One of the institutions most affected by this has been the nation’s schools. For years, schools have typically operated as an on-site entity with little-to-no focus on threats to their computer networks, as the computers were not considered distinctly vital to their primary mission, teaching the student. This – obviously – has changed.
I used to work for a company that provided the IT infrastructure for hundreds of schools. As director of security for that company, we were regularly involved in students causing major security incidents. Most frequently, it would be students sending emails with inappropriate content, much of which would have legal concerns, but also with teachers and kids unintentionally (and intentionally sometimes for the latter group) introducing viruses and malware to the network.
Due to the sensitive nature of the privacy of minors, and communications related to those minors, there was only so much we could do once someone caused a major incident. Unlike major corporations where we could scan their emails for issues and act before, with schools we needed to proactively get in front of threats without invading the privacy of students and teachers.
Now, hackers know that if they take out a school via ransomware (the insidious practice of making entire networks unusable without first paying a ransom), they will interrupt the very fabric of education in a region. Recently the Baltimore County School System fell victim to a ransomware attack, shutting down the computer network for nearly 115,000 students, forcing a school shutdown for several days.
The pandemic has increased the cadence and violence of cyberattacks over 400% of the last year, and that will not be slowing down any time soon. Educational institutions have never been a bastion of cybersecurity, focusing – rightfully so – on the protection of students from a physical perspective.
Cybersecurity awareness and practice is paramount to the operations of absolutely any and all institutions in our current times, and education may be one of the most overlooked and important. Just as schools teach their students and teachers how to act during a fire-drill or protect against strangers, schools must now teach and protect against threats to the school via the Internet, not just social media or bullying, but the attacks against the school by actual criminals looking to take the school down for profit.
All schools should be educating their faculty and students on cybersecurity threats, how to recognize them, avoid them, and report them when they think they have seen them. Moreover, the institutions themselves need to take an honest look at their security posture, or lack thereof. It should be assessed by professionals on a regular basis, and the findings of those assessments should be implemented, post haste.