Many say that it is not a matter of if you will be the victim of a cyber incident but when. Given the prevalence of cyberattacks directed at K-12 schools, including in New Jersey, this is not a bad mindset. No matter the size or location of your district, you are a possible target. This news may be alarming, but now is the time to assess your cybersecurity posture.

Like other aspects of district operations, school board members should not be involved in daily operations. However, as a board member, there is an important role to play when it comes to cyber, including in oversight, ensuring there are adequate resources to increase preparedness and asking the right questions. It’s not essential to be a technical or cyber expert to do this. This article provides an overview of current threats facing districts, key considerations and additional resources. 

Threats and Trends Schools can be impacted by cyber incidents because they hold sensitive staff and student data, disruptions and downtime could impact instruction and resources are often limited. In addition, schools and public sector entities are generally less prepared and knowledgeable than private sector entities, so they are seen as easy targets by bad actors. There are multiple barriers to information technology security, but the top ones include budget constraints, competing priorities, complexity of the internal environment and a lack of top-level direction and leadership, according to the SolarWinds Public Sector Cybersecurity Survey Report. Most if not all of these can be impacted by a board of education.

The education services sector has seen 1,241 incidents with 282 breaches over the past year, according to the 2022 Verizon Data Breach Investigations Report. As the report notes, 95% of actors were motivated by financial gain, 75% were external to the organization. The two main attack patterns are system intrusions — like those that leverage stolen credentials and malware — and basic web application attacks — like those that target web servers. The number of incidents is likely even higher because they often go unreported or the data is not complete.

Ransomware usually gets the most attention among threats, but it is only one of many types. This is justified because these attacks cost schools and colleges about $3.56 billion in 2021 and over 1,000 schools were affected. Ransomware attacks can result in data being exposed publicly and/or permanently lost, along with financial expenses in potentially paying to retrieve information.

Recent Examples School districts becoming victims of cyber incidents is not new. New Jersey has seen a number of incidents that received media attention, including cyberattacks that occurred around the time of scheduled state testing using ransomware, employee data being disclosed and hacking by students to change grades.

The most prominent recent example involved Los Angeles Unified School District, the country’s second-largest school district, which was hit by a ransomware attack in September 2022. Hackers claimed to have stolen 500 gigabytes of data, which is roughly the size of 250 to 500 full-length movies. This incident caused operations to be disrupted and data to be released publicly, but the district refused to pay the ransom demanded. This was reportedly carried out by the Vice Society, a hacking group that is disproportionately targeting the education sector. In response, the district set up an IT task force and the school board gave the superintendent emergency power to bypass typical public bidding processes required when contracting with vendors or consultants.

Key Considerations There is no single solution to cyberattacks. Preparedness, response and recovery measures should be tailored to a district in consultation with district professionals, including the board attorney, IT specialists and district leadership. These measures should account for district vulnerabilities and capabilities. Seven general considerations are shared below, but there are many more.

Resources Fortunately, resources exist to aid school districts.

On the financial side, the federal government launched a $1 billion grant program spanning four years to support cybersecurity projects at the local, tribal and state levels. This will not be enough for every district, but it is a start that is worth exploring. The main areas that states want local governments to spend money on are training, risk assessments and security monitoring.

It’s understood that budgets are a huge barrier and that it might come down to buying new textbooks or implementing a cyber solution. While there is a time and place for hiring professionals and purchasing security products, there are also many free or low-cost solutions. However, spending money on cybersecurity should not be shortchanged.

On the implementation and analysis side, many state and federal agencies have resources outside of those already named. For example, the New Jersey Cybersecurity and Communications Integration Cell is a one-stop-shop for cyber threat analysis, incident reporting and information sharing. Their threat landscape data is worth following. In addition, is a collaboration between multiple federal agencies and offers an array of security resources.

If you have read this as a board member, it is fair to ask your superintendent where your district is with cybersecurity. The best recommendation is creating an environment that prioritizes the threat, being supportive with resources as appropriate and looking at potential policy options. Conversely, if you have read this as a superintendent or administrator, the best recommendation is to take a deep dive into your plans, processes and specific vulnerabilities.

The threat to K-12 schools is not going away. It is imperative that you protect your students and staff while ensuring your district is prepared for learning to continue in the event of a cyber incident. Now is the time to act.

Featured Publications