Education technology researcher Doug Levin noted that “the number of charter schools that experienced [cyber] incidents reached an all-time high during 2020 (equating to 11 percent of all incidents experienced during 2020).”
Projected losses from ransomware attacks in 2020 are expected to top $20 billion. Schools are a popular target for ransomware attacks because their data is valuable and their cyber security is often lax.
In December, the FBI and other federal agencies sounded the alarm. “Adopting tactics previously leveraged against business and industry, ransomware actors have … stolen—and threatened to leak–confidential student data to the public unless institutions pay a ransom,” they warned.
At nonprofit CharterSAFE, we have helped our charter school members resolve ransomware demands up to $400,000, and we are seeing trends in the scholastic sector of even higher demands. Then there are the additional costs of expert negotiation with the hackers and all the investigative work afterwards to determine what data was accessed and how sensitive it is.
Leaders should take the following steps to protect their school data from black hat hackers.
- Use Multi-Factor Authentication (MFA). You’ve likely used this extra layer of protection before. MFA is an effective way to require additional pieces of evidence to prove your identity. Let’s say that someone figured out the password to access staff emails. Before the hackers could fully log in, MFA would require them to go through an added step and input a real-time code to a system that only staff have access to.
- Duplicate Data. What would happen if you suddenly lost access to your online gradebook, attendance records, parent and guardian contact information, or employee payment records? To avoid that scenario, schools and networks can duplicate their critical data daily and protect that data from criminals by keeping it off the web. An example could be using two different networks, servers, or domains with different credentials and access to segregate the data and store it in two separate places in case something happens.
- Train Your Staff. Would your office manager recognize that thumb drive labeled “Teacher Cutbacks” as an attempt at social engineering, possibly leading to the transfer of malware onto your network’s computers? The State of California offers free staff training in combating social engineering and phishing for all public schools.
- Get Cyber Liability Coverage. How would your school or network handle a six-figure ransomware loss? You can make sure your school has cyber liability coverage. However, as the cost of ransomware attacks rises, coverage of cyber incidents available to schools becomes significantly limited. The insurance market will only provide coverage if there are safety precautions, like those outlined above, in place to reduce the chance and cost of ransomware.
The truth is, as ransomware and cyberattacks become increasingly aggressive, so too must our protective measures. By taking the steps outlined above, school leaders will immediately make accessing their data much harder for the hacker and will strengthen the safety of their school community’s data for years to come.
CharterSAFE is the Diamond Sponsor of the 2022 CSDC Conference. Registrants are encouraged to stop by Booth #500 to learn more about how CharterSAFE is helping their member schools enact effective risk management and obtain adequate coverage for cyber liability threats.