Key points:

• K-12 cybersecurity is of paramount importance in digital classrooms
• A secure by design approach can help reduce cybersecurity risks
• See related article: Reading, writing, and cybersecurity: Practicing good cyber hygiene
• Get the latest news on K-12 cybersecurity by visiting eSN’s IT Leadership page

In early September, the Cybersecurity and Infrastructure Security Agency (CISA) announced a voluntary pledge for K-12 education technology software manufacturers to commit to designing products with a greater focus on security. In the announcement, CISA mentioned that six leaders in the education software industry had already committed to the pledge: PowerSchool, ClassLink, Clever, GG4L, Instructure, and D2L.

“We need to address K-12 cybersecurity issues at its foundation by ensuring schools and administrators have access to technology and software that is safe and secure right out of the box,” said CISA director Jen Easterly. “I want to thank ClassLink, Clever, D2L, GG4L, Instructure, and PowerSchool, who have already signed this pledge and for their leadership in this area. We need all K-12 software manufacturers to help us improve cybersecurity for the education sector by committing to prioritize security as a critical element of product development.”

CISA’s principles for K-12 cybersecurity

This action brings a spotlight to the ongoing issue of K-12 cybersecurity. CISA’s goal is to persuade more K-12 software and hardware manufacturers to commit to its pledge. Signing the pledge demonstrates that the manufacturer is committing to three principles:

• Taking ownership of customer security outcomes: Includes offering Single Sign On (SSO) and security audit logs and no extra charge
• Embracing radical transparency and accountability: Includes publishing a secure by design roadmap, a vulnerability disclosure policy and security-relevant statistics and trends
• Leading from the top by making secure technology a key priority for company leadership: Includes naming a C-level leader at the company who is charged with overseeing security

Secure by design explained

What does secure by design mean? In typical software design and manufacturing, the focus is on the product’s reason for being. For example, the developers of reading improvement software are focused on building a product that delivers measurable improvements to student reading speed and comprehension. The security of the software and its user data are an afterthought. Any security considerations are made late in the development process or bolted on afterward.

In contrast, a secure by design approach means that developers bake security into the design of the product from the beginning. This has proven to be a much more effective approach to protecting software than trying to patch security holes after the fact. Secure by design was popularized by the European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018. Today, this is a more common approach to software design, but it is relatively new to K-12 education.

Ongoing K-12 cybersecurity threats

While the K-12 education industry strives for improved protection in its schools, fresh examples of security holes continue to appear on a regular basis. Most recently, Prince George’s County Public Schools was the victim of a ransomware attack on August 14 that impacted about 4,500 user accounts, mostly staff, according to the district. Cybersecurity breaches such as this can have a detrimental impact on K-12 schools, threatening both reputation and financial well-being.

Unfortunately, successful ransomware attacks can hinge on exploiting a single vulnerability hidden among the dozens of software applications running in most school districts. By following CISA’s guidance and committing to a secure by design approach to software development, developers can further reduce potential vulnerabilities and keep staff and student data more secure.

Related: Education suffers the highest rate of ransomware attacks

Key points:

• Education institutions are prime targets for hackers because they hold valuable data and often lack strong cybersecurity protections
• A crucial part of staying ahead of ransomware is staying informed
• See related article: Education suffers the highest rate of ransomware attacks

As the 2023-2024 school year commences, focus on education is accompanied by a pressing concern for better cybersecurity. Cybercriminals are poised to exploit educational institutions, seeking access to personal, financial, and health records. Recent incidents, such as New Haven School System’s $6 million breach and Prince George County schools attack, highlight potential risks facing schools today. There is a critical need for robust cybersecurity measures for protection against attacks, inclusive of a comprehensive plan to keep hackers at bay.

What’s sending hackers to schools for the ultimate ransomware field day? Educational institutions hold a wealth of valuable information but lack IT budgets and updated cybersecurity tools, making them prime targets. In a perfect world, ransomware could always be stopped at the “front door” before it enters a school’s network premises, but this is hardly the case. Detection and prevention measures such as monitoring network traffic, establishing strict permission guidelines, and implementing multi-factor authentication (MFA) to confirm identities are continuously evolving, but attackers are becoming increasingly sophisticated, often finding ways to bypass these defense measures.

