Schools to prepare for the worst as cyberattacks increase
(S.C.) Panic set in after a third school called its district office to report that staff couldn’t access email, online digital content, assessment tools or network and cloud-based storage. The decision was made to shut down the district’s 600 servers in an attempt to stop the spread of malware spreading through 52 schools, but it was too late.
Hackers had breached the system and demanded $8,500 in Bitcoin within one week to unlock the district’s files.
“February 8, 2016 started as just another Monday in Horry County Schools,” Charles Hucks, executive director of technology for Horry County Schools in South Carolina, told U.S. lawmakers at a Senate Judiciary Committee meeting. “Little did we know that one of the most disruptive events in recent history was already well underway throughout our district.”
Like many businesses and government agencies, schools are increasingly the target of cyberattacks, and experts say they are often woefully unprepared to handle a breach in data security, even as lawmakers and the public are putting more emphasis on student privacy policies.
Officials at Horry County Schools eventually paid $8,500 ransom to decrypt their information, but Ann Flynn, director of education technology for the National School Boards Association, said schools should be proactive and have a strategy in place prior to there being any sort of widespread breach in security.
“Schools are not living in a bubble, and they’re just as vulnerable as other businesses and organizations,” Flynn said. “That’s something I think a lot of school districts are just starting to do – thinking about putting a plan in place for the eventuality that a denial of service or data hacking could occur.”
What happened in Horry County Schools is not uncommon. A district in New York faced a similar, albeit brief, situation last month that did not result in the loss of any data or files. Districts in New Jersey, Tennessee, Delaware and Michigan have not always been so lucky in recent years.
In each case, districts were affected by “ransomware,” which locks stored files until a ransom is paid, and then the files are unlocked. Almost 2,500 complaints about ransomware were received last year, costing the victims more than $24 million, according to the FBI.
For schools, this may mean spending weeks with students and faculty unable to access their files while servers are restored from backup, or paying the ransom to get the data back online more quickly.
Despite the increase in the number of cyberattacks—half of all malware analyses performed in March involved encryption ransomware, according to information-security firm PhishMe—many schools remain unprepared.
In South Carolina, hackers found access to the district’s network through an old server that was used by the facility department but no longer was maintained or supported by its developer.
In many cases, the FBI has been unable to do anything once a system has been affected by ransomware, and victims often decide the best move is to simply pay to retrieve their data.
The Department of Homeland Security released an alert in March with additional suggestions, including regularly updating software and operating systems, restricting users’ ability to install software applications and reminding employees to never click unsolicited links in emails.
Experts also recommend use of cloud storage backed up in real time in addition to standard file backups so students, teachers and administrators can access their files from devices outside of the network while the system is restored internally.
Regardless of how a school chooses to go about protecting itself from a security breach, Flynn said it is pertinent that policies and procedures be worked out before one is in the middle of a crisis, should one occur.
“I would liken it to a family with an escape plan for a fire in the home,” Flynn said. “You don’t want to wait until the night you see flames to figure out what the plan is going to look like.”