All organizations with internet-connected devices face cybersecurity threats, and schools are no exception. However, the nature of those threats is a little different in K–12 and higher ed environments. We’ll break down five of the most common security threats to schools, including real-world examples. We’ll also share what steps you can take to mitigate cybersecurity risks.
Educational institutions often tick off all the boxes on a threat actor’s list of favorite things:
Understaffed IT teams
Unsecured personal devices on the network
Unsecured IoT devices
Now let’s pause for a moment to imagine Julie Andrews singing about them.
1. Phishing
Phishing is the bane of every security-minded sysadmin’s existence. It relies on social engineering to trick users into performing a desired action: click the suspicious link, download the malicious file, hand over your Taylor Swift tickets, etc.
While the tactics are deceptively simple, phishing prevention is remarkably hard. That’s because so much of the weight of protecting against phishing falls on your users. Worse still, many phishing emails look surprisingly legitimate. And when your users consist primarily of weary students and overworked teachers, you can’t expect them to see through phishing emails 100% of the time.
The Adna School District, a small district in rural Washington, lost $346,000 in a phishing scam in 2023. Scammers created an email account in the name of a general contractor that the district worked with and sent a bill. The district paid but found out it was a scam after talking to the real general contractor, the county treasurer’s office, and the treasurer’s bank.
As a result, the school district had to reassess payment methods and processes, perform network diagnostics, ramp up cybersecurity training, institute two-factor authentication, and support law enforcement’s investigation. Oh, yeah — and deal with that gaping hole in the budget.
Cybersecurity training is your best bet to equip users with the skills they need to recognize and report phishing. But beyond that, consider adding an antiphishing extension to your default browser and using threat detection services that scan files prior to download.
2. Malware
Malware comes in countless forms, each of which can be disastrous. Between keyloggers, Trojans, worms, adware, cryptojackers, and botnet cyberattacks, there’s plenty of malware that goes bump in the night. And the threat of malware continues to grow. In 2022, malware attacks in the education sector grew 157% — that breaks down to 26% in higher ed and a whopping 323% in K–12.
In November 2020, threat actors successfully hacked Baltimore County Public Schools using a phishing email that installed malware. The cybersecurity incident disrupted the school system’s website and remote learning for several days. The resulting damages and system upgrades cost approximately $10 million.
We’d love to say standing by your router and shouting, “You shall not pass!” should do the trick. Unfortunately, it’s not that simple. You’ll need a more multifaceted approach to keep out the B̶a̶l̶r̶o̶g̶s̶ malware. We suggest antimalware software, regular scanning, strong firewalls, comprehensive user training, and regular software patching.
3. Ransomware
We know, we know — ransomware is a type of malware. But it’s earned its own spot on the list by being a scourge to many schools. In fact, ransomware attacks against schools rose 84% in six months during 2022.
Ransomware effectively takes your school data hostage by encrypting it. If you pay the fee attackers demand, they say they’ll decrypt it. But the truth is, they may just take your money and run. Still, 47% of K–12 schools and 56% of higher education institutions pay the ransom — which is probably part of why the education sector remains a prime target.
Maryland’s Prince George’s County started the 2023–2024 school year with a ransomware attack that affected approximately 4,500 user accounts. While the district worked with cybersecurity and forensic specialists to restore systems and investigate the incident, it now must also review the potentially compromised data, notify affected users that their personal information may be compromised, and offer access to free credit monitoring.
The best way to prevent ransomware and minimize its potential damage is just following common cybersecurity best practices. Patch those vulnerabilities. Create offline backups. Incorporate robust monitoring to detect intrusion. You know the drill.
4. Weak credentials
With so many platforms to sign in to, many staff and students are likely to use pretty weak passwords. We get it. It’s hard to be creative when you have to come up with dozens of passwords you’ll actually remember. But the weaker the credentials, the easier it is for hackers.
Using guessable passwords simplifies brute force attacks. Using the same password across platforms means cybercriminals can access countless platforms with just one set of compromised credentials. Using the default password for IoT devices means that just about anyone can access the device if they choose. There are just so many paths to failure.
According to surveys by Bitwarden, 19% of respondents admitted to having used “password” as their password, and 84% reuse passwords. The odds of users choosing exclusively strong passwords are not in your favor.
You’re probably sick of hearing it. We are. But we gotta mention security awareness training again. Sure, some users will still use weak credentials. If you train them, though, at least a few more might hop on the cybersecurity bandwagon. And that’s a step in the right direction.
5. Distributed denial-of-service attacks
A distributed denial-of-service (DDoS) attack floods the network with traffic and requests from multiple sources, often with the use of botnets (networks of malware-infected computers). The combination of easy-to-access school networks and outdated assets makes schools a prime target for DDoS attacks. Plus, orchestrating a DDoS attack is simple enough that even a tech-savvy middle schooler can do it (or pay someone else to for a remarkably budget-friendly price).
In Greece, a large-scale DDoS attack against the Education Ministry caused outages and delays in a centralized high school examination platform. Students ended up waiting hours to take the exam, and a political dispute ensued.
While backup internet service would be a nice touch, we know that’s probably not in the budget. Short of that, high-quality firewalls, intrusion detection and prevention systems (IDPS), and traffic analysis tools can help identify and filter out abnormal traffic associated with a DDoS attack. Cloud-based DDoS protection is also available: it redirects traffic to a scrubbing center that filters out malicious traffic during an attack.
Securing a fleet of hundreds (or thousands) of devices is no easy task, especially if you don’t have the support of a fully staffed IT team or well-funded budget. Such are the sacrifices sysadmins make to work in education.
But you don’t have to whittle your sleep schedule down to two hours a night just to get by. PDQ’s product suite helps you maintain up-to-date devices with less manual work, thereby improving the posture of your school’s fleet. Try PDQ to see how easy it is to do more with your limited staff and budget.