- K-12 schools remain a major target for malicious cyberattacks, according to a report released Monday from the Multi-State Information Sharing and Analysis Center. Schools are a potentially lucrative target for data theft and financial gain but are largely unprepared to mitigate such activity.
- The average school spends about 8% of its IT budget on cybersecurity, the report found. But 20% of schools spend less than 1% of their IT budgets on security.
- K-12 schools have an average maturity score of 3.55, based on the Nationwide Cybersecurity Review risk-based scale of 1 through 7.
The report comes weeks after the Cybersecurity and Infrastructure Security Agency announced a plan to enhance the implementation of cybersecurity basics in local communities, with a focus on hospitals, local utilities and schools.
CISA Director Jen Easterly said that many of these organizations are target rich and resource poor; they present lucrative sources of personal data that can be used by threat actors, but lack the necessary expertise, modern technology and funding to protect themselves against increasingly sophisticated threat actors.
Schools tend to be the targets of both financially motivated and hacktivist-type threat actors, who often target them with ransomware attacks, according to Karen Sorady, MS-ISAC VP of member engagement.
Ransomware is the most damaging type of attack in terms of downtime and total cost for schools — it can take months to remediate, with costs easily surpassing $1 million.
“These types of attacks can lead to disruption of education as well as access to private data on thousands of teachers, staff and students, including health records, home addresses and dates of birth,” Sorady said via email.
The emphasis on K-12 schools comes as many of these facilities are hosting full-time, in-person education for the first time since before the coronavirus pandemic began in 2020, and students can ill afford a major disruption of classes.
In September, the Los Angeles Unified School District was targeted by a ransomware attack that researchers and authorities linked to the Vice Society, a group that leaked stolen data on the dark web.