K-12 School Systems Colleges and Universities

Cybersecurity for K-12 School Systems Colleges and Universities

USA Cybersecurity is a veteran owned small business located in Washington, D.C. certified to deliver cybersecurity and digital forensic services to government agencies, government contractors and commercial businesses.  

K-12 School Systems, Colleges and Universities are vulnerable to cyberattacks because they store personal and sensitive information for thousands of students and faculty through hundreds of digital access points within their primary and remote locations. Many types of cyber crimes are perpetrated against U.S. businesses. K-12 School Systems, Colleges and Universities are vulnerable to:

  • Software virus's that damages or disables computers
  • Email phishing scams resulting in financial or information loss
  • Human error by well-intentioned employees
  • Ransomware incidents, electronic fraud or misrepresentation of information for financial gain

Don't become a victim: Secure your networks today

Our managed services and regulatory compliance offerings include using the brightest security-cleared minds and the most sophisticated equipment available. Our primary focus is to secure the infrastructure of the Continental United States (CONUS). Our secondary focus is to secure the infrastructure of our allies and friends Outside Continental United States (OCONUS). All services are provided remotely or in-person.

During the 2019 – 2020 Academic year, seven universities received ransomware attacks and/or security breaches. The most notable hacks were Michigan State University (MSU) and the University of California San Francisco (UCSF). The Michigan State hackers reportedly began publishing their stolen data available to download from the internet after their ransomware was ignored by University officials. On June 1, 2020, the UCSF School of Medicine IT department was hacked; UCSF is one of the research institutions leading efforts in the U.S. to find possible treatments for COVID-19. 

In response to cybersecurity threats the U.S. Federal Government has published Post-Pandemic National Security Action Items under the oversight of the United States Department of Defense (DoD) Instructions & Cybersecurity Maturity Model Certification (CMMC). DOD is migrating to the new CMMC framework to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC will serve as the most current verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to provide basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks. All Government contractors will be required to follow CMMC guidelines. USA Cybersecurity provides everything needed to be compliant and pass the CMMC assessments and FERPA. The Family Educational Rights and Privacy Act (FERPA) is a federal law enacted in 1974 that protects the privacy of student education records.

Cybersecurity needs to be a Priority for the Education Sector
Education institutions need to make cybersecurity a priority. Despite the sector facing major challenges such as a lack of staffing and a lack of funding and resources, cyberattacks are no less frequent or less severe in Education. In fact, they seem to be gaining ground in prevalence year-on-year as instances of breaches in schools and higher Education are widely reported. In recent years we’ve seen news of ransom attacks causing financial damage – like that on the University of Calgary where the institution allegedly handed over $20k to cybercriminals, and malware attacks causing mass disruption – similar to the disruption which, apparently, caused the Minnesota School District to shut down for a day while IT professionals rebuilt the system.

The more worrying breaches are where student safety is compromised. Educational institutions are entrusted to safeguard their students, many of whom are minors, but a weak cybersecurity infrastructure can put them at risk. This was made all too clear when the CCTV in several schools in Blackpool was allegedly breached, and the footage reportedly live-streamed on the internet. It’s an unfortunate fact that, while cybersecurity in Education is necessary to protect against financial loss and prevent disruption, it’s also crucial to protect students from harm. Which is why the sector needs to do everything it can to ensure their applications and systems are protected, and work to overcome any challenges.

Education is a target for cybercriminals
There are four key reasons why Education is a target for cybercriminals. With Education venues varying in size, purpose, and stature, the motives for attack can vary too. For example, what might be a common threat for world-renowned Universities and Colleges might not be an issue for schools or school districts. So, institutions need to evaluate the risk and understand what data is vulnerable to unauthorized access.

DDoS attacks – Distributed Denial of Service, or DDoS attacks are a common type of attack on all levels of Education venue. This is where the attacker’s motive is to cause widespread disruption to the institute’s network, having a negative effect on productivity. This can be a relatively easy attack for amateur cybercriminals to carry out, especially if the target network is poorly protected. There have been instances of students or teachers successfully carrying out a DDoS attack, with motives ranging from simply wanting a day off, to protesting the way a complaint was handled.

Data theft – This is another attack affecting all levels of Education because all institutions hold student and staff data, including sensitive details like names and addresses. This type of information can be valuable to cybercriminals for several reasons, whether they plan to sell the information to a third party or use it as a bargaining tool and extort money. The concerning aspect of this type of attack is that hackers can go unnoticed for long periods of time. As was the case at Berkeley, where at least 160,000 medical records were allegedly stolen from University computers over a number of months.

