In the 30+ years since Ferris Bueller memorably hacked into his high school's attendance system and reduced his absences from nine times to two, cyber threats faced by school districts have increased by orders of magnitude. While every business and non-profit organization is confronted with risks such as ransomware, phishing, and denial of service attacks, school districts must exercise even greater caution, often with fewer resources, then other entities.
One expert compiled a list of 122 publicly reported cyberattacks on schools in 2018. Last year, that number increased almost threefold to 348. The majority of these incidents involved unauthorized disclosure of student data and a significant number of involved ransomware or other malware. Alarmingly, over half of the breach incidents were due to actions or inactions of people or entities known to the school district.
Phishing and Spear-Phishing
Phishing and spear-phishing, in which a cybercriminal impersonates someone known to the recipient of an email in order to obtain information – or even payment – are not threats unique to school districts; however, unlike attacking businesses, where cybercriminals first have to commit a cybercrime in order to learn the identities of their target's business contacts, the identities of most vendors and contractors servicing school districts are publicly known. Therefore, the first step in a phishing or spear-phishing attack is often done without the cybercriminal having had to commit a crime.
Phishing and spear-phishing can be very costly. Last year, a district in Kentucky thought it was paying a vendor $3.7 million. In reality, a cybercriminal sent the district a fraudulent email and documentation, resulting in the district paying the criminal, not the vendor. Thankfully, the district acted quickly and, with the assistance of state and federal law enforcement officials, was able to recover all $3.7 million. Not all districts are as lucky; two different districts in Texas were recently defrauded out of $2.3 million and almost $2 million by various phishing scams.
Phishing can also lead to cybercriminals accessing data, such as students' personally identifiable information ("PII"), as happened in San Diego, California, when the Social Security numbers and addresses of over 500,000 students were wrongfully obtained.
Less frequent incidents involve ransomware, in which educators are unable to access data until a ransom is paid, and denial of service attacks, in which cybercriminals cut off educators' access to one or more of their networks.
The common thread among all of these cyberattacks is the manner in which cybercriminals access school districts' data. With increasing frequency, cybercriminals are using actions or inactions of district users to gain access to the district's data. Going back to Ferris Bueller accessing his attendance records, it's not too hard to image Ferris tricking either Dean Rooney or his assistant Grace into granting him access to that information – without knowing that's what they were doing. The modern equivalent would be replying to an email, or even clicking on a hyperlink in a message, that looks somewhat suspicious. Believe it or not, that's all it takes for a cybercriminal to have sufficient access to a school district's entire network.
While governmental immunity tends to inoculate school districts from many civil lawsuits, it is not absolute. therefore, to protect the district's resources from both cybercriminals and litigation arising from cybercriminals accessing students' PII, districts are strongly encouraged to work with outside advisors (legal and information technology) to formulate and implement data security policies and incident response plans – and to make sure that all users follow these policies. In addition, education and training, such as on what links to follow, what makes a strong password, and what Wi-Fi network to not use, can significantly reduce the likelihood that your district will be the next victim of a cybercrime.
Originally published by School District Cybersecurity.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.