Back to School, Back to Crime?

Schools See Rise in Cyberthreats With Online Learning

By Samantha Cleaver

This fall, back to school means back on defense.

Schools in Haywood County, N.C., started remote learning last month. They then closed abruptly because of a cyberattack.

Later in the month, Palm Springs Unified Schools in California, also virtual, reported having to clear a hacking attack. The district addressed it with teacher, student and parent training.

This is the landscape for schools for the 2020-21 year. With networks branching out into households, and hackers well aware of the value of education data, phishing and ransomware attacks are expected to be a common occurrence, experts told Digital Privacy News.

“We have the most-valuable data, but it is the least-protected.”

Libbi Garrett, California IT in Education.

In late August, according to the Microsoft Global Threat Activity Tracker, education was the sector most targeted by malware, with more than 4.9 million attacks in the previous 30 days.

“We have the most-valuable data, but it is the least-protected,” said Libbi Garrett, resource program specialist with California IT in Education (CITE).

Familiar Threat, New Networks 

In 2018, the FBI put out a public service announcement warning about cyberthreats in the education space.

Cybersecurity also has been the number one issue for school technology officers over the past three years, said Keith Krueger, CEO of the Consortium for School Networking (CoSN) in Washington.

Cyberattacks, he told Digital Privacy News, “are only going to intensify in the era of remote learning and distance education.” 

Cyberattacks “are only going to intensify in the era of remote learning and distance education.”

Keith Krueger, Consortium for School Networking.

Education is a key target for cybercriminals because the data — personally identifiable information, biometric data, medical information — is so valuable.

Kids’ data is some of the most-valuable information people can get, said Vincent Scheivert, assistant superintendent for digital innovation with Loudoun County Public Schools in Northern Virginia, “because there is so much time before they turn 18 and realize that their identity has been compromised.”

Despite the value of the data, even prior to COVID-19 school districts were not fully prepared to fend off cyberattacks.

“School systems are very under-resourced with human capacity around dealing with the cybercriminal problem,” Krueger said.

When schools went online because of the pandemic, district networks expanded to include all the at-home networks connecting to the district.

With kids, “there is so much time before they turn 18 and realize that their identity has been compromised.”

Vincent Scheivert, Loudoun County Public Schools, Va.

Jeffrey Billings, director of IT with the Paradise Valley Unified School District in Phoenix, Ariz., has seen an increase in phishing and has had to block a lot of malware since online learning started.

“We’ve gone from one managed district network to 16,000 home networks,” Billings said.

When students work from home, district devices are connecting to less-secure networks.

“It is often true that home networks are less secure than business or school networks,” said Amelia Vance, director of youth and education privacy with the Future of Privacy Forum (FPF) in Washington, “and for so many people working from home, most people have never thought deeply about security.”

More Phishing, Ransomware

Besides more phishing schemes, attacks are getting more sophisticated, experts said.

“Phishing is getting more and more intelligent,” said Paradise Valley’s Billings.

Hackers are pulling information from many sources, including district web sites, to make phishing emails ever more personalized.

For example, Billings already has had to respond to a phishing scam that used a profile picture as part of the spear-phishing.

“For so many people working from home, most people have never thought deeply about security.”

Amelia Vance, Future of Privacy Forum.

“People are getting smart,” said Alun Baker, CEO of Clario, a digital and privacy security firm in London. “They can look like they are from the IRS or school district.”

In the past, phishing schemes were more obviously from false email accounts.

Now, “we are seeing people being a lot smarter in the way that they are hacking into people’s worlds,” Baker said.

Phishing also is moving into the social engineering space, Billings told Digital Privacy News.

Attacks are targeting individuals and using open-source information to scrape web sites and learn about a school’s teachers and administrators.

When districts add more information web sites because of online learning, said Amy McLaughlin, project director for CoSN’s cybersecurity initiative, that’s the information hackers can use to make phishing schemes even more targeted.

Further, when phishing is a concern, ransomware will continue to be an issue. The challenge here, said McLaughlin, is what districts will have to do if a student or teacher gets ransomware on their device as they are remote-learning.

“Phishing is getting more and more intelligent.”

Jeffrey Billings, Paradise Valley Unified School District, Phoenix.

“This year is going to be more of a challenge,” McLaughlin told Digital Privacy News, “because anytime they have to solve a problem, they have to solve it remotely — and that is an art within itself.”

How well districts can prevent attacks remains to be seen. A lot of districts spent the summer switching from on-site filters to putting filters on individual school devices, said McLaughlin. This provides some security.

Still, the focus for many districts has not been securing home networks, FPF’s Vance said, but on the digital divide and other concerns.

Cybersafety Is a Community Effort

Schools are at risk because the data is so valuable — and because the people who work in education are trained to be helpful and responsive.

“Culturally, it is challenging to be responsive and suspicious at the same time,” CoSN’s McLaughlin told Digital Privacy News.

Combined with the exhaustion from teaching remotely, it’s not a surprise why someone might mistakenly click on a phishing email.

As such, school districts have to be more diligent this year.

“If you actually undermine the infrastructure,” said Clario’s Baker, “then you are attacking parents where they hurt, and attacking a whole generation of young people in a really bad way.”

“We are seeing people being a lot smarter in the way that they are hacking into people’s worlds.”

Alun Baker, Clario privacy security firm, London.

This year in particular, protecting school networks against cyberattacks involves the entire community. Right now, the concern is bigger than a district’s IT department, said Billings of Paradise Valley Schools.

It requires parents. 

“Districts should be looking at continuing ongoing short-messaging out to students, staff and parents around cybersafety,” McLaughlin said.

When it comes to online crime, said Vance of the FPF, “The criminals are much smarter — and it could have concrete consequences for your kids.”

Samantha Cleaver is an education writer in Charlotte, N.C.

Sources (all external links):