- K-12 schools remain a major target for malicious cyberattacks, according to a report released Monday by the Multi-State Information Sharing and Analysis Center. Schools are a potentially lucrative target for data theft and financial gain, but they are largely unprepared to mitigate such activity.
- According to the report, an average school spends about 8% of its IT budget on cybersecurity. But 20% of schools spend less than 1% of their IT budget on security.
- K-12 schools have an average maturity score of 3.55, based on the National Cybersecurity Examination’s 1-7 risk scale.
Overview of the dive:
The report comes weeks after the Cybersecurity and Infrastructure Security Agency announced a plan to improve the implementation of cybersecurity basics in local communities, with a focus on hospitals, local utilities and schools.
CISA Director Jen Easterly said many of these organizations are target-rich and resource-poor: they present lucrative sources of personal data that can be used by threat actors, but lack the expertise, modern technology and funding to protect against increasingly sophisticated threat actors.
Schools tend to be targeted by financially motivated and hacktivist-type malicious actors, who often hit them with ransomware attacks, according to Karen Sorady, vice president of member engagement at MS-ISAC.
Ransomware is the most damaging type of attack in terms of downtime and total cost to schools. It can take months to fix, with costs easily exceeding a million dollars.
“These types of attacks can lead to disruption of education as well as access to the private data of thousands of teachers, staff and students, including health records, home addresses and dates of birth,” Sorady said via email.
The focus on K-12 schools comes as many of these institutions are hosting full-time in-person instruction for the first time since before the coronavirus pandemic began in 2020 and students can ill afford a major disruption to classes.