Opinion Blog

Rick Hess Straight Up

Education policy maven Rick Hess of the American Enterprise Institute think tank offers straight talk on matters of policy, politics, research, and reform. Read more from this blog.

Privacy & Security Opinion

What Can Be Done About K-12’s Looming Tech Nightmare?

By Rick Hess — January 24, 2022 4 min read
Image shows a multi-tailed arrow hitting the bullseye of a target.
  • Save to favorites
  • Print

School closures fueled by COVID and staffing shortages have been well documented of late. Far less attention has been paid to the spate of major school districts shuttered by cyberattacks.

Earlier this month, the Albuquerque public schools were forced to cancel classes due to a cyberattack that locked district staff out of the student-information database they use to record attendance, determine who is permitted to pick students up from school, and store student emergency contacts. Last March, the Buffalo, N.Y., district canceled classes for two days in response to a ransomware attack. Since the start of the pandemic, cyberattacks have also prompted school closures in districts including Hartford, Conn.; Newhall, Calif.; and Somerset Hills, N.J.

What can be done about this growing threat? Well, Eileen Belastock, the director of technology and information for the Nauset public schools in Massachusetts, tackles that issue in a fascinating, deeply troubling article for Education Next (remember, I’m an editor at Ed Next). In “Our Biggest Nightmare Is Here,” Belastock explores the cybersecurity risks facing America’s schools and just how ill-prepared many systems are for the challenge. At a time when schools have become extraordinarily reliant on vulnerable technology, it’s hard to think of a more important topic that gets less day-to-day attention (although Education Week’s own Alyson Klein deserves a hat tip for paying more than a little attention to it in stories like this and this).

As Belastock explains, “Of the 17 industries studied by information-security company SecurityScorecard, the education sector ranked as the least secure in 2018.” The explosion in online learning during the pandemic only exacerbated these challenges. In 2020, there were a record-breaking number of publicly reported cybersecurity incidents—“408 across 377 school districts in 40 states, according to the K–12 Cybersecurity Center,” or “a rate of more than two incidents per school day throughout 2020.”

Ransomware poses a particular danger to schools. First, hackers engage in “distributed denial-of-service attacks,” where a flood of internet traffic disrupts a district’s network and presents users from accessing payroll platforms, student schedules, or email applications. Then, while school networks are offline, they use malware to take control of a district’s data and demand a ransom to restore access.

As of this past August, Politico has reported that ransomware attacks have hit 58 education organizations and school districts, including 830 individual schools. Last March, the Broward County, Fla., district didn’t pay a $40 million ransom, leading the hackers to publish 26,000 stolen files online (these included student and staff Social Security numbers and addresses).

Things may only get worse, Belastock fears. The Consortium for School Networking has reported that hackers are shifting from companies “which are devoting increased resources to cyber defenses,” to more vulnerable sectors like “school districts, universities, and nonprofits.”

You’re not alone if you’re thinking, “Aren’t schools already wrestling with enough challenges?” I’m with you. But the reality is that the pandemic has yielded massive shifts to remote learning, with huge new outlays for hardware and software. Given the speed with which this all occurred, it’s no great surprise that much of this happened without a lot of attention to cybersecurity. And it’s not like K-12 was doing especially well on this score even before March 2020.

So, what now?

See Also

Belastock offers several practical suggestions, all of which seem wholly sensible. Since more than 90 percent of school-based cyberattacks start with phishing campaigns, in which cybercrooks try to get a user to reveal personal information or install malicious software on their computer or else impersonate a trusted party to obtain payments or financial information, she recommends cybersecurity training. Surveys suggest that educational administrators have not yet been prepared for these challenges, so such trainings could go a long way toward eliminating attacks that are the consequence of human error.

In an admonition that sounds all-too-familiar to those of us who’ve wrestled with less cataclysmic computer crashes, she also argues: “A robust backup system is the best protection against an attack, and the most effective backup systems are a) cloud-hosted or offline, b) not tied to a district’s domain, and c) inaccessible from the district network.” So, schools need to take backup seriously and do it pronto.

Finally, Belastock strongly urges school systems to obtain cyber liability insurance, which most insurance companies now offer to school districts—some for only $1,600 a year. The insurance typically covers not only any ransom itself but also experts to help analyze the breach, manage the district’s response, and recover lost revenue. Belastock argues that building this into a district budget is just accountable management and can potentially save millions.

This problem isn’t going away. Indeed, it’s a safe bet that it’s only going to get worse, as schools become ever more reliant on tech. Educational leaders and policymakers have spent the last two years investing heavily in education technology. It’s time to take aggressive steps to protect that investment.

Related Tags:

The opinions expressed in Rick Hess Straight Up are strictly those of the author(s) and do not reflect the opinions or endorsement of Editorial Projects in Education, or any of its publications.


English-Language Learners Webinar AI and English Learners: What Teachers Need to Know
Explore the role of AI in multilingual education and its potential limitations.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Mathematics Webinar
Pave the Path to Excellence in Math
Empower your students' math journey with Sue O'Connell, author of “Math in Practice” and “Navigating Numeracy.”
Content provided by hand2mind
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Recruitment & Retention Webinar
Combatting Teacher Shortages: Strategies for Classroom Balance and Learning Success
Learn from leaders in education as they share insights and strategies to support teachers and students.
Content provided by DreamBox Learning

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Privacy & Security 7 Data Breaches That Left Schools in the Lurch
K-12 schools are increasingly vulnerable to cyberattacks.
3 min read
Conceptual photo of blue locks and red locks that are "unlocked" and each placed in a honeycomb grid.
Privacy & Security Schools Are a Top Target of Ransomware Attacks, and It's Getting Worse
Eighty percent of school IT professionals reported that their schools were hit by ransomware in the last year, according to a Sophos survey.
3 min read
Conceptual illustration of computer with a pixelated lock on screen.
Nanzeeba Ibnat/iStock/Getty Images Plus
Privacy & Security Biden Administration Announces Cybersecurity Initiative for K-12 Schools
K-12 schools have become a big target for hackers in recent years and the cyberattacks are more sophisticated than ever.
4 min read
Special Report Cybersecurity
Privacy & Security Districts, Take Note: Privacy Is Rare in Apps Used in Schools
Not protecting students' data privacy can cause real-world harms.
4 min read
PC tablet with cloud of application icons floating from off the screen.