Understanding why schools are prime targets is the first step to building a healthy cybersecurity ecosystem. The next step is looking at what tools are in place and considering how to optimize their performance and functionality–not only for security, but recoverability and restoration. Emphasizing backup as a key component of security strategy may be the low-effort, cost-effective solution schools need to achieve cyber-resiliency.

Stay aware: Students aren’t the only ones preparing to go back to school

We’ve witnessed an alarming surge in ransomware attacks on educational institutions. At least 120 schools have suffered a ransomware attack compared to 188 in all of 2022. Despite their crucial role in shaping the future, schools often grapple with small IT budgets, limited staff, and outdated technology, making them lucrative targets for threat actors.

With these obstacles in mind, schools are more likely to endure consequences of an attack stemming from human error from students and overly complex tech that IT staff are too strapped to manage properly. This often opens them up to the possibility of data theft, followed by extremely long recovery times. For instance, in April, Alabama-based Jefferson County Schools suffered prolonged disruptions from an attack that occurred during the end of spring break in March, and an incident at Colorado public schools in June led to data exposure of student mental health records.

Stay prepared to stay protected

A crucial part of staying ahead of ransomware is staying informed. Currently, there are types of ransomware that are intelligent enough to commit an acoustic attack by listening to your keystrokes and predicting what someone is typing with 95 percent accuracy. Hackers can listen in to text chats or leak sensitive information, which is tough to manage in a school setting given the multitude of devices and connectivity options.

Though backup typically falls second to other defense measures, its impact can be outstanding. Consider The New Haven School system, which tried to alleviate getting data back up and running by paying ransom to the attackers. The biggest concern here is there is no guarantee that stolen data will be returned post-payment.

Veeam’s 2023 Ransomware Trends Report found that while 59 percent of organizations paid the ransom and were able to recover data, 21 percent that paid the ransom still didn’t get their data back. Additionally, only 16 percent of organizations avoided paying ransom because they were able to recover from backups. The truth is, no security plan is foolproof, and schools should consider quality versus quantity when it comes to which tools to bring to the battle against cyber threats. While implementing standard security measures is highly encouraged, the reality is that nothing will keep schools completely void of ransomware attacks.

This is where data backup comes to the forefront of cybersecurity strategies. This includes conducting regular backups of school data and following the 3-2-1-1-0 strategy, comprised of three copies of data saved on two types of media, with one copy offsite and one copy offline. Should a disruption occur, this makes the difference in guaranteed availability. Incorporating strong security measures like these into backup and management practices boosts the overall resilience of a school’s data infrastructure.

Stay ahead with immutable backup storage

It’s worth noting, targeting primary data and backups is well within the realm of possibility as ransomware rises. Although criminal hackers actively target backups, these remain the best defense against ransomware. Schools must ensure they take regular backups that are immutable, stored off-site, or, ideally, both. Immutable backup storage is a type of data storage system designed to prevent unauthorized or accidental modifications, deletions, or alterations to backed-up data for a specified period. Therefore, once data is written or stored, it cannot be changed or deleted until the predefined retention period expires.

Object storage is a great partner for education as it enables versioning and object lock, rendering itself ransomware-proof. Schools should incorporate backups with hardened security and an appropriate level of redundancy for constrained IT. What’s more, it’s a simple, powerful, and secure tool that schools can use to guarantee recovery. It is generally affordable compared to file or block storage solutions, further accommodating a limited budget for school IT.

Back to school with better protection

To prepare for potential attacks, schools must establish clear roles and responsibilities for key stakeholders. With the value of data continually on the rise, it’s not a question of if a school will face an attack, but when. Cybersecurity awareness among students and staff is paramount in keeping our leaders of tomorrow and their data safe. Furthermore, aligning with the U.S. Department of Education’s Cybersecurity Resilience Efforts can provide additional resources and support.

Data should be stored in a separate system to ensure availability in case of disruption. Combat attacks on primary storage with built-in immunity as an extra layer of protection against tampering. Keep school in session with a low-effort and cost-efficient solution like on-premises object-based backup storage–a tool built for low maintenance and constrained IT.