts?
Answer 6 questions about actionable cybersecurity solutions.
Content provided by FlexPoint Education Cloud
Privacy & Security A New Federal Taskforce Targets Cybersecurity in Schools
The “government coordinating council" aims to provide training, policies, and best practices.
3 min read
Illustration of computer and lock.
iStock / Getty Images Plus
Privacy & Security Q&A Why One Tech Leader Prioritizes Explaining Student Data Privacy to Teachers
Jun Kim, the director of technology for an Oklahoma school district, helped build a statewide database of vetted learning platforms.
3 min read
Jun Kim, Director of Technology for Moore Public Schools, poses for a portrait outside the Center for Technology on Dec. 13, 2023 in Moore, Okla.
Jun Kim, is the director of technology for the Moore school district in Moore, Okla., He has made securing student data a priority for the district and the state.
Brett Deering for Education Week
Privacy & Security A Massive Data Leak Exposed School Lockdown Plans. What Districts Need to Know
More than 4 million records held by school safety software company Raptor Technologies were left inadvertently exposed online.
5 min read
Concept image of security breach, system hacked alert with red broken padlock icon showing vulnerable access.
Nicolas Herrbach/iStock/Getty