Originally published in THE Journal.

Just as the school year kicked off, families on opposite sides of the U.S. faced temporary school closures. Mother Nature was responsible for some. But not all. While several southeastern states dealt with the effects of Hurricane Dorian, across the country, one Arizona city encountered a very different type of scare. Cybercriminals waged a ransomware attack on the Flagstaff Unified School District, forcing a two-day shut down for 15 schools serving almost 10,000 students.

Flagstaff is far from alone. In July and August, 2019, the number of publicly disclosed security incidents in K-12 schools reached 160 — exceeding the total of all incidents experienced in 2018 by an incredible 30 percent. Nearly 50 school districts and colleges have been hit with ransomware so far in 2019 ranging in nature from disruptive, as in the case of the Flagstaff two-day closure, to catastrophic, which describes the scene in Louisiana when the governor recently declared a state of emergency following “severe, intentional security breaches” on school computer systems.

The Education Sector is Facing a Crisis

It’s one thing for impassible roads to hit pause on a school schedule. It’s an entirely different and unacceptable scenario when cyber extortion not only gets in the way of educating our youth but puts data pertaining to their health, academics and social development at risk of exposure and compromise — not to mention the public funds that are flushed away to ransom payments and cleanup efforts. Yet here we are, co-existing with cybercrime as the new normal and witnessing escalating ransomware attacks turn schools into the second-largest victims of all sectors.

The pace of growth of the “digital school district” continues to climb given the many benefits technology brings to students and educators. Funding for educational technology has increased by 62 percent in the last three years, and the new U.S. Digital Equity Act proposes to commit federal dollars to bring even more tech to the classroom. And while the many benefits of the digital classroom are clear, this rapid growth, combined with complexity and the continued restricted budgets for management, make our schools and our students increasingly vulnerable.

When Complexity and Risk Plague Today’s Digital Classroom, Resilience Matters

Technology is no doubt an asset, though we need to acknowledge not just the risks to student safety and privacy it poses, but also the complexity that IT folks have to wrangle. Education IT leaders once responsible for a few hundred devices, a few dozen apps and a single network have now found themselves managing tens of thousands of devices (as 82 percent of schools now provide students with them), hundreds of apps, and a distributed set of users accessing unknown networks — all with limited resources and budget in most cases. Meanwhile, by clicking on one bad link on a school-issued device, a student can become a conduit for a ransomware attack.

As endpoint and environmental complexities increase, and risk alongside them, it’s no surprise that 68 percent of education IT leaders in the U.S. list cybersecurity as their top priority. In tandem, several state governments, including Louisiana, Texas and North Dakota, have stepped up their efforts to safeguard schools against cyberattacks with various measures such as cyber policy mandates, cyber commission formation and state IT department oversight for schools.

For policymakers, educational institutions and their IT leaders, and even concerned parents, collaborative cybersecurity efforts should rally around the concept of resilience, or the ability to bounce back. Here are three steps to get on the path to cyber resiliency:

  1. Battle the false sense of security. Millions of dollars of public funds are invested in applying security controls in schools — giving parents and educators a false sense of security. Many of these controls are fragile or by-passable — meaning that without consistent monitoring, you may be more exposed than you think. Make the most of the tools you already have and spend your budget on more impactful projects. Ask the question, “Are the controls we already have in place functioning at all times?”. Security controls cannot protect you when they are taken offline by wiley students, or bypassed. Foundational device controls include, at a minimum, anti-malware, encryption, authorized VPN, patch/client management, and web-filtering/firewalling on the client — and all need to be based on a platform that enable visibility and resilience for IT.
  2. Strengthen your immune system. In the complex world of endpoint security, increased security spending does not equate to increased safety any more than taking more vitamins guarantees you will never get the flu. In fact, every additional security tool, while adding protection, also increases the complexity on the endpoint and therefore the probability of failure as agents. A recent Absolute study reveals that schools that have encryption in place experience agent failures on an average of nine devices per day — almost half of which never recover, leaving students and staff at risk of potential data breaches. In order to protect your students, your data and your investment, ensure you have fundamental controls activated to gain a persistent connection to each device — on or off the school network. It’s only then that you can repair or replace critical apps that have been disabled or removed.
  3. Make cybersecurity the air students breathe. Creating a culture of online security and open communication about online threats is not just good practice, it’s an ethical responsibility. Turn it into a game; teach students what attackers do, test them on practical examples, and give each of them a sense of achievement when they win. Yammering on about ransomware crippling the school or how awful an attack would be for their district is unlikely to stop an 11-year-old trying to circumvent security policies. Let them know what villains may try to do, and challenge them to step up and help stop them. Provide a means for them to report suspicious online behavior without fear of punishment. Make them the hero of the cyber resilience story.

The pace of ransomware attacks on schools in 2019 suggests another victim will feel imminent pain and, as such, the urgency to heed these steps cannot be overstated. It’s a tricky balance but doable to enable the digital classroom to thrive, while also protecting student safety and privacy.