Cyber Risks on the Rise for US K-12 School Districts

K-12 school districts across the US are becoming increasingly targeted by cybercriminals. They are a prime vector of attack due to the large amount of sensitive data available in the form of staff and student personally identifiable information (PII), a particularly attractive target. Education currently tops the list of “most attacked” industries not only due to the prized PII data but also the ease at which it is to acquire since most educational institutions have IT departments that are frequently understaffed and always overworked when it comes to Cybersecurity support personnel; this is combined, in many cases, with a lack of key technology tools to combat the bad actors.

The pandemic, in particular, had a significant impact on the cyber threat risk level due to the increased dependence on third-party learning platforms and personal student devices as school districts shifted to remote and hybrid learning options. These rapid changes to the education technology infrastructure deployed across the country dramatically increased the threat surface that is vulnerable to cyberattacks. While the threat landscape continues to broaden, many school districts are finding that their resources, already stretched thin, are not able to allocate enough assets to effectively combat this new reality in cybersecurity.

Ransomware is still the most common attack amongst K-12 school districts, accounting for nearly 40% of all reported attacks in 2021, and the cost of these attacks is not limited to the ransom paid. There are additional costs for downtime and remediation, which can even escalate to legal costs, and these costs are often not covered with cyber insurance.

Another issue facing administrators is that adequate cybersecurity insurance protection is becoming increasingly difficult for school districts to obtain; annual premiums have climbed as much as 300%; and while requirements for coverage are becoming more stringent the levels of coverage are shrinking.

According to Fitchratings.com, "Districts will face greater financial risks from cyberattacks without the ability to adequately transfer risk. Fitch considers the impact of cyberattacks as part of its assessment of management, which is an asymmetric credit factor where evidence of significantly weaker characteristics may negatively affect the rating."

A reactive-only approach to cybersecurity leaves school districts across the US at risk. Unknown vulnerabilities across internal and external networks, along with the significant number of endpoints within a remote learning environment are easily exploitable by cybercriminals. Often, by the time an attack is identified, the damage is done.

In this climate, a proactive approach is imperative. Has your organization taken steps to manage cybersecurity risk?