The recent ransomware attack targeting Los Angeles Unified School District is another frightening reminder school districts are especially vulnerable to hackers and must continuously assess all of the individual systems interfacing with district data.
The attack placed the information of more than 600,000 students and 50,000 employees at risk and was the latest in a series of cyber breaches in the education sector. In May, the Chicago public school system suffered a massive data breach, and, in January, Albuquerque, New Mexico schools closed for two days after a ransomware extortion attack.
Cyberattacks in December and January on Illuminate Education, a California-based company providing grade and attendance software, exposed private information from both the New York and Los Angeles school districts, as well as other districts across the country.
Details are scarce about the L.A. attack, as well as what information is at risk. The attack is believed to have originated in a foreign country. This is consistent with how we understand many cyber-attacks, on schools and business alike, arise. The FBI and Department of Homeland Security are investigating. More details are sure to follow.
In an advisory to school districts in 2021, the FBI recommended increased training for employees to monitor suspicious activity. More recently, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding ransomware. It is worth reviewing and can be found at https://www.cisa.gov/uscert/ncas/alerts/aa22-249a .
School Districts are Easy Targets for Cyberattacks
School districts are particularly vulnerable to hackers because they operate with limited budgets and students and teachers use unapproved apps without firewalls while accessing information from individual, unsecured devices. Districts also share information with many vendors.
The 2020 Nationwide Cybersecurity Review measures maturity of a government’s information security programs and ranks them among peer government agencies. Entities are rated on their ability to identify, protect, detect, respond and recover regarding cybersecurity threats. The report scores each entity in each category on a 7-point scale. The minimum recommended maturity level is 5, corresponding to the government having documented policies and procedures for cybersecurity, as well implementation in process.
K-12 school districts scored the lowest among 19 peer local government groups, including cities, counties, public utilities, port and airport authorities and others. K-12 schools scored 3.45 overall. The peer group average overall score was 3.8.
The top five security concerns for all groups were:
• Lack of sufficient funding
• Increasing sophistication of threats
• Emerging technologies
• Lack of documented processes
• Inadequate availability of cybersecurity professionals
Cybersecurity must be a priority for school districts
Districts must be vigilant about continuously assessing their systems and determining where information can be lost or stolen. Breaches happen not because the overall security program is defective, but because one vulnerable system is exposed and provides a small hole for hackers to exploit. It is important all systems are individually assessed to ensure all required controls are in place and functioning as expected.
Many school districts do not have the experience on staff to handle highly sophisticated cyberattacks. However, there are many ways a school district can mitigate against ransomware. This includes through training, professional development and enhanced security measures.
For more information on how your school district can protect itself against cyber threats and stay in compliance with regulations, contact Alan M. Winchester at email@example.com / (212) 313-5403, Douglas Gerhardt at firstname.lastname@example.org / (518) 701-2738, Jeffrey J. Weiss at email@example.com / (716) 200-5141 or the Harris Beach attorney with whom you typically work.
This alert is not a substitute for advice of counsel on specific legal issues.
Harris Beach has offices throughout New York state, including Albany, Buffalo, Ithaca, New York City, Rochester, Saratoga Springs, Syracuse, Uniondale and White Plains, as well as Washington D.C., New Haven, Connecticut and Newark, New Jersey.