The coronavirus has been a huge setback for just about everyone. Except cybercriminals. The FBI reported a fourfold increase in daily online crime complaints in the months following the start of the pandemic compared to before it, reports Government Technology contributor Daniel Castro. It's easy to see why this is happening.
“Many individuals are working from home for the first time, so the traditional approach of keeping untrusted devices off organizations’ networks is ill-suited for the new wave of threats from unpatched home computers running on unsecure home networks," he writes. "In addition, with staff no longer working in proximity to one another, employees are more susceptible to phishing attacks because they are less likely to confirm a suspicious email with a colleague or have access to in-person IT support." Finally, with more activities moving online, IT has become mission-critical, which means organizations are more willing to pay ransomware attackers so that their systems remain operational.
While any individual, government or business is a potential victim, school systems are particularly vulnerable, according to Castro, who spells out why. First, schools have been a ripe target for criminals. The education sector accounted for 60 percent of all reported enterprise malware in June. Second, schools continue to rely on old technology, such as Microsoft Windows 7, which is no longer supported by the firm, meaning users no longer receive vital security patches, leaving them exposed to possible attacks. Third, schools must support many inexperienced users. Both educators and students are often unfamiliar with many of the online tools they are now using for distance learning. That leaves them more susceptible to possible malware attacks.
To counter these problems, Castro calls for more money to purchase new technology as well as training and resources that can mitigate security breaches, such as ransomware. He also wants to see states develop and share best practices for education cybersecurity, perhaps through organizations like the National Association of State Chief Information Officers or the Council of Chief State School Officers.
Illustrating the problem outlined by Castro is the steady stream of news reports about schools that have been hit by ransomware in recent months. And it’s not just school systems. Colleges and universities across the nation have been the targets of ransomware and malware attacks in recent months. The University of Utah and University of California, San Francisco even paid ransoms of $457,000 and $1.14 million, respectively, to get systems back online and have any stolen data recovered.
But public schools remain the most vulnerable because a robust cybersecurity system costs lots of money, something few school district have, according to Tony Coulson, a professor and director of the cybersecurity center at Cal State San Bernardino, who said institutions below the college level are the ones most vulnerable to a breach.
“It’s just a matter of economics in those cases,” Coulson told the San Bernardino County Sun. “Launching a cyberattack is cheap, but it can take millions of dollars to prevent them or recover from them. There are multi-billion-dollar corporations that spend millions of dollars when it comes to cybersecurity, and some still get attacked. Many school districts just don’t have the resources, whether budgetary or personnel, to handle a sophisticated attack.”
The school districts affected by online criminal activity include some of the biggest in the nation. In the first two days of digital instruction last week, Miami-Dade County Public Schools suffered from software malfunctions and a cyberattack against the school district that impeded access for thousands of teachers and students.
The world of academia is taking measures to reduce the onslaught of cyberthreats. The University of Redlands, for example, has stepped up cybersecurity measures since distance learning started during the spring. The university’s IT department was reorganized to allow more staff to focus solely on network security. The department also received grant funding to train additional interns who will assist with various tasks inside the department.
Prior to the start of the school year, the Laguna Beach Unified School District added more layers of protection to its system and digital devices. The district conducted an extensive security review provided by the Orange County Department of Education, including real-time testing to expose any vulnerabilities.
But more will need to be done on a broad scale throughout K-12 and higher education as the pandemic continues to force the academic sector to rely on technology, not classrooms, to educate students.