Report: Cybercrimes at K-12 schools tripled over the pandemic

One of the many lessons learned from the COVID-19 pandemic is that public elementary, middle and high schools are vulnerable to cyberattacks — and the number of attacks is rising.

What do cyber attacks on K-12 institutions look like? It can range from common phishing to disrupting online classrooms and includes:

• Data breaches involving information regarding students, teachers or school community members
• Ransomware attacks
• Denial of service attacks
• Business email compromise scams
• Defacing website and social media
• Invasions of online classes and school meetings

This week, the Cybersecurity and Infrastructure Security Agency (CISA) released a report, “Partnering to Safeguard K-12 Organizations from Cybersecurity Threats,” in an effort to help schools strengthen their protection from cybersecurity threats.

Cyber attacks are on the rise

The report found a huge increase in reported cyber attacks on K-12 schools in the last five years, with the number of reported incidents rising from 400 in 2018 to over 1,300 in 2021.

(Graph via CISA’s “Partnering to Safeguard K-12 Organizations from Cybersecurity Threats” report)

In all of those years, the biggest proportion of attacks were data breaches, followed by ransomware attacks. Invasions — for example, breaking into a Zoom class or teacher meeting — was a nonexistent threat in 2018, but started popping up in 2019. It became one of the most common types of school cyberattacks in 2020, when K-12 students were locked down and attending classes virtually.

“We must ensure that our K-12 schools are better prepared to confront a complex threat environment,” CISA Director Jen Easterly said in a press statement. “As K-12 institutions employ technology to make education more accessible and effective, malicious cyber actors are hard at work trying to exploit vulnerabilities in these systems, threatening our nation’s ability to educate our children.”

How do these attacks impact schools, students and teachers? A Government Accountability Office report from October 2022 found that cyber attacks caused monetary losses due to recovery resources and downtime. Two million K-12 students were affected by ransomware attacks. And, perhaps most pressing, loss of learning following a cyber attack can last weeks, with full recovery sometimes taking as much as nine months.

Despite the impact, CISA found that many K-12 school districts employ no full-time cybersecurity expert, and the few that are employed by a school district often face a lack of resources to implement stronger security. Schools with the tightest budgets, often serving low-income children and children of color, are the most likely to have little to no cybersecurity support.

Key findings and recommendations

CISA made three key findings:

• Implementing small changes can greatly reduce the number of successful cyber attacks on K-12 schools
• K-12 schools struggle with IT resources
• K-12 schools can’t single-handedly prevent all cyber attacks

These were used as the basis of these recommendations:

• Put the highest priority controls in place, invest in cybersecurity as possible, and make a long-term cybersecurity plan.
• Apply for the State and Local Cybersecurity Grant Program, use free or low-cost services to make immediate improvements, and call for technology providers to enable stronger security controls for schools at no charge.
• Join collaboration groups like MS-ISAC and information-sharing organizations like state school safety centers, and build relationships with CISA cybersecurity personnel.

To help schools follow the recommendations, CISA also released a toolkit that includes actionable guides, examples and resources, including a list of free cybersecurity tools.