A few examples on the “hit list” include public schools in Arlington, VA, which had staff Social Security numbers exposed in a data breach, followed by a vendor’s unauthorized access to student files.
In Texas, a hacker was able to use unsecured remote access to a desktop to gain control of shared files for 1,300 staff and students, while two districts had names and Social Security numbers of staff made public on a website managed by the Texas Association of School Boards.
Email phishing attacks have heavily targeted schools and have been used to gain user credentials, exfiltrate data, reroute electronic deposits, and spread ransomware that forces payment to the hackers to recover files.
Schools are at high risk because they store personal information on staff and students that has value when sold on the Dark Web, and they often neither allocate sufficient budget to protect this data nor have access to cybersecurity expertise. This makes K-12 a prime target for hackers.
States have responded by passing student data privacy bills and laws to protect student data, and Districts now have a responsibility to implement protective security measures, as well as to validate their compliance with the new protections. Requirements include monitoring, encryption, risk assessment, and consistent testing and remediation of vulnerabilities, based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).
NIST CSF is a framework provided by the Federal Government and recommended for schools to establish a Cyber Security Program. Foresite can assist Districts through cybersecurity and compliance consulting and NIST CSF gap assessment, as a resource for incident response, and by providing a monitoring solution that addresses the top reasons many monitoring tools fail, especially in schools with tight budgets and few internal technical resources.