By Todd Miller - January 17, 2019
There is evidence to suggest the volume of cyberattacks on K-12 schools is increasing. Not only do successful attacks result in the unauthorized disclosure of personal data or a lack of access to school networks, the impact of cybersecurity threats in K-12 schools can also compromise emergency communication systems.
Nobody really knows the scale of cyberattacks on K-12 schools. Although every state has breach notification laws relating to the unauthorized disclosure of personal data, not every successful cyberattack has to be reported if a risk assessment determines there is little likelihood of the accessed data being misused. Therefore, if a school district network is disabled in a ransomware attack, and a ransom is paid to decrypt the system, the likelihood is it will never get reported.
According to InsureTrust.com, schools, colleges, and universities account for 20% of all reported non-governmental data breaches since 2005. The insurance provider comments that not all breaches are attributable to cyberattacks - a significant number are due to user error and rogue employees. Nonetheless, there is evidence to suggest the volume of cyberattacks on K-12 schools is increasing, and further evidence to suggest some school districts are failing to learn from previous events.
The most commonly reported cybersecurity attacks on schools fall into three categories - phishing attacks, ransomware attacks, and Distributed Denial of Service (DDoS) attacks. Ransomware attacks and DDoS attacks only have one motive - to disable a school network until a ransom is paid, at which point the system is decrypted or the DDoS attack is withdrawn. Phishing attacks can have a variety of motives but generally have the objective of obtaining login credentials or installing malware.
The complexity of phishing attacks varies enormously. Whereas some phishing emails are instantly recognizable, an increasing number of cybercriminals use social engineering techniques to convince their intended victims the phishing emails are genuine. The most difficult phishing attacks to detect occur when an email account within the school district has been compromised and then used to send phishing emails to other accounts within the network, as these appear to be sent by a trusted source.
Once a cybercriminal has the login credentials they require, they can access personal data that can be used to commit health insurance fraud, payment data to commit bank fraud, and tax data to defraud the IRS of tax revenue. There have been attempts to access confidential research papers via phishing, and also attempts to execute Business Email Compromise scams which - in one case - resulted in a Texas school district sending $609,000 to a fraudulent account instead of to a legitimate vendor.
The impact of cybersecurity threats in K-12 schools varies according to the nature of the attack and how successful it is. It is often in the cybercriminal's best interests to keep their attack undetected for as long as possible. The longer the attack goes undetected, the more data they can exfiltrate. It is therefore possible that the assumed underreporting of data breaches may be attributable to breaches not being identified at all.
The exception to this is ransomware attacks, DDoS attacks, and other attacks involving malicious software that compromise the integrity of the school district's network. Beyond the financial cost of restoring the network, these cybersecurity threats in K-12 schools have a potentially more critical implication when school district emergency notification systems are reliant on an operating IT infrastructure.
For example, paging systems and other notification systems that function via desktop apps will be inoperable. Similarly, some Bluetooth-reliant panic buttons can also fail to work during DDoS attacks, while VoIP solutions will naturally fail to work. Consequently, if your school district's emergency notification system is reliant on an operating IT infrastructure, you may be risking a failure of your emergency communication plan if an emergency coincides with a cybersecurity event.
The solution to this potentially critical impact is a network-independent emergency notification system that can still be operated remotely if the network is inaccessible or compromised. A suite of powerful data and communication tools achieves this by being accessible from any Internet-connected device (i.e. smartphone, tablet, etc.) to send and receive emergency notifications at any time from any location.
Mobile app panic buttons do not have to be reliant on network or Bluetooth connections, and with improved E911 tracking, emergency personnel can respond faster to all types of emergency situations with more information available at their fingertips to enhance situational awareness on their arrival.
Todd Miller manages all field operations at Rave. Prior to joining Rave, Todd managed the self-service consulting practice at Oracle, where he was responsible for the delivery of customized software solutions for clients in North America, supporting millions of users. At Oracle he was awarded recognition as a member of Oracle’s top 10% in Consulting. Todd’s previous experience includes leading consulting teams for Siebel and edocs in North America, Europe, and Australia. Todd is a graduate of Babson College.