How does your school combat cyber threats? You can’t afford to wait.:
Why old tech makes schools prime targets for cybercrime

 In |

Reading Time: 5 minutes

Institutions of higher education and K-12 school districts across the country are facing an escalating crisis: Cyberattacks threaten to disrupt learning, compromise critical data, and cause millions of dollars in damage.

Between 2016 and 2022, U.S. K-12 public schools and districts reported over 1,600 cybersecurity-related incidents. In 2022, 89 education sector organizations — 44 colleges and universities and 45 school districts operating 1,981 schools — were impacted by ransomware, while at least eight K-12 school districts, including Los Angeles Unified, were affected by significant cyberattacks in the 2022-23 academic year alone.

Educational organizations are prime targets for cybercriminals because of the sensitive student records, financial data, intellectual property, and proprietary research housed within their networks. A successful breach at a university or K-12 school can have devastating consequences.

According to a U.S. Government Accountability Office (GAO) report, the loss of learning time after a cyberattack ranged from three days to three weeks, and recovery time can take anywhere from two to nine months. School districts have lost between $50,000 to $1 million per cyberattack, the report says.

The question becomes: How did we arrive at a point where the data of millions of students and staff at learning institutions is under constant threat? And what must be done to secure our schools in an increasingly treacherous digital landscape?

Limited resources result in overreliance on aging technologies

Unlike large enterprises, K-12 school districts operate under tight budget constraints with limited IT staff, making it difficult to fund large security initiatives.

The average school spends less than 8% of its IT budget on cybersecurity. Twenty percent of schools commit less than 1%. Many districts get by with just one or two IT employees tasked with managing networks that support thousands of users across dozens of school sites. As a result, cybersecurity solutions often lose out to more visible needs like instructional tools, facilities, and transportation.

With limited resources, schools often rely on legacy hardware and software well past their prime. Even basic security upkeep like patching and upgrades falls by the wayside. All of this translates to antiquated systems with major security lapses. Coupled with the fact that these institutions must compete with a growing skills gap, it’s no wonder they’re prime targets for threat actors.

New federal initiatives seek to strengthen defenses

Recognizing the urgency to combat escalating attacks on schools, the federal government is building momentum around strengthening K-12 cybersecurity postures.

In August 2023, the Biden administration announced a new “Government Coordinating Council (GCC) that will coordinate activities, policy, and communications between and amongst federal, state, local, tribal, and territorial education leaders to strengthen the cyber defenses and resilience of K-12 schools.” The White House also plans to launch a $200 million FCC pilot program under the Universal Service Fund “to strengthen cyber defenses in K-12 schools and libraries in tandem with other federal agencies that have deep expertise in cybersecurity.”

Additionally, the Department of Education, the Cybersecurity and Infrastructure Security Agency (CISA), and other agencies are releasing tailored best practice guides to help school IT teams improve security.

While federal assistance is welcome, it remains limited in scope and funding compared to the enormous scale of IT infrastructure spanning over 13,000 school districts nationwide. Ultimately, the bulk of the cybersecurity burden still falls to state and local education departments.

Urgent need to modernize security posture

More than ever, IT leaders at institutions of learning need to take action to protect their environments. Here are critical steps every school district and university should prioritize:

  • Replace unsupported hardware and software: Take stock of aging infrastructure, including servers, routers, firewalls, endpoints, and operating systems that are no longer supported. Phase out and replace these unsupported technologies with on-premises equipment or secure cloud services.
  • Install updated security tools: Deploy basic protections like next-generation antivirus, firewalls, intrusion prevention, and threat intelligence feeds across networks, especially as perimeter models shift with remote learning.
  • Automate patching and updates: Rather than relying on manual efforts, implement patch management systems to continuously scan for and deploy the latest critical software updates across endpoints and servers.
  • Deliver ongoing user awareness training: Implement regular security training tailored to staff and students, giving them the skills to better identify and report phishing attempts, weak passwords, suspicious behavior, and other vulnerabilities.
  • Conduct security posture assessments: Perform in-depth security posture assessments using an outside firm to uncover vulnerabilities and plan security roadmaps tailored to your environment.

By taking advantage of today’s security solutions and expertise, you can create an effective cybersecurity program.

Expert guidance to strengthen education cybersecurity

While the threat landscape is daunting, you don’t have to tackle it alone.

SHI offers a wide range of solutions to address the vulnerabilities in educational institutions. From refreshing hardware to upgrading operating systems and exploring cloud options, SHI can help you craft tailored solutions to secure your learning environments effectively.

But it doesn’t stop there.

We offer a broad portfolio of security solutions from partners like Palo Alto, Fortinet, and Proofpoint to help you find the right fit. SHI has proven methodologies and experts to assist you in selecting, deploying, and managing complex security architectures. We offer incident response services to assist in responding to and recovering from cyberattacks, security awareness training and phishing simulations explicitly designed for the education sector, managed security services to augment your internal teams, and more.

If you’re concerned about cost, don’t be. SHI has a grants team that can work with you to find the best paths for funding your cybersecurity projects — and you can take our free Security Posture Review to understand your cyber risks and readiness better.

Strengthening education’s cybersecurity foundation

The growing number of cyber threats targeting educational organizations is alarming and underscores the critical need for improved security. These attacks are not just statistics; they have real and lasting impacts on students, educators, and institutions.

While schools often have limited resources, IT leaders must prioritize cybersecurity. Upgrading outdated technologies, enhanced training, and managed security services can strengthen defenses. New federal initiatives also bolster security over the long term.

Addressing these challenges requires a collective effort, practical solutions, and a long-term commitment from all parties. It’s tough, but by pulling together and strengthening and improving your defenses, you can make schools safer and more secure.

To learn more about modernizing your outdated hardware and technology and improving the security posture of your K-12 and higher education institutions, contact SHI today.