Parents think schools’ cybersecurity is stronger than reality, report says

The closing months of 2024 saw more cybersecurity issues at some of the nation’s public-school districts, as administrators had to recover from cyberattacks and the exposure of student and staff data.

Students in Providence, Rhode Island, had their personal data exposed in a hack, including their vaccination records and driver’s license information. Meanwhile, an attack in Wayne County, Michigan, shut down one school system’s internet and phone service, leaving officials scrambling to restore it.

The costs are enormous, too. A report from Comparitech last year found that schools and colleges on average lose $500,000 a day from ransomware attacks. Governments have been slowly responding, whether it be some states now requiring that incidents be reported to officials, or the Federal Communications Commission kicking off a $200 million pilot program to provide schools and libraries grants to boost their cybersecurity.

And new research has highlighted the urgent need for schools to improve their cybersecurity posture and the gaps in awareness. A survey by cybersecurity software company Keeper Security released late last year found that while 74% of parents expressed confidence in the cybersecurity measures of their children’s schools, only 21% reported receiving guidance on secure password management and cyber hygiene.

Meanwhile, Keeper found that only 14% of schools mandate security awareness training. And phishing emails remain a constant threat, especially with thousands of staff, students and teachers all getting connected on various devices. The New York City Department of Education thinks of physical and digital safety as the same thing, for example, as phishing attacks continue to proliferate.

The disconnect between parents’ confidence and the reality of schools’ cybersecurity is reflective of wider trends across the public and private sector, where governments and businesses do not invest heavily in protections until an attack happens to them.

“Cybersecurity is an issue that a lot of people don't think about until it happens to them,” said James Scobey, Keeper’s chief information security officer. “That's not unique to parents in this situation, that is across the board, from IT administrators to corporate leaders in boardrooms, to elected officials. It only becomes a problem once it happens to you, and I think that's what we're seeing.”

That “widening gap” between people’s opinions and the on-the-ground reality has become more pronounced since the COVID-19 pandemic, Scobey said. And school districts are so independent from each other, too, that it can be difficult to encourage information sharing between them.

“Particularly in the primary educational environment, the environments are so isolated that a compromise in one place doesn't necessarily raise awareness in another area of the country or another educational area,” Scobey said, “When a Fortune 500 company gets compromised, all the other Fortune 500 companies are looking at it and trying to learn lessons. That kind of communication and dialog isn't happening right now.”

State governments have tried for a long time to tailor their cybersecurity training for their employees, whether it be through continuous evolution or by expanding their curriculum to move away from what Peter Kobak, associate director at the Ohio Cyber Range Institute, last year called the “one-time, annual compliance mindset.”

It could be challenging to tailor cybersecurity training to students, even though they may already be used to technology. But Scobey said it’s doable.

“It's important to engage kids where they are, but not talk down to them about these things, because in a lot of ways, these kids, even eight- or nine-year-olds, are technically savvy in ways that maybe adults aren't sometimes,” he said. “Make it interesting, gamify it, keep the message relatively simple about protecting your passwords and then give them the tools to do it, because that is another part of this component that's lacking.”

The FCC’s grant program is a solid step that shows renewed seriousness within the federal government to get the problem under control. Meanwhile, the Department of Education sets various standards and runs educational campaigns for school districts nationwide, although the agency’s future is uncertain. And the National Institute of Standards and Technology has various standards on cybersecurity, although “you need a master's degree in cybersecurity to understand most of them,” Scobey said.

“There's a translation function, taking the great guidance and research that has been done by parts of the federal government and making that accessible to the local school districts, to the school administrators, engaging at a level that's usable for those functions, as opposed to a NIST white paper that tells you all about how to manage identity, but a layperson couldn't pick it up and implement,” he said.

As for the future, Scobey said cybersecurity training will be crucial, especially on having strong passwords and secure management. Training on those basic cyber hygiene techniques, as well as how to avoid being breached in a phishing attack, “will pay dividends over five or 10 years,” he said.

“It doesn't mean a breach won't happen,” Scobey said. “A determined adversary will always get in, but our role is to make it as hard as possible. Adversaries go after the soft targets, so we have to harden these targets to some degree through education and through getting the appropriate tools out to make that as difficult as possible.”