According to the report “The State of K-12 Cybersecurity: 2019 Year in Review,” the 2019 calendar year brought with it a series of rising cybersecurity challenges to K-12 schools. The overall number of publicly-reported incidents tripled year over year, due largely to a spike (1) in ransomware incidents targeting school districts (along with other local government agencies) and (2) in incidents experienced by 3rd parties with whom school districts share data and/or license IT services.
So far, 2020 is shaping up to tell its own unique story – one that highlights some of the unique cybersecurity challenges facing the K-12 sector. Some observations:
- The overall number of cybersecurity incidents experienced by K-12 schools remains significant (84 as of today), which equates to roughly a rate of one incident every two days. It is too early in the calendar year to make predictions about whether or not 2020 will be worse than 2019, but I feel safe in predicting that there will be more publicly-disclosed incidents in 2020 than there were in 2018.
- K-12 leaders and IT professionals continue to underestimate the cybersecurity risks they are incurring through the use of technology for school. This finding comes courtesy of a non-representative survey published by the Consortium for School Networking (CoSN). From the report:
“Cybersecurity remains the number one technology priority for IT Leaders, yet the threat is generally underestimated. For the third straight year, cybersecurity has ranked as the top priority….Despite this, results also showed an overall trend to underestimate risk—less than a fifth of respondents considered any specific threat as high risk. This runs counter to the reality that school systems are being specifically targeted by cybercriminals with reported cyber incidents tripling in one year.”
- While Windows 7 is no longer supported with security updates by Microsoft, school districts continue to rely on it (and other out-of-support software). The consulting firm FutureSource reports:
“The research also shows that nearly 10% of schools that are using Windows are still running Windows 7 on their desktop machines. As Windows 7 reached End of Life in January 2020, this means Microsoft is no longer providing patches and security updates, potentially leaving schools open to security risks. Nearly two-in-three of these schools say they will upgrade to the latest Windows OS rather than adopt a different operating system, but 20% of them are delaying or postponing the decision until an unspecified future date.”
- While public disclosure of school cybersecurity incidents remains an ongoing challenge, the shift to remote learning in response to the COVID-19 pandemic has exacerbated the issue. All that can be said with 100% certainty is that the type of school cybersecurity incidents reported on the K-12 Cyber Incident Map dramatically shifted once a majority of K-12 schools abandoned face-to-face teaching and learning (roughly since April 1):
In fact, the difference in the nature of publicly-disclosed school cybersecurity incidents before and after the shift to remote learning is like night and day. Up until March 31, the 2020 calendar year seemed to be roughly continuing the trends observed during the prior year. After that time, incidents of ransomware, other malware, and data breaches have plummeted. In their place are a spike of incidents of unauthorized access to online classes and school meetings (largely, but not exclusively involving the Zoom videoconferencing platform).
Some commentators – myself included – predicted that the large-scale shift to remote learning would lead to a greater incidence of K-12 cybersecurity incidents. As of yet, beyond incidents of Zoom-bombing, we are still waiting for the (proverbial) other shoe to drop. While there have been anecdotal reports of increased phishing attempts – and some emerging evidence of new sophisticated identity theft campaigns involving school employees (“School districts in Washington are seeing fraudulent claims for unemployment benefits“) – one can only conclude that some combination of a disruption to the normal public incident disclosure process and a shift in the school threat landscape due to remote learning is responsible for the stark changes in publicly-disclosed incident frequency and type.
- There will likely be significant cybersecurity challenges to school districts when students and teachers return to schools, bringing with them devices used during remote learning. One reason that the nature of K-12 cyber incidents shifted with the move to remote learning is that most student and teacher devices may no longer be regularly connecting to school networks. When these devices connect back to internal school networks, I expect they’ll introduce the malware they’ve managed to accumulate (via phishing, compromised home routers, etc.) in the weeks and months since they last connected. As I suggest:
Levin noted that it will be crucial to ensure vigilance remains high when educators and students return to buildings, as he tends to see an uptick in incidents at the beginning of the school year when people might not be as careful while trying to clear a backlog of emails.
“I’ve been kind of waiting for a shoe to drop, and I just haven’t really seen it outside of Zoom,” he said. “I think it’s just a matter of when, and that back-to-school timeframe may be the when.”
Taken together, I remain convinced that the need for K-12-specific threat intelligence sharing remains critical. Many of the incidents affecting school districts follow the same pattern and the timely sharing of lessons learned by forward-leaning districts would make all the difference in helping peer districts from falling victim to similar threats. The lack of a mechanism for the trusted sharing of K-12 cybersecurity information and advice remains a major barrier to meaningful improvements in the risk management practices of school districts. It is for that reason I have endorsed a new organization, K12 SIX, to address this very need. If you are interested in learning more, joining, or contributing in some way, I strongly encourage you to reach out and share your thoughts, questions, and ideas. Expect to hear more about this emergent effort soon.
In the mean time, be sure to take care of yourself. Stay healthy and safe (online and off)!