Current Cybersecurity Challenges in Schools
All it takes is somebody opening up an attachment for cybercriminals to infiltrate a school’s data system. And it’s not just educational data at risk of being exposed. Schools collect and store vast amounts of sensitive information about students, employees, and alumni: grades, student behavior notes like suspensions, social security numbers, physical addresses, contact information, health data like allergies, alumni records, and donations. That is why implementing standardized ways of detecting and communicating educational systems’ vulnerabilities is so essential.
Every year, schools across the United States face constant cyber threats like phishing, ransomware, and denial-of-service attacks. The cascading impacts of these attacks are vast. Schools and school districts must address the financial losses of replacing computer hardware and removing students’ data, and the disruptions may cost students lost time learning in the classroom. Moreover, it’s much harder to detect when children’s identity is stolen because parents do not monitor their children’s credit, allowing cybercriminals to exploit their data by setting up loans and bank accounts for years to come.
Schools face unique challenges in protecting their cybersecurity infrastructure. “Humans are considered the weakest link” is a common adage in cybersecurity circles. As more educational activities transition online, there is a greater chance that students, parents, or staff may accidentally click on malicious links or use weak passwords. Moreover, schools frequently rely on multiple third-party educational vendors who process students’ personal information. This reliance contributes to more significant risks of phishing attacks, where cybercriminals use social engineering tactics to access sensitive information or install malware. For example, they may craft an email masquerading as a job offer from a professor or an email asking students to input login credentials to access a service. From 2005 to 2021, there were 2,691 data breaches in U.S. K-12 districts and colleges. Educators fear these numbers will rise since cybercriminals’ messaging tactics have become more sophisticated with artificial intelligence; this risk is why more schools’ IT departments are running fake phishing tests to educate community members and assess the community’s vulnerabilities.
Another challenge schools face is that their technology may not be as up-to-date since they have relatively low IT budgets compared to large corporations or federal government agencies. Cybercriminals exploit these vulnerabilities by targeting schools with ransomware, a form of malware designed to encrypt files on a device and block access to computers or data systems. Cybercriminals then demand ransom in exchange for decryption. According to anit-malware company Emsisoft, in 2021, 62 districts and 26 colleges and universities were impacted by ransomware attacks. In 2022, 45 school districts, as were 44 colleges and universities, were affected. Unfortunately, The rates of attacks continue to rise, prompting the White House and the U.S. Department of Education to launch a “government coordinating council” that will facilitate formal collaboration among all government and school districts to help strengthen schools’ cybersecurity.
Importance of Reporting Schools’ Vulnerability
Schools can strengthen their security defenses by making it easier for researchers and ethical hackers—also known as “white hat” hackers—to report vulnerabilities. This approach mirrors social media platforms’ reporting features, which allow users to help moderate harmful content through crowdsourcing. The more people monitoring the system, the more secure it becomes.
To report a problem for school websites, you first need to know who to report it to. Timing is everything to addressing cybersecurity vulnerabilities and attacks; without a streamlined process, security researchers may need multiple emails and phone calls to the organization, delaying the notification process.
Security.txt File’s Role in Disclosure Process
Fortunately, there is a consistent reporting method that can be added to a school or EDTech vendor’s website. The security.txt file concisely advertises an organization’s vulnerability disclosure process. The security.txt files sets clear guidelines for researchers on how to report security issues. For example, it provides contact information for entities to report security vulnerabilities, such as an email, phone number, or a web page.
However, adoption of the security.txt is alarmingly low- not just for schools but across the board. Researchers at Carleton University discovered that only about half of a percent of the world’s top one million websites publish a security.txt file. United Kingdom government banks possess the highest adoption rate, and large tech companies, including Dropbox, Meta, and Microsoft, are following suit. There is a tremendous opportunity for schools to take advantage of this stand. Only nine (0.06%) U.S. K-12 School Districts and 15 Higher Education institutions (0.65%) possess a valid security file. Organizations that are part of the Future of Privacy Forum’s Student Privacy Pledge represent a slightly higher rate, with 4.68%.
| List/Sector | Count | Valid Security.txt | Percent |
|---|---|---|---|
| U.S. Government Websites | 979 | 12 | 1.23% |
| Fortune 500 | 500 | 31 | 6.20% |
| Student Privacy Pledge | 440 | 18 | 4.09% |
| Common Sense Media Education Privacy Ratings | 1133 | 53 | 4.68% |
| US Higher Education | 2298 | 15 | 0.65% |
| S & P 500 | 500 | 19 | 3.80% |
| K12 School Districts | 15348 | 9 | 0.06% |
| Hospitals | 2282 | 12 | 0.53% |
| UK Banks | 21 | 5 | 23.81% |
| Clever EDTech list | 1191 | 34 | 2.85% |
Spread the Word about Security.txt
The premise of the security.txt file is simple: make it easy for cybersecurity researchers to notify an organization of their security vulnerabilities. We encourage all organizations to adopt this measure, especially K12 School Districts and universities, which already experience many security risks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends that all schools implement the “security.txt” standard to streamline the notification process and mitigate cyber threat risks. For more information about steps your school can take to enhance your cybersecurity, visit the CISA’s K-12 Cybersecurity Report and Toolkit.
