Skip to main content

Back to Blog

Tackling Cybersecurity Vulnerabilities in School Systems  

Not Kidding Around

While chalkboards have long seemed artifacts from classrooms of the past, you might be surprised just how dramatically classrooms have changed just within the last ten years. Tablets and Chromebooks have replaced many textbooks and paper hand-in systems, plagiarism and cheating are detected in new ways, and sometimes, the classroom is no longer a physical space–e-learning and digital classrooms are the new standard experience. 

As K-12 institutions across the country invest in new technology, new apps, and new pedagogy, everyone needs to be on high alert about security concerns

Parents, teachers, and students alike are part of the systems we need to take care of. At-home learning combined with the increased numbers of remote workers means highly connected home networks, shared WiFi connections, and blurred boundaries between safe and unsafe digital experiences

As Josh Horwitz writes for eSchool News, there are quite a few security challenges emerging in the connected education age. Here are some of the most daunting, and how educational institutions can best combat them:

1. Phishing Schemes:  

While phishing schemes have been around for decades, cybercriminals have developed more targeted and dangerous tactics over the last few years. 

Often, hackers will create fake email accounts impersonating school employees, making them look authentic by pulling personal information from social media accounts. These addresses are then used to target students and parents, as well as employees and third parties. 

Unfortunately for us, cybercriminals have also made efforts to make much more targeted attacks, known as ‘spear-phishing’ campaigns. By spoofing the email domain as well as the personal information in an email address, bad actors can pose as administrators and K-12 district employees who are in positions of financial relevance. Once they have an email that appears to be from an authority figure, they use phishing emails to change financial information, launch a malware attack in the network, or access sensitive information (either to be used in additional phishing campaigns or sold on to other cybercriminals). 

Any and all of these attack types–whether the rerouting of funds, ransomware, or data theft–can have major financial impact on a school district. 

Defense Strategy: 

To protect their employees, students, and partners from phishing attacks, there are several steps that schools can take: first, ensuring that firewalls, anti-virus and anti-malware are all up and running; and second, to turn on all MFA options that are available in in-use browsers. Thirdly, if possible, training, information, and phishing alerts should be made available to the district network. 

2. Third-party Issues 

As the pandemic forced schools online, everyone had to adapt rapidly to new software and external partners. With many students with varying needs and non-standard technology at home, combined with the rush for lessons to continue, schools were vulnerable almost overnight. In the transition from classrooms to Zoom and Microsoft Teams, security was often an afterthought, providing many opportunities for bad actors to attack the new digital systems. In fact, the K-12 Cybersecurity report found that at least 75% of the data breaches affecting K-12 districts in 2020 stemmed from incidents involving third-party partners. 

Defensive Strategy:  

The vast variety in resources school districts have available to them can make uniform strategies difficult, to say nothing of the resources that K-12 students have available to them at home. However, whether or not they can provide students with approved and controlled devices, schools should at minimum ensure they have an updated list of approved apps and allow only those apps to connect to user accounts. IT teams have a responsibility to thoroughly vet any new technology (hard or software) the school engages with

3. Human Error 

It’s impossible to blame all the issues with cybersecurity within school districts on the technology in use. Human habits and errors are constantly, if unintentionally, introduced by everyone involved with the networks, from principals to students to teachers. One of the most common bad habits is password reuse, where individuals use the same password, or one with a small variation, across multiple accounts and devices–for example, it’s quite likely that some folks are using their school login credentials for their streaming service as well. 

If any one of their accounts was exposed in a previous breach, that password is compromised and can be used by cybercriminals to attack other networks. As we’ve seen over the past few years, even a single compromised email address can lead to devastating repercussions

Defensive Strategy: 

The most efficient method for getting ahead of the credential crisis is for the school district to invest in credential screening solutions, that check for compromised passwords at log-in. This allows schools to ensure that no breacher credentials are actively in use, without introducing additional user friction or imposing complexity requirements. 

While we are all eager to provide students with high quality technology and opportunities for scholastic development, school districts can’t overlook their responsibility to keep students safe.