Financial gain – Another motive for hackers carrying out an attack on an Education institution is for financial gain. This might not be as high a risk for public schools, but with private institutions and Universities/Colleges handling a large number of student fees, they’re a prime target for cybercriminals. Today, it’s usual for students or parents to pay fees via an online portal, often transferring large sums of money to cover a whole term or year of tuition. Without proper protection or preparation on the part of education institutions, this presents a weak spot for cybercriminals to intercept.

Espionage – The fourth reason why Education is a target for cybercrime is espionage. In the case of higher education institutes like Universities/Colleges, they’re often centers for research and hold valuable intellectual property. Universities/Colleges need to be suitably protected, as it’s thought that scientific, engineering and medical research by UK Universities has been previously compromised by hackers, and with plenty of time and money to fund them professionals are often at the lead of these attacks.

Top reasons hackers carry out an attack on Education networks:
"Education is targeted" JISC’s 2018 Cybersecurity Posture Survey questioned IT professionals within further and higher Education. They were asked to name the top cyber threats facing their institutions, and the top three answers give us insight into the most common ways Education networks are breached. Here are the top answers:

  1. Phishing – Phishing scams often take the form of an email or instant message and are designed to trick the user into trusting the source in a fraudulent attempt to access their credentials – whether that’s sensitive student data or confidential research. This type of attack is highlighted as the top threat facing higher Education venues, suggesting hackers regularly target the sector using the method.

  2. Ransomware and Malware – Also in the top three cyber threats highlighted by the report, ransomware and malware attacks prevent users from accessing the network or files and cause disruption. More advanced forms of this threat can see attackers hold files to ransom. Ransomware or malware typically infects devices using a trojan, a file or attachment disguised to look legitimate. However, some ransomware (like the WannaCry attack) have been shown to travel between devices without user interaction.

  3. Lack of awareness – The third threat listed by professionals in both further and higher Education is a lack of awareness or accidents. This could be on the part of staff or students who aren’t sufficiently trained to practice good cyber hygiene or accidentally compromise the network.

Despite taking on different appearances, human error plays a key part in each of these three Education sector cybersecurity threats. However, with better overall cybersecurity training, and awareness on the motives and method of attackers, Education venues could better protect themselves against cyberattacks. However, the Education sector is also facing challenges which hinders progress.

Challenges facing online Education
The JISC report also investigates the challenges facing IT professionals when it comes to protecting Education networks. When asked to rate how well their institution is protected on a scale from 1 (not at all) to 10 (very well), further Education scored lower overall than higher education. The mean score for further Education institutions was 5.9, while higher Education scored 7.1.

The rationale behind lower scores included:

  • A lack of resources and budget – potentially pointing to the lack of finances to invest in cybersecurity, be it software or staff.

  • Cultural issues – a ‘Bring Your Own Device’ culture is common in Educational institutions and can present difficulties in securing the wider network, particularly with IT staff already facing stretched resources.

  • An absence of policy – setting out policies for using the network and making sure they’re adhered to can be difficult in large institutions with a dynamic user population.

Despite these challenges, the Education sector is still expected to secure their networks against unauthorized access and cyber threats. Repercussions can be as severe. Critical steps every institution should undertake to lay the foundations for a secure IT network.

K-12 School Systems Colleges and Universities digital infrastructure is poorly funded. Securing your Education IT network is challenging with poor funding and lack of resources. The Education sector should focus their efforts on minimizing the risk of a cyberattack, rather than a reactive attitude after one has happened.

  1. Training
    Providing basic training for all users of your network is one way to mitigate the effects of a lack of funding and resource.
    This can be something as simple as sharing a handbook with staff and students including information about what to look out for, and tips for practicing good cybersecurity hygiene. Giving people the necessary information to protect the network at all access points, could reduce the number of incidents caused by human error.

  2. Authentication
    Another cost-effective way to protect the safety of your institution and its students is to implement a user-friendly multi-factor authentication (MFA) tool. Including that extra security step for users who are logging onto the network will help prevent unauthorized access. An easy-to-use platform should be high on your list of things to look for in an MFA provider.

If users can use a platform self-sufficiently, there’s less likely to be a need for administrative support, so Education facilities can save on overhead costs without compromising network security.

These are just some of the cost-effective ways to protect your School, University or College from any form of unauthorized access. With the increasing frequency and potential severity cyberattacks pose to the Education sector, it’s crucial that IT professionals can work to find a solution to challenges like a lack of funding.

K-12 School Systems Colleges and Universities next steps
As online Education continues to gain momentum, Educational enterprises need to consider security threats coming from all endpoints and take steps to protect themselves from harmful and potentially life-threatening cyberattacks: Contact USA Cybersecurity