School cyber teams go back to the drawing board
School IT leaders are revisiting their cybersecurity strategies after trying — and sometimes failing — to fend off a wave of ransomware attacks this past school year.
- So far in 2023, at least 120 schools have faced a ransomware attack, compared to 188 in all of 2022, according to figures compiled by Recorded Future's Allan Liska.
- Ransomware attacks come at a high cost to schools: The Little Rock School District in Arkansas paid almost $692,000 to respond to a 2022 attack, according to records recently obtained by the Arkansas Democrat-Gazette.
The big picture: Getting approval for larger cybersecurity budgets can take years, yet IT leaders can't afford to wait that long to protect their networks.
- Some IT leaders have started networking across their districts to brainstorm ways they can beef up their cybersecurity with the limited resources they have.
- And cyber insurers have also put pressure on schools by implementing new baseline requirements to obtain a policy, experts told Axios.
What they're saying: "I always think I'm next, which is probably true," Alex Townsend, director of technology for Eden Prairie Schools in Minnesota, told Axios. "There is no such thing as safety anymore."
- "We do the best that we can until we know better, and then we do better," he added.
Zoom in: At Eden Prairie Schools, 23 employees are on Townsend's team overseeing the IT and cybersecurity needs for the district of roughly 8,600 students.
- His district has also outsourced its security operations center to cybersecurity company Arctic Wolf. Doing this ensures that someone is monitoring the district's networks 24/7, including during the weekend and in the evening.
- Townsend told Axios that his district has also passed "multiple tech levies" in recent years, noting that the school board and voters continue to make tech and cyber funds a priority.
- "We are super fortunate," Townsend said. "I don't think that's true of every school district, specifically in the state of Minnesota and across the country, where passing a tech levy is really difficult stuff."
Between the lines: Across school districts, revised cybersecurity strategies include new employee trainings on best security practices, a review of what applications teachers and students can use, and requirements for multifactor authentication to log in to their accounts.
- For instance, the Cedarburg School District in Wisconsin is spending the summer installing a new firewall and upgrading the internet at one school, among other IT improvements, Kirstin Collins, the district's director of technology, said during a webinar hosted by ManagedMethods last week.
- Britton Smith, director of information technology at the Rosedale Union School District in California, said during the same webinar that his district is preparing to start running simulated cyberattacks on its networks next year after piloting a few cyber vendors.
Yes, but: Districts like these aren't the norm, Doug Levin, national director of the K12 Security Information eXchange, told Axios.
- Contracts for off-site security operations centers are pricey and hard to get, and convincing superintendents to prioritize cybersecurity continues to be difficult, Levin said.
- "We still struggle with the gap between education leaders and IT practitioners who are charged with those responsibilities," he said. "That gap is still creating an unnecessary drag on our defensive postures."
What's next: The Biden administration is eyeing new cybersecurity regulations for the education sector, Anne Neuberger, deputy national security adviser for cyber and emerging tech, said during an event last week.