Internet Explorer 11 is not supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Cyber Attacks on Schools in 2020 Were Record Breaking: Report

2020 marked a "record-breaking" year for cyber attacks against schools, according to a recent report. Now, education policy organizations are asking policymakers to step up to help mitigate security threats.

K-12 Graph
A graphic from the K-12 Cybersecurity Resource Center and K12 Security Information Exchange report titled, "The State of K-12 Cybersecurity: 2020 Year in Review."
Parents, students and teachers have had to navigate a minefield of cyber threats over the past year as schools continue to invest in ed-tech tools and devices needed for remote learning during COVID-19 school closures. At the same time, cyber criminals found new avenues for data breaches and phishing scams, as well as ransomware and malware attacks targeting school districts in 2020.

According to a report released earlier this month by a public data resource called the K-12 Cybersecurity Resource Center, in association with the nonprofit K12 Security Information Exchange, 2020 marked a “record-breaking” year for cyber attacks against public schools in the U.S. The report includes data from the center's K-12 Cyber Incident Map, which recorded 408 publicized school cyber attacks in 2020, representing an 18 percent increase over 2019.

The problem has only intensified due to vulnerabilities found in the American public school system, according to the report, which notes that many districts still lack the IT staff and security protocols needed for modern cybersecurity systems. For sophisticated cyber criminals, this means easier access to financial documents and sensitive data about students, parents, educators and others involved in school operations.

cyberincidents.PNG
Nearly 40 percent of K-12 cyber incidents included data breaches and leaks, while approximately 12 percent involved ransomware. Others included denial-of-access attacks, which impeded access to programs widely used for remote learning.

Schools also reported an emerging threat of "cyber invasions," where unauthorized users gain access to online classes and video conference meetings, often disrupting them with hate speech, threats of violence and obscene images, sounds and videos.

Larger or higher-income districts with more access to technology are often among the most vulnerable to cyber threats due to their size and reliance on technology for instruction and communication, according to the report. Students and teachers engaged in remote learning during COVID-19 school closures remain especially vulnerable to cyber attacks on personal devices and networks.

Keith Krueger, CEO of the ed-tech advocacy group the Consortium for School Networking (CoSN), said CoSN's surveys have found cybersecurity a top concern among chief technology officers across the nation. The consortium, along with other education policy organizations, submitted a petition in February asking the Federal Communications Commission to invest in cybersecurity protections for public K-12 school districts through the FCC's E-rate program. The petition estimated the annual cost for recommended next-generation firewalls, endpoint protection and advanced security features for nationwide K-12 districts at $2.389 billion.

“There’s very little money for districts on the human side. In fact, our surveys show only one in every five school districts has a full-time staff person dedicated to cybersecurity,” Krueger said, adding that the FBI and other federal agencies have designated K-12 schools as the most-targeted public sector for cyber threats.

“We’ve got multiple problems, but this problem hasn't gotten the serious attention that it needs from policymakers." 

With little standing in the way of cyber criminals targeting schools and gaining access to sensitive information on administrative systems, CoSN Cybersecurity Project Director Amy McLaughlin said malicious actors can target high school students approaching adulthood for identity theft.

“The first time a student finds out about that is when they go to apply for things like financial aid for college, and then finding out their credit has been destroyed,” she said of these data breaches.

What's more, cyber criminals are getting better at their methods, according to Krueger and McLaughlin. Phishing scams targeting remote students and educators often appear to come from recognizable email addresses at first glance.

“In a school environment, about 3 percent of teachers click inappropriately on phishing scams,” Krueger said. “That was jumping to 15 to 20 percent from home, so a lot of cyber criminals are getting into the network.”

Cyber criminals have not let up their attacks against public schools in 2021. Ransomware attacks against schools have continued, including one major incident in Buffalo Public Schools this month that forced the district to cancel virtual classes entirely. These threats have continually increased in numbers and severity, according to the report.

“It isn't just Buffalo,” Krueger warned, adding that ransomware extortion attacks have disrupted day-to-day operations in several other districts, including Clark County, Nev. and Baltimore County schools, among others.

CoSN and other education policy organizations have pushed for legislative solutions to the problem, urging support for the Enhancing K-12 Cybersecurity Act, recently reintroduced by Reps. Jim Langevin, D-RI, and Doris Matsui, D-CA, to bolster school cybersecurity funding and data tracking of cyber incidents in schools.

“We’re concerned that there isn’t [enough] data collected by the federal government,” Krueger said. “We think that Homeland Security should collect good data that’s actionable.”

Aside from policies, the report also called on digital learning platform companies and device providers “to differentiate themselves in the education market by focusing on meaningful security features," and it encouraged schools to promote digital literacy.

McLaughlin believes promoting cybersecurity awareness among students, in particular, remains critical in the fight against cyber criminals.

“You need teachers to model good digital literacy and good digital hygiene,” she said.


Government Technology is a sister site to Governing. Both are divisions of e.Republic.

Government Technology is Governing's sister e.Republic publication, offering in-depth coverage of IT case studies, emerging technologies and the implications of digital technology on the policies and management of public sector organizations.
Special Projects
Sponsored Stories
Sponsored
In this episode, Marianne Steger explains why health care for Pre-Medicare retirees and active employees just got easier.
Sponsored
Government organizations around the world are experiencing the consequences of plagiarism firsthand. A simple mistake can lead to loss of reputation, loss of trust and even lawsuits. It’s important to avoid plagiarism at all costs, and government organizations are held to a particularly high standard. Fortunately, technological solutions such as iThenticate allow government organizations to avoid instances of text plagiarism in an efficient manner.
Sponsored
Creating meaningful citizen experiences in a post-COVID world requires embracing digital initiatives like secure and ethical data sharing, artificial intelligence and more.
Sponsored
GHD identified four themes critical for municipalities to address to reach net-zero by 2050. Will you be ready?
Sponsored
As more state and local jurisdictions have placed a priority on creating sustainable and resilient communities, many have set strong targets to reduce the energy use and greenhouse gases (GHGs) associated with commercial and residential buildings.
Sponsored
As more people get vaccinated and states begin to roll back some of the restrictions put in place due to the COVID-19 pandemic — schools, agencies and workplaces are working on a plan on how to safely return to normal.
Sponsored
The solutions will be a permanent part of government even after the pandemic is over.
Sponsored
See simple ways agencies can improve the citizen engagement experience and make online work environments safer without busting the budget.
Sponsored
Whether your agency is already a well-oiled DevOps machine, or whether you’re just in the beginning stages of adopting a new software development methodology, one thing is certain: The security of your product is a top-of-mind concern.