CALIFORNIA, USA — This story was originally published by CalMatters.
From potential fires to active shooters, schools usually have a plan for emergencies. Tasked with guarding society’s youngest members, administrators don’t usually leave a lot to chance.
But an increase in ransomware attacks in the education sector — which threaten to hold schools’ online systems hostage until they pay a ransom — has left many California schools without a playbook for this new problem.
Nearly 1,700 schools across the country were affected by ransomware attacks last year, according to New Zealand-based software company Emsisoft. In California, at least 26 schools have experienced a ransomware attack since 2019, often with harsh consequences: Sierra College had some systems shut down during finals week; Newhall School District’s 10 elementary schools went a week without online school during the pandemic; and UC San Francisco paid a $1.14 million ransom.
Emsisoft and the U.S.-based non-profit K-12 Cybersecurity Resource Center published reports showing an increase in the number and severity of ransomware attacks against schools across the United States. In March, the FBI published a bulletin warning schools about an increase in ransomware.
“People just don’t think it’s ever going to happen to them,” said Mary Nicely, point person for cybersecurity at the California Department of Education.
But if it does happen, the consequences can be extensive, according to experts and administrators who have suffered an attack.
So, what should schools — or you, a regular person — do to prepare for ransomware attacks? CalMatters spoke with over a dozen cybersecurity experts to help answer how schools and readers can help protect themselves.
The first step to good cybersecurity, they said, might be a mindset shift.
Schools shouldn’t ever assume they’re protected, according to Eric Grosse, former vice president for security and privacy engineering at Google. In the tech industry, this philosophy is called “zero trust networking.” It’s the idea that even with VPNs, firewalls and other preventative measures, hackers can still infiltrate your networks.
“Don’t figure you’re gonna have a safe network where you can be sloppy,” Grosse said. “Figure that all of your networks are liable to compromise and configure all of your machines, your servers, your endpoints, to assume that a hostile, skilled intruder is able to (harm) them.”
Schools should also be weary of products that guarantee protection from cyberthreats. Doug Levin, national director for the K12 Security Information Exchange, warned schools about “solutionism” via product. He said there are steps many schools can take to better protect their networks even without additional resources, such as improving cyber hygiene.
“It’s very important for folks in school districts and even superintendents in particular not to fall in the trap of thinking that … if they only bought x service that they could completely protect their school community,” he said. “There’s no such product like that that exists … protecting school districts from security risk is a complicated endeavor, it is continually shifting, and much of the risk comes from internal risk and risks with their vendors, as much as it does with protecting their network with a better firewall.”
Cybersecurity can be expensive — but schools should make sure to calculate their risk before deciding they can’t afford to pay for software and hardware upgrades or cyber insurance, according to Nick Merrill, a cybersecurity researcher at UC Berkeley.
“If you’re saying we’ve assessed all those harms and we’re sure that it’s just better for us to get hit by ransomware and have to deal with that than it is for us to go through this backup process, fine, that’s a calculation,” Merrill said. “What we’re trying to prevent against are organizations that haven’t made the calculation, that wouldn’t have made that decision, that just weren’t aware, or even worse, maybe thought they were protected and really haven’t been protected.”
And cybersecurity isn’t just an IT problem. School administrators need to understand it and ask the right questions of their IT departments.
“There’s a massive disconnect between the administration — superintendents, boards, the local principals — and IT,” said Kevin McDonald, an expert in ransomware attacks and chief information security officer at Alvaka Networks, an Irvine-based cybersecurity company. “It’s a delta that’s so large, it’s going to take effort to split it.”
The good news is that a few simple preventative measures can lower schools’ risk of getting attacked.
“These attackers go after the easy and the open,” McDonald said. “Every step you make it harder, you become less likely to be a target.”
Cybersecurity experts recommend:
#1: Use multi-factor authentication
Multi-factor authentication is when users present multiple credentials to log into an account. For example, if you log in to your bank account with your username and password, and then have to enter a code the bank texts to your phone, that’s multi-factor authentication. This means that even if hackers get your password they can’t access your account or systems.
Multi-factor authentication is the best way to prevent bad guys from getting into your systems, according to Andrew Brandt, a malware researcher at SophosLabs. Almost every expert CalMatters spoke with cited multi-factor authentication as one of the strongest cybersecurity measures.
#2: Patch often
Patching — a tech term for fixing security vulnerabilities in software — is also a strong preventative measure. When software researchers or companies find glitches, they usually send out a fix in the form of a software update. The update will prevent hackers from further exploiting the glitch. But there’s a catch: Soon after security updates are released, cybercriminals can reverse engineer the update to figure out the glitch and exploit it in systems that aren’t patched quickly enough. That means that you should make sure to patch and update all software as soon as possible or set automatic updates.
