Keeping student data safe and maintaining information security in education are part of living in today’s world for educators. Why is it important to include data security in their work? Find an example of how to set up a school cybersecurity policy and more below.

School Cyberattacks On the Rise

There’s no sign that digital attacks are slowing down in this sector. On the contrary, schools suffered a combined total of 348 publicly disclosed malware infections, phishing scams, denial-of-service attacks and other attacks in 2019. That’s more than triple the number of attacks in the sector a year earlier.

Things didn’t get better in 2020. In April, the FBI’s Internet Crime Complaint Center (IC3) warned that threat actors could take advantage of the world’s rapid transition to remote learning to undermine students’ safety and privacy online. A summer 2020 report found that the weekly number of digital attacks per school had risen from 368 in May and June to 608 in July and August. Many of those digital attacks consisted of distributed denial-of-service (DDoS) attacks.

But that wasn’t the only problem. In the months that followed, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert in which it revealed that threat actors were targeting K-12 schools to steal information, disrupt distance learning services and install ransomware. Threat actors assumed all kinds of disguises to boost their chances of success. In one attack, they even pretended to be parents in an attempt to target teachers with crypto-malware.

Why This Rise in School Cybersecurity Attacks?

Running on public funding could make it difficult for schools to find the money for consistent cybersecurity investments from year to year. At the same time, schools need to make their networks open to everyone they serve. That includes teachers, administrators, students, staff and parents — all of whom have varying levels of security awareness.

Take teachers, for example. Another report said nearly half (44%) of K-12 and college educators had not received even basic security awareness training around the digital threats facing them. Another 8% said that they weren’t even sure if they had received training. These results help to explain why so many aren’t familiar with some of today’s common digital threats.

That being said, a rise in digital attacks is what happens when schools also spend years thinking that they don’t have anything worth stealing. If there’s nothing worth stealing, then there’s no threat. And if there’s no threat, there’s no need to invest in school cybersecurity measures.

That’s a problem, given the speed with which schools are adding video conferencing apps and other remote access tools. These tools could provide attackers with a means to infiltrate schools’ networks and deploy malware. They can also gain access to sensitive data and use it to conduct phishing scams, identity theft and other attacks.

How to Improve School Cybersecurity

One of the best ways to boost school cybersecurity is to create an incident response plan. This lets personnel use defined roles to delegate essential response functions. It also enables them to test those processes so that they’re prepared in the event of a problem. That plan needs to work not only within the school’s workforce but also with external groups, including local law enforcement and the FBI.

Schools can also try to prevent an incident from occurring in the first place. They can do that by creating an effective security awareness training program. It should consist of the following three components:

  • leaders prepared for real-world digital attacks,
  • robust digital security skills, and
  • training by roles to keep the group protected against targeted attacks.

That last point is important. Teachers face different threats than students do, and those threats aren’t the same as those confronting parents and administration. Therefore, schools need to create a program that provides training to all of their different groups. It should let people know the exact actions they can take and focus on relevant security topics. It needs to go beyond just email.

School Cybersecurity Training for Students

Schools can concentrate the content of their security awareness training programs on threats that affect their teachers and staff. But they need a different strategy for students, more so those in K-12 facilities. Just as they cultivate students’ language, reading, writing and other skills, so too should they foster their pupils’ digital hygiene.

One of the most effective means to do this is to make it hands-on and fun. The Center for Internet Security and the Multi-State Information Sharing & Analysis Center hosts the National Kids Safe Online Poster Contest every year, in which kids create posters that educate their peers about staying safe online, including password hygiene, safe web browsing habits and identity theft. With programs like this, kids can be one of the many defenses against attacks on school cybersecurity.

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today