K-12 Schools have become a top target for data theft and ransomware by hackers and cyber threat actors. Here is what you need to know to avoid becoming a victim.
An article on Forbes.com titled The Top Target For Ransomware? It’s Now K-12 Schools highlights the findings of a survey done by cybersecurity firm Sophos. The State of Ransomware in Education 2023 provides some frightening statistics about the significant increase in attacks on K-12 schools. The article also provides some sobering quotes from the Center for Internet Security (CIS), a federally-supported organization charged with monitoring and responding to cyber incidents.
A TECH & LEARNING article titled Hackers Are After Student Data. Here’s Why explains why student data is so attractive to hackers.
According to the FBI 2023 Internet Crime Report, “In 2023, IC3 received a record number of complaints from the American public: 880,418 complaints were registered, with potential losses exceeding $12.5 billion. This is a nearly 10% increase in complaints received, and it represents a 22% increase in losses suffered, compared to 2022.”
Fortunately, there are extensive resources available for schools to protect themselves from these increasing threats.
CISA.gov is an official website of the U.S. Department of Homeland Security with extensive resources for K-12 and all educational institutions. On their K-12 cybersecurity page is the quote: “For K-12 schools, cyber incidents are so prevalent that, on average, there is more than one incident per school day.”
In January 2023, CISA released Protecting Our Future: Partnering to Safeguard K–12 organizations from Cybersecurity Threats. “The report provides recommendations and resources to help K-12 schools and school districts address systemic cybersecurity risks. It also provides insight into the current threat landscape specific to the K-12 community and offers actionable steps school leaders can take to strengthen their cyber posture. Along with the report, CISA provides an online toolkit which aligns resources and materials to each of CISA’s three recommendations along with guidance on how stakeholders can implement each recommendation based on their current needs.”
In addition to these resources, CISA.gov has a page specific to ransomware with reference material for school IT staff, administrators, teachers, parents, and students.
The Center for Internet Security Inc. (CIS) is a non-profit organization with a mission “to make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.” U.S. public academic institutions are eligible for a free CIS SecureSuite Membership.
The CIS Multi-State Information Sharing and Analysis Center (MS-ISAC) mission is to improve the overall cybersecurity posture of U.S. State, Local, Tribal, and Territorial (SLTT) government organizations through coordination, collaboration, cooperation, and increased communication.
Launched in 2020, SchoolSafety.gov is a collaborative, inter-agency website created by the Federal government to provide schools and districts with actionable recommendations to create safe and supportive learning environments for students and educators. They provide a comprehensive list of resources about cybersecurity here.
CoSN provides cybersecurity tools and resources that help schools reduce risk. They have created an excellent NIST Cybersecurity Framework Resources Alignment for K-12. The NIST Cybersecurity Framework consists of standards, guidelines, and best practices to manage cybersecurity related risks.
The U.S. Department of Education’s Office of Safe and Supportive Schools has administered the Readiness and Emergency Management for Schools (REMS) Technical Assistance (TA) Center. They offer extensive guidance for K-12 cyber threat prevention and mitigation strategies, and improving cybersecurity posture.
Google has created a K-12 Cybersecurity Guide, and outlines some best practices for schools here.
Established in 2020 by the Global Resilience Federation, K12 SIX is a nonprofit threat intelligence and best practices sharing community for members of the U.S. K-12 education community.
PowerSchool offers best practices for improving K-12 Cybersecurity, promoting digital citizenship, and student data security.
Fortinet, a leading cybersecurity provider, offers a Security Awareness and Training Service free to all U.S. K-12 School Districts and Systems.
The silver lining in the cloud of increasing cybersecurity threats is the opportunity for students to pursue a career in cybersecurity.
The U.S. Bureau of Labor Statistics projects “information security analyst” will have an employment growth rate of 32 percent over the next decade with an annual median pay of $120,360. According to Cybersecurity Ventures, “there will be 3.5 million unfilled jobs in the cybersecurity industry through 2025”.
Cybersecurity awareness, Digital Citizenship, and Digital Literacy are crucial skills for preventing cybersecurity incidents. NIST defines Social Engineering as “An attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks”, and as “The act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust.”
Splunk, a leading data and digital systems security company, lists a frightening statistic that “98% of cyberattacks rely on social engineering”.
Being aware of, and wise to, phishing, smishing, vishing, spear phishing, malware, keyloggers, tailgating, and watering hole attacks is paramount to prevention.
This awareness must extend to all students, teachers, parents, staff, and administrators who use a network or school devices.
There is a substantial amount of training and curriculum available for schools and students.
Cyber.org is the academic initiative of the Cyber Innovation Center and receives funding from CISA. Cyber.org enables K-12 educators and students to build cybersecurity educational foundations, cyber literacy, cyber career awareness, curricular resources, and teacher professional development. They have developed K-12 Cybersecurity Learning Standards, and an excellent curricula search feature by type, grade level, and subject.
The National Initiative for Cybersecurity Careers and Studies (NICCS) is an official website of CISA. It is an online resource for cybersecurity training, education, and career information. NICCS connects government employees, students, educators, and industry with cybersecurity resources and training providers throughout the Nation.
Code.org has cybersecurity curriculum.
Google offers a Professional Certificate in Cybersecurity. I have personally completed the course, and recommend it for IT Staff, Technology Teachers, and Computer Science track students. There is a modest cost for the course.
Coursera offers free and paid courses from a variety of sources.
Teach Cyber has this extensive list of K-12 Cybersecurity Resources including curriculum, conferences, camps, clubs, competitions and more.
There are cybersecurity competitions for students.
Carnegie Mellon University holds the largest high school hacking contest, picoCTF.
CyberPatriot’s National Youth Cyber Defense Competition is the world’s largest cybersecurity competition and is open to all schools and approved youth organizations. The National Youth Cyber Education Program is a STEM program of the Air & Space Forces Association. It was created to inspire K-12 students toward careers in cybersecurity or other science, technology, engineering, and mathematics (STEM) disciplines critical to our nation’s future.
Cyber attacks are only going to increase for K-12 schools and students. Take advantage of the free resources available to improve cybersecurity awareness, resilience, and incident prevention.