When thinking of cyber security, one usually thinks of online banking, online shopping, email, or social media. We create various passwords and security questions in an effort to safeguard our information, but a large segment of the population has had their information compromised in one way or another. Credit card numbers have been stolen, money has been drained from bank accounts, and entire identities have been “stolen.” While companies and individuals are constantly looking for ways to strengthen their computer security systems, many school districts remain extremely vulnerable in terms of their cyber security. School district computer systems contain a wealth of personal information and important data that can and do get hacked. Districts need to be as vigilant in their cyber security as any corporation and need to know how to prevent cyber attacks.
Schools are considered “soft targets” to hackers. A soft target is a person or thing that is relatively unprotected and vulnerable. Students or independent hackers may target school files. While a student may be aiming to only cause general chaos, a lone hacker may be looking to extort money from the school. These types of attacks against schools are becoming more frequent and, if schools remain lax in cyber security, they may become even more commonplace.
A common technique is called “phishing.” Phishing focuses on obtaining personal data. Phishing is typically carried out by email spoofing or instant messaging. It often directs user(s) to enter personal information on a fake website (the look and feel of which are similar to a legitimate website) the only difference is the URL of the website of concern. Communications purporting to be from social websites, auction sites, banks, online payment processors or IT administrators are often used to lure victims into providing personal information. Phishing emails may also contain links to websites that distribute malware.
Ransomware enables an attacker to exploit a security breach and has become increasingly popular over the last few years. Ransomware usually arrives as an email attachment and carries a computer virus that tricks the user into downloading or opening. Some of these viruses will lock up a system (which may be easily reversed by a knowledgeable person), while other attacks can encrypt data and make it virtually inaccessible. A message will appear demanding payment for the decryption of the files and a deadline by which the payment must be received. Ransomware can also appear as a denial-of-service attack. This type of attack makes a machine or network resource unavailable to the user by disrupting the network service’s connection to the internet. This is accomplished by flooding a user’s computer with excessive requests in an attempt to overload the system. Paying the ransom may seem like the fastest way to gain access to the information or network again, but there is no guarantee that once the ransom is paid that the hacker will decrypt the data or unlock access. A hacker sometimes simply asks for more money.
Thankfully, preventing cyber attacks is possible, but it does require vigilance. Schools can train staff on how to spot a potential attack they may receive through email. Even if an email contains a familiar name or appears to be from a reputable source, review email closely before opening attachments or responding to the email. Possible red flags for a potential cyber attack via email include a message asking for personal information, an email claiming to be from a government agency (IRS, FBI), an embedded link containing a mismatched URL, and poor spelling or grammar errors.
Schools can create strong password policies by requiring all passwords to be a minimum length and include a special character(s) (!, ?, @). Schools can also use secondary authorization processes by asking an employee the answer to a personal question only the employee would know (name of first pet, make and model of first car). Using special software to protect sensitive data further enhances data protection. If possible, schools should look to hire staff with IT security experience. A separate IT department isn’t necessary, but a staff member with a background in handling cyber security would be a useful addition.
Cyber attacks cause serious and costly disruptions. Schools shouldn’t wait to bolster their security. With student and staff information at risk, the time to act is now. For more information on cyber security pertaining to K–12 schools, visit https://www.edtechstrategies.com. For additional information on risk management, contact your Loss Control Specialist.