82% of schools suffered recent cyber breaches, report says
Watchara Piriyaputtanapun via Getty Images
By
Chris Teale
The Center for Internet Security said it observed nearly 14,000 security events and confirmed 9,300 cyber incidents, which tend to surge during high-stakes periods like exams.
Another of the nation’s largest public-school systems has been impacted by a cyberattack and data breach, as Chicago Public Schools last week notified families it had been hit.
CPS said one of its technology vendors suffered a cyberattack on a server it uses to store student data. Hackers gained access to current and some former students’ personal information, including their Medicaid ID number, although CPS said no Social Security numbers, financial information or health data were impacted. The school system said it is assisting the Federal Bureau of Investigation and the Illinois Attorney General with their investigations, as well as other agencies.
The data breach in Chicago represents yet another cybersecurity incident for the nation’s largest public school systems, just two-and-a-half years after the Los Angeles Unified School District suffered an attack. And recent research from the Center for Internet Security highlighted the numerous cybersecurity challenges that school systems nationwide face.
CIS found that 82% of K-12 organizations suffered what it called a “cyber incident,” based on an 18-month study of 5,000 institutions. The organization observed nearly 14,000 security events and confirmed that 9,300 were cyber incidents. CIS found that threats targeting humans exceeded other techniques by 45%. That includes phishing emails and other social engineering techniques, which cyber specialists have said remain one of the biggest vulnerabilities in educational institutions. The effects can be enormous if a school is hit.
“When a cyberattack hits a school, it’s not just about lost emails and data; it’s about lost meals, lost childcare, and lost opportunities for students,” Randy Rose, vice president of security operations and intelligence at CIS, said in a statement. “Schools provide critical services beyond education, and cyber incidents create a ripple effect. Parents miss work, vulnerable students lose support, and entire communities suffer.”
One aspect of the report’s findings that CIS called “particularly troubling” is that threat actors have increased the “sophistication and timing” of the attacks and recognize that schools provide far more services than just education. That includes nutrition, safe spaces for children of working parents, mental health and counseling, special education and developmental support and community gathering spaces and resources. “When cyberattacks disrupt these services, the effects ripple throughout the community,” the report says.
Activity also seems to intensify around various high-stakes periods in the school year, especially during examinations, when access to school systems and technology is crucial. CIS said it saw an uptick in cyber events “across multiple academic terms” when exams came around. And it leaves school administrators with a “seemingly impossible choice,” the report says: pay the ransom, or potentially compromise their students’ futures.
Help is at hand, however, even given the country’s decentralized education system. CIS recommended that schools join its Multi-State Information Sharing and Analysis Center, a no-cost service that provides threat intelligence, incident response services, advice and a network of peers. CIS also found that K-12 organizations that have taken the Nationwide Cybersecurity Review assessment increased their cyber maturity by an average of 26%.
CIS also recommended that schools create what it described as a “culture of cyber empowerment” where everyone who accesses a school’s network “feels they are a crucial part of the security team.” That includes having open lines of communication, ensuring that everyone understands their role in cybersecurity and recognizing when staff identify and report potential security vulnerabilities.
The organization also called on schools to use essential security controls like multifactor authentication, endpoint protection and backups, and have a plan in place to ensure continuity of service in the event of a breach. CIS urged schools to help foster a more resilient community, including by building better relationships with parents and partner organizations who could provide support in the event of an incident.
Those strategies would all represent a “seismic shift,” as it means seeing people as essential parts of cyber defense, rather than as liabilities. Combined with technical controls, CIS said people committing to be good stewards of cybersecurity can help make schools better defended than ever before.
“When staff members feel valued and understand their crucial role in protecting their school community, they are more likely to become active participants in security rather than passive recipients of compliance-focused training,” the report says. “They develop the confidence to identify threats, the knowledge to respond effectively, and the understanding that their actions directly protect students, families, and essential services that extend far beyond the classroom.”