An Ounce of Prevention

President's Corner

Cyberattacks are a growing threat to school district operations and data privacy. While it is a critical issue for all organizations, it is especially important for public schools, which gather, store and transmit large amounts of sensitive data, including student and staff records, financial information and intellectual property.

This data collection, coupled with the number of devices schools deploy to students and staff, makes our systems a valuable target for cybercriminals in the United States or abroad seeking to commit theft, fraud, extortion or other crimes.

Over the past several years, we have seen the impact of data breaches, phishing, ransomware and other attacks. K-12 education is now the single most-targeted industry. According to Sophos, 80 percent of K-12 systems reported being hit by ransomware in the past year, and just under half paid to recover their stolen data. The education sector is also susceptible to e-mail-based threats, which compromise student or staff credentials through malicious e-mails or phishing attacks.

While the cost of cybersecurity can be high, the cost of not doing enough can be much higher. A cyberattack or data breach can result in the loss or theft of sensitive data, financial losses, service disruption or school closures. According to Campus Safety magazine, the cost of data breaches was $3.65 billion in K-12 education last year. This may include the cost of containment, remediation, recovery, legal counsel and credit monitoring for affected individuals.

You also must remember that any third-party vendor, partner, contractor or service provider who has access to your systems, data or processes also become the school system’s risk. These relationships increase vulnerabilities by providing criminals with another way into your systems. Consequently, we need to consider these groups part of our overall cyber risk, including understanding what agreements specify and who to contact regarding issues. We’ve also seen data breaches of many of the apps or software that schools use.

Investing in IT staff, software, hardware and data backup is important, but so is your stakeholders’ urgency and understanding of their role in data privacy and cybersecurity. Reminding students and staff about immediately reporting suspicious activity, being cautious of clicking on links, and developing good online habits is critical.

Last October’s Cybersecurity Awareness Month focused on four easy ways to keep our systems safe: using strong passwords or a password manager, turning on multifactor authentication, recognizing and reporting phishing attacks and updating software. Here are some additional tips for school district leaders:

Make cybersecurity a priority for the entire district. This includes developing a cybersecurity policy, training staff and students on best practices, and conducting regular security audits. Within my organization, we also send weekly tech tips and host virtual town halls on this topic. It’s also critical to regularly back up data.

Create a cybersecurity incident response plan. Outline how your district will respond to a cyberattack, including steps to mitigate the damage and restore operations. Empower your IT staff to “pull the plug” if you are unavailable and this action is necessary to stop widespread damage or destruction.

Partner with other organizations. School districts can learn from each other and share resources by partnering with other schools, government agencies, and cybersecurity organizations. For example, the Cybersecurity and Infrastructure Security Agency, a partner of AASA, leads the national efforts to understand, manage and reduce risk to our cyber and physical infrastructure.

Cybersecurity is an essential investment for public schools. By protecting our systems and data, we can avoid a cyber attack’s costly and disruptive consequences.

Gladys Cruz is AASA president in 2023-24.