Learning Cybersecurity. PHOTO: Cybercrime Magazine.

Will Schools Ever Learn Cybersecurity?

Three schools hit by ransomware daily, but cyber education is still lagging

David Braue

Melbourne, Australia – Jul.14, 2022

The recent compromise of Iowa’s Cedar Rapids Community School District (CRCSD) — which sent around 750 students home after a major cybersecurity incident downed systems and forced the suspension of summer school classes — highlights the severe exposure of individual schools to an ongoing barrage of cybercriminal attacks.

Cybersecurity experts and incident responders converged on the district to analyze the breach, which struck over the Jul. 4 holiday weekend and took a week to resolve as cybercriminals chalked up yet another win in their relentless campaigns of disruption.

Whether as direct targets or collateral damage in blunt cyber attacks across bigger areas, cybercriminal attacks pose particular problems for schools that have long struggled to get enough money for basic supplies — much less the sophisticated cybersecurity tools and expertise to support a modern defense.

Verizon’s 2022 Data Breach Investigations Report, for one, identified 1,241 cyber incidents involving educational institutions last year alone — with 112 known attacks on bodies, typically small school districts, with 100 or fewer employees.

The relatively small size of many schools can magnify the effect of a cybersecurity attack, with ransomware attacks likely to bring down the entire network — sending students home, throwing parents’ working days into chaos, and threatening financial losses far larger than what can be recovered from a fund-raising bake sale.

Cybercrime Radio: Schools need to learn cybersecurity

Rampant attacks on K-12, higher ed

Even as CRCSD staff and supporting incident responders fought to restore services, the district’s phone services had still been compromised — directly impeding the schools’ ability to co-ordinate essential summer school programs or alternative plans.

Stolen credentials and ransomware attacks were by far the most common attack vectors used against educational institutions, Verizon’s analysis found, with 63 percent of incidents involving the compromise of personal data, 41 percent involving credentials, and 10 percent attributed to internal actors.

And while some ransomware artists had purported to have social consciences by, for example, promising to not attack healthcare facilities during the early days of the COVID-19 pandemic, those short-lived promises never extended to schools despite their social importance and limited financial means.

That exacerbates the challenges of recovery for the 954 schools and colleges that were, by one count, hit by ransomware last year — affecting over 950,000 students and costing $3.56 billion in downtime.

Still struggling to learn cyber

Ongoing ransomware attacks on schools come as no surprise to cybersecurity experts like KnowBe4 data-driven defense evangelist Roger Grimes, who notes that schools remain favored targets of unscrupulous cybercriminals

“Any time cybercriminals think they can get some leverage… they want to get paid [and they’ll do] anything they can do to cause immense pain,” Grimes told Cybercrime Magazine.

“It’s unfortunate that these unethical, illegal miscreants feel like they need to attack people, and cause pain, and illegally take money and things of value,” he continued. “In trying to prepare ourselves for all this, education has to do the same as everyone — which is to look at the ways that we are most likely to be attacked.”

Schools are extremely vulnerable to social engineering, unpatched software, and password attacks, he said — yet for all their experience in teaching students the three Rs, the fact that schools are supposed to be educating students for lives in the digital world makes their ongoing compromise doubly frustrating.

“We’ve got 30 years of evidence that social engineering is what’s causing most of the compromises,” Grimes said, “and you’d think [educational institutions] would be on the forefront of educating themselves and everyone else about the threats. But they’re not.”

“It’s amazing how little time and focus we give something that’s responsible for almost all cybercrime.”

Despite the pervasiveness of digital technologies and the importance of teaching good cyber hygiene to the next generation of workers, most schools are still failing to educate their students, staff and administrators with the kind of urgency that is regularly conveyed in other contexts — such as teaching student drivers the risks of speeding and drunk or distracted driving.

Schools “may mention social engineering as one of the 15 things you should do” to stay secure,” he said, “but it isn’t one out of 15 things — it is the number one thing that you can [address] to prevent being compromised.”

“We’re still not giving the amount of focus to social engineering and unpatched software and password issues that we should, and that’s why they continue to be successful.”

“As long as we keep focusing on social engineering and unpatched software as nice-to-haves, we’re going to continue to be attacked.”

David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.