Reporting in 2019 indicates that waves of ransomware attacks continue to hit school districts; one cyber intelligence agency reports that more than 500 schools had been hit by late September. After three Louisiana districts were targeted, the Louisiana governor declared a state of emergency relating to school ransomware attacks during the summer.
Why are schools a target, and what can they do?
DATA-RICH BUT UNDER-FUNDED
Like many cities, which have also been frequent ransomware targets, schools tend to have a trove of data that can be of value to cyber thieves: information about students, their parents, the facilities and operations of the building, and more. This information may be valuable on its own, or it may be useful as background research to target a larger criminal attack. (For instance, knowing a family’s names and school hobbies can help a hacker crack passwords for bank accounts, work email, or other accounts.) Thus, being able to hijack a school’s system to copy or steal information from it is a temptation for many cyber criminals.
In addition, many school districts and independent schools lack a large IT budget that can help make sure systems, devices, and policies are state-of-the-art. Older equipment may be harder to secure; processes and policies may not be designed with current threats in mind; and personnel to carry out upgrades and training may be in short supply. In addition, with the fast proliferation of wireless devices among students and staff, the number of devices attached to the network and the activity on them is hard to police.
WHAT RANSOMWARE DOES
A hacker may penetrate a system and “hang out” for months before being detected, stealing information or using it to research future targets. The primary harm of a ransomware attack, however, is that the hacker will either lock the school out of its data, or threaten to destroy the data, unless and until a ransom is paid. Obviously, losing access to operational data, even temporarily, is a massive threat to any school or school system. So is a ransom demand, which may run into the hundreds of thousands of dollars or more. Moreover, there is no guarantee that a hacker, once paid off, will actually release or restore data it has frozen or deleted: there is indeed no honor among thieves.
STEPS TO PROTECT YOUR SCHOOL
Despite the challenges, and even on a tight budget, there are steps any school can take to protect itself. The first is disallowing the use of certain sites/apps that create or exploit vulnerabilities, such as chat and social media, on the school network (or at least by students). It may also include limiting access to webmail or other sources of the attractive – but harmful – phishing links that steal credentials and allow access to the network and its data.
In addition, staff and personnel should be trained on warning signs of a threat and how to keep their own data and devices safe. This training should be repeated regularly (perhaps at the beginning of the school year) so that it can account for current trends. Finally, having a disaster recovery plan in place can be a life-saver, in the digital sense. Knowing that your facility has regular data backups and a plan to use those if your primary data are compromised can save a lot of money, time, and anguish if your school ever does fall prey to an attack. Each of these steps requires some forethought and the ability to put some budgetary support behind it; but as in so many areas, an ounce of prevention is worth a pound of cure.