Securing Our Schools: The Urgent Need for Cybersecurity in K12 Education

Cybersecurity is often at the bottom of the list of concerns for schools, but recent events demonstrate that it must be urgently prioritized. Cybercriminals are targeting schools at an alarming rate. 

A CBS News investigation found that only one out of fifty school districts had a policy for tracking and reporting cyber data breaches, while two were still developing a plan. This was despite the fact that there had been over a hundred publicly reported cybersecurity attacks against schools in California alone, including a dozen ransomware attacks.

Cybersecurity analysts have identified over 1,600 ransomware attacks on school districts across the US in 2020 alone, and the number is rising. Student information from these breaches is being sold on the dark web at premium prices. Children's clean credit histories make them perfect targets for identity thieves, and victims may not even realize that they've been targeted until years later, when they join the workforce and start applying for credit cards. In San Diego, more than 500,000 students and staff in the Unified School District had their data stolen in 2018.

Government and industry bodies are already calling for stricter cybersecurity regulation and mandated reporting of cyber breaches for schools, which means that school systems will not only be forced to report incidents publicly (leading to reputational damage) but will be required to sharpen their cyber defenses. 

Let's take a closer look at why schools are being targeted, how they are being targeted, and how they can strengthen their defensive posture against these incidents. 

Why Are Schools Being Targeted? 

There are a few reasons why schools are being targeted with far greater frequency: 

  • Schools collect and store a lot of sensitive data about their students, including their names, addresses, social security numbers, and medical records. Cybercriminals can use this data to commit identity theft, fraud, and other crimes.
  • Many schools have limited resources to invest in cybersecurity, so they may be running outdated security systems that are more vulnerable to attack. Cybercriminals assume that schools are less likely to be prepared for cyberattacks and more likely to respond to ransom demands, which is why schools are being targeted far more than ever before.
  • Teachers, administrators, IT staff, and school board members may need more training or guidance to protect their networks. In some cases, tech-savvy students may even circumvent existing cybersecurity controls or may be lured into providing access to school IT systems to others. 
  • School suppliers and vendors are often being onboarded without considering their cybersecurity posture, compromising the entire network.

Schools also lack guidance, as there are no meaningful cybersecurity risk management standards for schools at either a state or federal level and very few resources that schools can apply to meet any standards, even if they did exist. 

Schools that want to strengthen their security posture have to get a third-party specialist involved to provide the guidance and technical expertise they need.

What Kind of Attacks Do Schools Face? 

The most common forms of attack that schools face are phishing attacks, ransomware attacks, data breaches, and DDoS attacks.

Phishing

Phishing is a social engineering attack where cybercriminals send emails or text messages that appear to be from a legitimate source, such as a bank or credit card company. The emails or text messages often contain a link or attachment that, when clicked or opened, installs malware on the victim's computer. Once the malware is installed, it can steal personal information, such as passwords, credit card numbers, and Social Security numbers, or infiltrate the rest of the network to access student data.

Data breaches

A data breach occurs when cybercriminals gain unauthorized access to a computer system or network and steal the sensitive data it holds, such as customer records, financial information, or intellectual property. For a school, that means student records, staff details, or financial information, which can then be used to commit identity theft, fraud, or other crimes.

Ransomware

Ransomware is malware that encrypts a victim's files and demands a ransom payment in exchange for the decryption key. If the ransom is not paid, the victim may permanently lose access to their files. Ransomware attacks can be devastating for businesses and schools alike: once the school's data is encrypted, operations are disrupted and the financial losses mount whether or not the ransom is paid. A ransomware attack hit the Atlanta Public Schools in March 2019. The attack forced the district to shut down its computer systems and cancel classes for two days. The district eventually paid a ransom of $110,000 to regain access to its data.

DDoS attack

In a DDoS (distributed denial-of-service) attack, cybercriminals flood the school's network with more traffic than it can handle, making it unavailable to users. The traffic usually comes from a botnet, a network of infected computers that the attacker controls. The botnet sends large volumes of requests to the target, which overwhelms the target's servers and makes them unavailable to legitimate users.

There are two main types of DDoS attacks: volumetric and application-layer attacks. Volumetric attacks flood the target with large amounts of traffic, while application-layer attacks target specific applications or services.

Volumetric attacks are the most common type of DDoS attack. They work by flooding the target with large amounts of traffic, such as HTTP requests, UDP packets, or ICMP packets. This can overwhelm the target's servers and make them unavailable to legitimate users.

Application-layer attacks target specific applications or services. They send requests to the target designed to exploit vulnerabilities in the application or service. This can cause the application or service to crash or become unavailable to legitimate users.

Either way, a successful DDoS attack can disrupt classes, prevent students from accessing their work, and cause other problems. In 2016, the University of California, Berkeley, was hit by a DDoS attack that took down the university's website and email servers. The attack was believed to be the work of a group of hackers who were protesting the university's tuition policies.

The Impact of Distance Learning

Until a few years ago, security incidents at schools followed common patterns, but the COVID-19 pandemic has introduced new methods of attack that changed the entire security landscape, and many schools were woefully unprepared for the shift. 

Adopting remote learning introduced new cyber incidents, including malicious actors that interrupt classes, staff or PTA meetings, or virtual graduations by breaching the security measures of meeting software like Zoom or Google. There was also an increase in email invasions, where closed email systems (like faculty emails) were compromised and used to share malicious links or photos. 

According to the 2021 K-12 Cyber Incident Map, more than 166 school cyber incidents occurred as schools struggled to shift to remote learning. 

What Are Some Ways Schools Can Improve Cybersecurity?

Schools clearly need strong cybersecurity. Money and resources can be difficult to access, and security can be expensive, but alternative solutions can offer comprehensive protection at a low price. Schools can also take several security measures to protect themselves and their students, like simple endpoint antivirus solutions or implementing multi-factor authentication. 

Remember that providing security to school systems isn't a static or simple process. Your vendor has to be able to implement a dynamic solution adapted to the school's unique needs and should change as new threats emerge. 

Antivirus Software

Antivirus programs can protect schools by detecting and removing malware, viruses, and other threats. They can also help to prevent unauthorized access to school networks and systems.

Antivirus programs work by using a variety of methods to detect threats, including:

  • Signature-based detection: This method uses a database of known malware signatures to identify and block malware.
  • Heuristic detection: This method uses algorithms to identify suspicious behavior that may be indicative of malware.
  • Behavioral detection: This method monitors the behavior of programs and files to identify and block malware that may be trying to evade signature-based or heuristic detection.
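The three detection methods listed above can be seen side by side in a small scanner. The following is an added illustration, not code from the original article or from any antivirus vendor: the "known bad" sample, its hash, the file contents and the process events are all constructed for the example, and the thresholds (entropy above 7.0 bits, 20 distinct files modified within 10 seconds) are assumptions chosen for demonstration rather than values from any product.

```python
import hashlib
import math
from collections import defaultdict

# Signature layer: exact hashes of known-bad files. The sample and its hash are
# constructed here; a real product pulls millions of these from a vendor feed.
KNOWN_BAD_SAMPLE = b"CONSTRUCTED-MALWARE-SAMPLE-0001"
SIGNATURES = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}

def signature_hit(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() in SIGNATURES

# Heuristic layer: static traits that are suspicious without being proof.
def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for repetitive data up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def heuristic_hits(name: str, data: bytes):
    reasons = []
    if shannon_entropy(data) > 7.0:            # near-random bytes: packed or encrypted payload
        reasons.append("high-entropy")
    parts = name.lower().split(".")
    if (len(parts) >= 3 and parts[-1] in {"exe", "scr", "bat"}
            and parts[-2] in {"pdf", "doc", "jpg"}):
        reasons.append("double-extension")      # "invoice.pdf.exe" style masquerading
    return reasons

# Behavioral layer: what a process does at run time. Events are (seconds, pid, action, path).
def behavioral_hits(events, min_files=20, window=10.0):
    """Flag processes that modify many distinct files in a short window (ransomware-like)."""
    by_pid = defaultdict(list)
    for t, pid, action, path in events:
        if action in ("write", "rename"):
            by_pid[pid].append((t, path))
    flagged = []
    for pid, items in by_pid.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:   # slide the window forward
                start += 1
            if len({p for _, p in items[start:end + 1]}) >= min_files:
                flagged.append(pid)
                break
    return sorted(flagged)

def scan_file(name: str, data: bytes) -> str:
    """Signature first (certain), then heuristics (suspicious); behavior is judged separately."""
    if signature_hit(data):
        return "malicious:signature"
    reasons = heuristic_hits(name, data)
    return "suspicious:" + ",".join(reasons) if reasons else "clean"

# Constructed inputs for the demonstration
BENIGN = b"Lesson plan: photosynthesis, chapter 4\n" * 20
PACKED = bytes(range(256)) * 4        # every byte value equally often -> entropy 8.0
EVENTS = [(100.0 + i * 0.2, 4242, "write", f"/shares/grades/file{i}.docx") for i in range(25)]
EVENTS += [(100.0, 7, "write", "/home/teacher/notes.txt"),
           (105.0, 7, "write", "/home/teacher/notes.txt")]

if __name__ == "__main__":
    print(scan_file("report.pdf", BENIGN))
    print(scan_file("update.exe", KNOWN_BAD_SAMPLE))
    print(scan_file("report.pdf.exe", PACKED))
    print("processes with ransomware-like file activity:", behavioral_hits(EVENTS))
```

The point of the layering is that each method catches what the previous one misses: the hash lookup only fires on a file already in the database, the entropy and naming heuristics fire on a repacked variant with a fresh hash, and the behavioral rule fires on a process whose file on disk looked clean but which starts rewriting a share at machine speed.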

Antivirus programs can be effective against a wide range of threats, including:

  • Malware: any software that is designed to harm a computer system, like viruses, worms, trojans, and spyware.
  • Viruses: malware that can replicate themselves and spread from one computer to another.
  • Worms: malware that can spread from one computer to another without the need for human interaction.
  • Trojans: malware that disguises itself as legitimate software. Once installed, trojans can steal personal information, damage files, or take control of a computer system.
  • Spyware: malware that collects personal information about a user without their knowledge or consent. This information can then be used to track the user's online activity or to commit identity theft.

Antivirus programs will only do so much, however, and have to be combined with other security measures, such as firewalls, strong passwords, and security awareness training, to protect schools from cyberattacks.

Hardware-Based Firewalls

A solid firewall and network filters can also provide essential protection, especially for schools that offer hybrid, remote, and on-site classes.

A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on a set of rules. Firewalls are used to protect networks from unauthorized access, unwanted traffic, and malicious attacks. There are two main types: hardware firewalls, which are physical devices installed between a network and the internet, and software firewalls, which are programs installed on individual computers or servers.

Firewalls work by examining each packet or connection and comparing it to the rule set in order. If the traffic matches an allow rule, the firewall lets it pass. If the traffic matches no rule at all, the firewall blocks it by default.
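The rule-matching described above, with first-match semantics and a default deny, is shown in the following added example. It is not code from the article or from any firewall product; the VLAN address ranges (students 10.20.0.0/16, guests 10.30.0.0/16, servers 10.0.1.0/24, admin 10.0.2.0/24) and the learning-portal address 10.0.1.10 are hypothetical values chosen for the example. It also includes a check for shadowed rules, the mistake most often seen in school rule sets: a rule added later that can never match because an earlier rule already decides all of its traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp", "icmp" or "any"
    src: str                # CIDR or "any"
    dst: str                # CIDR or "any"
    dport: Optional[int]    # destination port, None = any port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def _in_cidr(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and _in_cidr(rule.src, pkt.src)
            and _in_cidr(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(rules, pkt: Packet, default: str = "deny"):
    """First matching rule wins; traffic that matches nothing gets the default action.
    Returns (action, index of the deciding rule or None for the default)."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return default, None

def _covers(outer: str, inner: str) -> bool:
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))

def shadowed(rules):
    """Indices of rules that can never match because an earlier rule already covers all their traffic."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.proto in ("any", later.proto)
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                out.append(j)
                break
    return out

# Constructed rule set for a hypothetical school network (addresses are assumptions)
RULES = [
    Rule("deny",  "any", "10.30.0.0/16", "10.0.0.0/8",   None),  # 0: guest Wi-Fi never reaches internal ranges
    Rule("allow", "tcp", "any",          "10.0.1.10/32", 443),   # 1: everyone else may reach the portal over HTTPS
    Rule("allow", "any", "10.0.2.0/24",  "10.0.1.0/24",  None),  # 2: admin VLAN manages the server VLAN
    Rule("allow", "any", "10.30.0.0/16", "any",          None),  # 3: guests get internet only (rule 0 ran first)
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.20.5.7", "10.0.1.10", 443),    # student -> portal
                Packet("tcp", "10.30.1.2", "10.0.1.10", 443),    # guest -> portal
                Packet("tcp", "10.20.5.7", "10.0.1.10", 22),     # student -> SSH on portal host
                Packet("tcp", "10.30.1.2", "203.0.113.10", 443)): # guest -> internet
        print(pkt, "->", evaluate(RULES, pkt))
    print("shadowed rules:", shadowed(RULES))
```

Because rule 0 sits above the portal rule, a guest device is denied the portal even though rule 1 would otherwise allow it; move rule 0 below rule 1 and guests silently gain access. The `shadowed` check flags the opposite mistake, a new allow rule placed after a broad deny that swallows it, which is why rule order should be reviewed every time a rule is added.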

Firewalls can be used to protect networks from a variety of threats, including unauthorized access, unwanted traffic (like spam), and malicious attacks (like viruses and worms). 

DNS Quality

The Domain Name System (DNS) links domain names to IP addresses. Keeping DNS servers updated and correctly configured closes gaps that attackers could otherwise exploit to extract data like usernames, passwords, or personal information.

By implementing DNS quality measures, schools can block access to known phishing websites and prevent users from clicking on malicious links present in phishing emails. DNS security solutions can also analyze and categorize websites in real time, identifying and blocking phishing sites before they can reach school networks.

Schools can identify and block connections to known malicious domains and prevent malware-infected devices from communicating with command-and-control servers. This proactive approach helps prevent the infiltration of malware and reduces the risk of ransomware attacks, safeguarding critical data and systems within the school network.

By using DNS-based filtering, schools can restrict access to inappropriate or malicious websites, ensuring a safe online environment for students and staff. DNS quality solutions can also provide granular control over website categories, allowing schools to tailor web access policies. By monitoring DNS queries and responses, DNS quality solutions can detect suspicious patterns and behaviors indicative of botnets or other malicious activities. This helps schools identify compromised devices and take appropriate remedial actions to mitigate the threat.

It's a good place to start for any school that wants to be proactive in terms of its threat intelligence and incident response capabilities. DNS quality solutions often incorporate threat intelligence capabilities, leveraging global threat feeds and machine learning algorithms to identify emerging threats. By analyzing DNS traffic patterns and correlating them with threat intelligence data, schools can proactively identify and respond to potential cyber threats, minimizing the impact of attacks and reducing the time to detect and mitigate incidents.
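The DNS-based controls described in this section (blocking known malicious domains, category filtering, and spotting suspicious query patterns that point to a compromised device) are brought together in the following added example. It is not code from the article or from any DNS security product: the blocklist, the category map, the log format and every log line are constructed for the example, and the thresholds for flagging a client (five or more NXDOMAIN responses with a mean first-label entropy of at least 3.0 bits) are assumptions rather than values from any vendor.

```python
import math
from collections import defaultdict

# Constructed lists; a real deployment would load these from a threat-intelligence feed.
BLOCKLIST = {"phish-login-example.test", "malware-c2.example"}
CATEGORIES = {"gambling.example": "gambling", "video.example": "streaming"}
BLOCKED_CATEGORIES = {"gambling"}

def _parent_domains(qname: str):
    """Yield the name and each parent (e.g. a.b.example, b.example), never the bare TLD."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def classify(qname: str):
    """Return ("block", reason) or ("allow", None) for one query name.
    Matching parents means a blocklisted domain also blocks all of its subdomains."""
    for d in _parent_domains(qname):
        if d in BLOCKLIST:
            return "block", "blocklist:" + d
        category = CATEGORIES.get(d)
        if category in BLOCKED_CATEGORIES:
            return "block", "category:" + category
    return "allow", None

def label_entropy(label: str) -> float:
    """Shannon entropy of one DNS label; random-looking labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

# Constructed resolver log: "<timestamp> <client ip> <query name> <response code>"
LOG = """\
2024-03-01T08:00:01 10.20.5.7 www.example.edu NOERROR
2024-03-01T08:00:02 10.20.5.7 phish-login-example.test NOERROR
2024-03-01T08:00:03 10.20.9.9 cdn.malware-c2.example NOERROR
2024-03-01T08:00:04 10.20.9.9 qz7kx3vb9m.example NXDOMAIN
2024-03-01T08:00:05 10.20.9.9 h4tn8wpl2r.example NXDOMAIN
2024-03-01T08:00:06 10.20.9.9 y6gsd1fjc5.example NXDOMAIN
2024-03-01T08:00:07 10.20.9.9 ov2bxe9aqk.example NXDOMAIN
2024-03-01T08:00:08 10.20.9.9 w8mcr5ztn3.example NXDOMAIN
2024-03-01T08:00:09 10.20.5.7 gambling.example NOERROR
2024-03-01T08:00:10 10.20.5.7 typo.exmaple.edu NXDOMAIN
"""

def parse_log(text: str):
    records = []
    for line in text.strip().splitlines():
        ts, client, qname, rcode = line.split()
        records.append({"ts": ts, "client": client, "qname": qname, "rcode": rcode})
    return records

def blocked_queries(records):
    """(client, qname, reason) for every query the resolver should have refused."""
    out = []
    for r in records:
        verdict, reason = classify(r["qname"])
        if verdict == "block":
            out.append((r["client"], r["qname"], reason))
    return out

def suspicious_clients(records, min_nxdomain=5, min_entropy=3.0):
    """Clients producing bursts of NXDOMAIN for random-looking names, a common
    footprint of malware cycling through generated domains looking for its controller."""
    entropies = defaultdict(list)
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            entropies[r["client"]].append(label_entropy(r["qname"].split(".")[0]))
    flagged = [client for client, ents in entropies.items()
               if len(ents) >= min_nxdomain and sum(ents) / len(ents) >= min_entropy]
    return sorted(flagged)

if __name__ == "__main__":
    records = parse_log(LOG)
    for item in blocked_queries(records):
        print("blocked:", item)
    print("clients to investigate:", suspicious_clients(records))
```

The single typo from 10.20.5.7 produces one NXDOMAIN and is ignored, while 10.20.9.9 combines a lookup of a blocklisted domain with a run of failed lookups for high-entropy names; that device is the one an IT team should pull off the network and examine first.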

Network Detection and Response (NDR) Systems

NDR systems play a vital role in safeguarding school computer networks. They work by collecting and analyzing network traffic data and looking for signs of malicious activity, and they can detect malware, data breaches, and DDoS attacks by recognizing patterns of that activity. Once a threat is detected, NDR systems can be used to block it, quarantine the affected systems, and investigate the incident.

By leveraging AI and machine learning, NDR systems can autonomously assess the risk level of detected issues and differentiate between genuine threats and false alarms, and IT teams can focus their attention on the most critical and urgent security concerns.

Endpoint Protection

Endpoint protection is a type of security software that helps to protect individual devices, such as laptops, desktops, and mobile devices within the school network, from malware, viruses, and other threats. Endpoint protection solutions can be deployed on individual devices or on a network. Network-based endpoint protection solutions can provide more comprehensive protection than device-based solutions, as they can protect all devices on the network, regardless of whether they are connected to the network at the time of a threat. By deploying reliable endpoint protection software, schools can proactively detect and block malware, unauthorized access attempts, and other security threats targeting individual endpoints.

Regular patches and updates

Keeping software up-to-date is crucial for maintaining a secure network environment. Schools should ensure that all software, including operating systems and applications, receive timely updates and patches from their respective vendors. These updates often address vulnerabilities and security flaws that can be exploited by attackers. By regularly applying updates or choosing tools that can automatically update software, schools can close potential entry points for cyber threats and minimize the risk of successful attacks.

Two-Factor Authentication (2FA)

Implementing two-factor authentication adds an extra layer of security to sensitive information access. With 2FA, users are required to provide additional verification, such as a unique code sent to their mobile device, in addition to their regular login credentials. This prevents unauthorized access even if passwords are compromised. Schools can enforce 2FA for accessing critical systems, administrative portals, and other sensitive resources, reducing the risk of unauthorized access and data breaches.

Segregation and Individual Strong Passwords

Schools should implement segregation measures, such as Virtual Local Area Networks (VLANs), to separate different types of network traffic, such as guests, BYOD (Bring Your Own Device), staff, and school laptops. Using strong and unique passwords for sensitive accounts, especially those containing important and vulnerable data, adds an extra layer of protection. Authentication protocols can be employed to limit risks associated with password sharing and make it easier to change passwords when necessary.

Pruning Active Directory

It is essential for schools to regularly update and prune their Active Directory. When students leave the school, their access privileges should be promptly revoked to prevent unauthorized access. By removing former students' access rights, schools reduce the risk of internal threats and potential misuse of the system.

Patching and Updating Equipment

Keeping all equipment, including servers and network devices, patched and up to date is crucial for maintaining a secure network environment. Developers and manufacturers frequently release updates that address security vulnerabilities and improve the overall resilience of software and hardware. Regularly checking for updates and installing them promptly ensures that schools benefit from the latest security patches, bug fixes, performance improvements, and new features. Following best practices, such as implementing a management VLAN and enabling only necessary protocols, further strengthens network security.

Security Awareness Training

Finally, schools should provide cybersecurity training to administrators, teachers, and students. Knowledge can be your best defense when it comes to cybersecurity. Professional security companies or IT staff can conduct training sessions to educate the school community about common threats, such as phishing attacks. By increasing awareness and knowledge about cybersecurity, individuals are less likely to fall victim to scams and malware links, thus enhancing overall security.

How Coro Can Help

The list of protective measures feels extremely long - and complicated. Thankfully, there is a company that can help you implement every security measure you need without breaking the bank.
Coro Cybersecurity lets you manage multiple security domains in one, unified dashboard.

Coro is a powerful cybersecurity solution that can greatly benefit schools in fortifying their digital defenses. With a focus on network security, workstation protection, WiFi security, and seamless integration with platforms like Microsoft Office 365 and Google Workspace, Coro offers comprehensive and effective security measures tailored to the needs of educational institutions.

Coro relieves the burden on IT teams by automatically handling over 80% of threats through AI and automation. This capability is particularly valuable for schools with limited resources and budgets. 

If you would like to know more, get in touch with Coro. It's a complete solution for your entire network at an affordable rate.