Imagine going for an outing at sea in a boat in choppy waters. The boat is stocked only with life vests designed for leisurely cruises around a lake; their power to provide buoyancy is easily overwhelmed by strong currents. Those life vests did the trick back in the 1980s, when the boat was used to putz around a lake. It would cost a lot to replace them with ocean-ready upgrades. Surely, no one would take such a ride in such a boat. Or so you would think. And yet….
A majority of US school boards secure their data as if they occupied a far safer environment than they actually do. Only 42% of school boards in the US store their digital board materials on a board portal. The rest store their data on the wholly unsecured repositories of school websites, file-sharing servers or local hard drives. (Survey of 428 school board officials conducted by Diligent and the NSBA, July 2017) And not all of those 42% are using fully secure portals: Their cheaper counterparts may offer no encryption, low encryption (156-bit) or unsecured cloud storage. School boards using inadequately secured board portals put all of their district’s data in dire danger: Real cyber risk makes these waters choppier than they realize.
The waters are rough indeed, and school boards notoriously underestimate their exposure. Midway through 2017, the Wall Street Journal reported that more than 36 school districts had been hacked so far that year. Inadequate board portal security leaves district data susceptible to ransomware schemes and identity theft.
According to leading security consulting firm Aon Cyber Solutions, ransomware schemes increased in 2017 and show every sign of continuing their meteoric rise. (Aon, “Aon’s Cybersecurity 2018 Predictions: Companies Will Make Major Enterprise-Wide Changes to Address Cyber Risk” 01/08/2018, press release). International criminal rings like the notorious SamSam insert cryptoworms into a district’s operating system, garbling all the data. They then demand ransom to restore it. Such a scam brought Atlanta to its knees in March of this year, costing over $2 million to address. The rise of cryptocurrencies promotes the proliferation of these schemes by wedding the anonymity of cash with the long-distance reach of online payments.
Ransomware rings love school districts. Unlike “whalers” that go for a few attacks on large entities, the business model for ransomware rings relies on a large volume of soft targets that meet a certain profile: (1) Corruption of data would interrupt mission-essential operations; and (2) the victim could access the $52,000 that is the average ransom. That business model puts school boards squarely in their crosshairs.
School districts are low-hanging fruit because their data includes bank account numbers, Social Security numbers and the medical records of staff, students and vendors. Identity thieves may use a victim’s credit card. They sometimes hold private data hostage, demanding a ransom in exchange for not publicizing it. Imagine receiving a note that reads: “I have the medical histories of all your eighth graders, and I’ll post them online unless you pay me $100,000.” In October 2017, the US Department of Education issued a warning that cybercriminals were targeting US schools in an attempt to steal confidential student data, which they would then hold hostage.
Chinks in the Armor
While ransomware in its pure form corrupts operating systems, classic identity theft snatches data. Both rely on an outsider’s penetrating the documents or operating system that the school board is responsible for keeping safe. Subpar security leaves many openings by which a district’s data can be attacked:
School boards can protect themselves from such attacks by requiring full security from their board portal. That means 256-bit encryption and data storage on a private cloud-based server (not simply “the cloud”). Sitting on mounds of FERPA-protected student information and confidential staff records, they are prime targets for the growing swarm of cybercriminals. Skimping on portal security makes them penny wise and pound foolish.
Aon Corporation, “Aon’s Cybersecurity 2018 Predictions: Companies Will Make Major Enterprise-Wide Changes to Address Cyber Risk” 01/08/2018, press release
BoardDocs blog, “What Is Your School Board Risking by Using Google Docs?”
Cloudfindhq.com, “How Secure Is Google Drive? 10 Things You Need to Know about Cloud Security
Prinzlau, Mauricio, “Six Security Risks of Enterprises Using Cloud Storage and File Sharing Apps,” Data Insider March 22, 2016
NSBA and Diligent Corp., Survey of 428 school boards, July 2017
Villino, Bob. “The Dirty Dozen: 12 Top Cloud Security Threats for 2018,” CSOonline Jan. 5, 2018