Three Ways Schools Can Fend Off Ransomware Attacks
Dawson & Grillo: Schools must figure out what data they need to protect, then secure their infrastructure and build resiliency
After years of targeting and extorting high-value corporate targets, ransomware attackers have turned to more vulnerable prey: school districts. With less funding, less-than-mature cybersecurity defenses and limited (or even nonexistent) controls over an abundance of sensitive data, educational institutions are prime targets for cybercriminals.
As a number of attacks against school systems across the country demonstrate, schools are relatively low-hanging fruit for those who steal data and sell it or hold it for ransom. While corporations have been able to harden their defenses, boost spending on resilience measures, enhance their cybersecurity programs and evaluate risks, school systems, K-12 and higher education alike, haven’t been able to keep up.
In part, their vulnerability stems from the fact that school boards don’t tend to allocate funding to these risks. With boards focused on pressing priorities (everything from closing achievement gaps and catching kids up from COVID-related learning setbacks to ensuring schools’ physical safety), cybersecurity isn’t at the top of most school agendas.
When ransomware is discussed, it’s considered an IT issue, something that only the information technology department needs to worry about. Yet, in many instances, these departments are short on funding and staffing, so the initiatives are outsourced to third-party contractors without considering what internal staffing is needed to assign and oversee their work.
School boards fail to see cybersecurity investment as risk mitigation and often do not prioritize allocating budget dollars to beef up IT resources.
That said, school officials should not throw up their hands in despair and figure that they’re doomed when it comes to ransomware attacks. While no one can avoid being a target, a few crucial steps can go a long way toward minimizing the potential impact.
As a first step, school leaders should ask themselves: What data are we trying to protect? Schools maintain student records, personnel records, health care information and more. They have a variety of systems, from email to attendance tracking to e-learning, that contribute to daily operations. Wrapping their arms around what needs to be protected is the first piece of the puzzle.
Then, schools should take a “people, process and technology” approach to securing their infrastructure and building up resiliency.
From a people perspective, everyone in a school district (the superintendent, principals, teachers, students and parents) should know they’re responsible for helping to maintain good cyber hygiene. Then comes process: District policies should require things like end-user cybersecurity education and awareness, the use of strong passwords and mandates for regular anti-virus scanning. Technology is the third leg of the approach. It should be used to automate certain things like password length and reset periods, as well as keeping software and systems up to date to eliminate vulnerabilities in district computers, tablets, network devices and even learning management tools.
The final step is to have a plan for what to do if any of the school’s information or systems are attacked. Schools should have a crisis management plan for any kind of disruption, whether it’s an earthquake, a pandemic, a hurricane, a power outage or, yes, a ransomware attack. Surprisingly, few school systems actually do. They should have cyber incident response plans and test them, just as they conduct fire drills.
Without a well-rehearsed playbook for responding to a ransomware attack, the odds increase dramatically that getting back to normal will require paying ransom. Well-prepared, resilient organizations, by contrast, will have contingency plans that allow them to quickly revert to data backups and resume operations with minimal disruption.
A bit of good news for schools looking to reach that level of resiliency: In addition to the $190 billion in Elementary and Secondary School Emergency Relief (ESSER) funds that were issued last year for schools to use as they see fit, there’s $1 billion in the pipeline specifically earmarked to help state and local institutions upgrade their cyber protection.
No school district enjoys spending time or money on cybersecurity, but the consequences of a ransomware attack are too dire to ignore. By giving this threat the attention it deserves, schools will be better able to focus on their real priorities of teaching and learning.