“Don’t dawdle getting that fix applied on your local systems,” Grosse said. “The organizations that are sloppy on that, they think, ‘Oh, but if we make a change, maybe something will break.’ Those people are asking for trouble. Because something will break — they will get hacked, and it will be hard for them to recover.”
#3. Back it up (the right way)
Backups are crucial to cybersecurity.
If a school gets hit with ransomware but has good backups, it probably won’t have to pay the ransom, said privacy and data security attorney Scott Koller. The ideal backup isn’t connected to the Internet and will never be connected to the Internet, often called an “air-gapped backup” (think external hard drive or CD).
Several experts CalMatters spoke with think that if you don’t have the time or resources to backup your files to an external hard drive, the cloud is a good alternative — the companies that run the cloud have the expertise and funding to handle cyberattacks. But with the cloud, you still run the risk of having your accounts compromised if cybercriminals steal your credentials, according to McDonald, who said he regularly sees victims who have had their cloud backups deleted or encrypted. You should also make sure you have an up-to-date inventory of all hardware and software in your environment, because you can’t protect what you don’t know exists, according to Josh Moulin, a senior vice president at the Center for Internet Security.
#4. Run drills, lots of drills
Just like schools run fire drills, it’s important to run cyberattack drills to make sure their plan runs smoothly. Simulate a cyberattack and then try restoring from just your backups. You should test as if you have nothing but your backups. People would be surprised by what they experience running drills, according to experts. Perhaps several teachers’ files are stored on their desktop and haven’t been backed up appropriately, or you discover that some of your backups are connected to the Internet and could be compromised by a ransomware attack. Or maybe, you realize that it would take several months or even years to restore your network from your backups. Schools should also make sure to print their incident response or cyberattack plan on paper or stored in an offline data store in case a cyberattack locks them out of their system files.
#5. Phish your own people
Training users how to recognize phishing attacks — malicious links that cybercriminals often send via email or text message — is also important. Almost all ransomware attacks are first executed through phishing attacks, Merrill said. These emails could be mass produced and generic, or specific — emails that are personalized are called “spear phishing.” One of the most effective ways to train users about phishing attacks is to run phishing campaigns, according to several experts. Schools should send fake phishing emails and see who clicks on the malicious links. Use it as an opportunity to educate the entire school community about phishing attacks and how to detect them.
#6. Think about who needs access to what files
Another measure schools should follow is the tech principle of “least privilege.” This means that users should have access to the files they need to do their jobs, but not more than that.
For example, people who control employee payroll might not need access to student grades. This prevents cybercriminals from gaining access to everything in a network if they hack into one account. Users with more privileges (access to more files in the network) should have stricter cybersecurity than those who don’t. While all users should use multi-factor authentication, it’s absolutely critical for those with more privileges.
By the same token, schools should make sure to “segment” their networks, or control online traffic flow: For example, you can prevent all student traffic from reaching employee payroll by partitioning the networks. Similar to quarantining patients sick with an infectious disease, segmenting your networks helps prevent malicious software from spreading and contaminating all your devices on the network.
What about passwords?
Some experts have taken issue with cybersecurity advice given to administrators, like the focus on digital literacy and changing passwords every few months.
Changing passwords every two to four months is “crazy,” according to Eric Grosse, a former vice president for security and privacy engineering at Google.
Passwords are easy to guess, hard to change and don’t end up offering a lot of security alone, experts said. Some companies, like Microsoft, are banning passwords.
Criminals can also “brute force” their way through passwords. Brandt said that even if passwords aren’t easy to guess, cybercriminals can run programs that will go through thousands of combinations per minute until they figure out the right password.
Grosse recommended using a security key, which requires both a password and a physical key to log into systems.
“What we found at Google was we were in a constant arms race with the Russians and others … in preventing phishing attacks and other ways in which they could somehow get credentials and use that to take over systems,” he said. “When we finally introduced security keys to our employee population, it stopped the arms race cold. We never had another instance of an employee’s account getting taken over.”
Grosse said that organizations should never feel like cybersecurity is accomplished with VPNs, firewalls, or the like. There should be zero trust — don’t assume that your computer is beyond compromise, he said.
“I think the only practical advice for these smaller places is, security is hard,” Grosse said. “You’re up against very capable adversaries who are relentless.”
Even if you’re a school? “ They don’t care.”