Schools are the safest place for children to learn, but they are also one of the most vulnerable institutions in America. As more and more devices connect to the Internet, K-12 schools have become an attractive target for cyberattacks. The result is that hackers can infiltrate school networks and steal student data or hold them hostage until a ransom is paid. This danger has led many parents to worry about their kids’ safety when they head off to school every day.
What are Cyberattacks?
Cyberattacks are deliberate attacks against information technology systems and computer networks, with the intention of causing damage or disruption.
Cybercriminals in search of information they can exploit for a profit carry out these types of attacks. About a quarter of cyberattacks are carried out by organized criminals, but most cyberattacks are conducted by national governments or regional actors who pose threats not just to K-12 school systems, but also to colleges and universities, major corporations, and other organizations.
Why Do Hackers Target Schools?
Burglars don’t break into houses in order to study their architecture. Instead, they are looking for valuables or information that can help them in some way. The same is true of cybercriminals who hack schools, but instead of loot, hackers are looking for data that can be used or sold in some way, such as:
- Student data
- Medical records
- Parent contact information
- Teacher/staff contact information
For cybercriminals, the more people affected by their attacks, the better. And when it comes to school systems, they are in luck because K-12 schools rarely do enough to protect themselves from cyberattacks.
Schools tend to be behind on updating systems and software because of tight budgets and limited resources. This means hackers can target students through vulnerabilities that haven’t been patched instead of having to focus all their energies on trying to break into well-protected corporate networks.
College dorms often have even more vulnerable devices linked to the Internet, but cyberattacks against them are less likely since students have more disposable income and can pay ransoms.
Why Should Schools Be Concerned about Cybersecurity?
When cybersecurity fails in a school, it endangers children’s lives by allowing hackers to gain access to sensitive data that could be used against the adults or kids in the school. Unfortunately, this is already happening.
If these schools had been open about their security issues, then other schools might not have lost valuable time trying to figure out what needed to be done to protect themselves.
The good news is that many schools are learning about the vulnerabilities in their systems by getting hacked and then realizing just how bad it feels to be on the receiving end of an attack.
Once these schools become aware of how important cybersecurity is, they can establish protocols for preventing cyberattacks and practices for making sure that students’ data stays safe even if someone manages to hack into the system.
What Can Schools Do to Prepare for Cyberattacks?
Schools should take cyberthreats seriously by following five steps: 1) create a timeline defining what needs protecting; 2) define what “secure” means; 3) create policies and procedures for securing student data; 4) encrypt all information containing or personal information in schools; and 5) conduct ongoing cybersecurity trainings.
Create a Timeline for Protecting Information
The first step schools should take is to create a timeline of what needs to be secured, how it needs to be protected, and who will protect it.
For example, they might decide that the gym heating system with the highest priority for security upgrades because it controls HVAC air quality in classrooms where students spend most of their time.
They might also discover that the “legacy” document management system they use for student data is out-of-date and becomes obsolete every couple years – an easy target for cybercriminals – so they upgrade their systems or come up with a new way to secure this data
Define What “Secure” Means
Once schools have a timeline for security upgrades, they should define what “secure” means in terms of their data needs.
For example, if their data system has been hacked before and now falls behind on updates, it might not be as secure as they want it to be. While hackers will always find ways to break through any firewall or password system, school administrators should at least do all they can to prevent cyberattacks by keeping systems up-to-date with software patches and by following best practices for passwords.
Create Policies and Procedures for Protecting Student Data
Schools need to create policies so that teachers know what information is sensitive and how to protect it. If the school had an IT committee of teachers who made the decisions in this area, they would be able to keep in touch with teachers’ concerns so that they can prepare accordingly.
Teachers might also want to come up with their own rules for protecting information when working with students or colleagues outside of school. For example, teachers know not to share grades over unsecured email, but sometimes it’s easy to forget when you’re sending an email from your phone on your way home from work.
Having policies in place is just as important as enforcing them when worst comes to worst and data is breached. When cybersecurity fails at schools, it often means losing sensitive student data like social security numbers, grades, class schedules, medical records, test scores and more. Enforcement procedures for cybersecurity policies should include enforcing accountability if the failure was avoidable (e.g., not downloading required updates) and making sure that teachers understand why these policies are important.
Encrypt All Information Containing or Personal Student Data
Besides having encryption procedures in containing or personal should make sure they encrypt all information place to protect data, schools need to make sure that they encrypt all information containing or personal student data. That means everything from emails, test scores, grades to health records should be encrypted.
Conduct Ongoing Cybersecurity Training
Cybersecurity trainings should not just happen when people are first hired or when new systems are implemented at the beginning of the school year. These trainings should happen throughout the year and especially when a new system is implemented.
How Parents Can Help
To make sure your child feels safe at school, take these seven steps:
- Educate yourself on what types of attacks happen.
- Encourage your child not to open suspicious emails or attachments.
- Install anti-virus software on all computers used by students.
- Monitor file-sharing services, such as Dropbox.
- Keep mobile devices up to date with the latest security patches.
- Don’t allow your child to connect their personal mobile device to school computers or networks.
- Use two-factor authentication for all student accounts.