On September 13, 2018, the Federal Bureau of Investigation (FBI) released a public service announcement in an effort to increase awareness of the vulnerability of K-12 students to the threat of cyber attacks. According to the FBI, the rapid growth of U.S. schools using educational technologies and digital tools, particularly those connected to networked devices or directly connected to the internet, provide increased opportunities for “cyber-actors to access devices collecting data monitoring children within educational and home environments.” In particular, mobile devices, laptops, and tablets all may be improperly secured and pose additional avenues for exploitation by cybercriminals. The FBI warns that the improper use of sensitive personal data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children.

While the FBI's involvement is certainly welcome, districts across the state have already been working hard to address these exact concerns at the local level. In particular, two of the most popular cyber attack strategies, ransomware attacks and phishing scams, continue to negatively impact school districts statewide.

Ransomware is a type of malware, which once on a device, encrypts the owner’s files and demands a ransom in return for the decryption key. Ransomware is typically expanded through malicious attachments or links sent in emails. 

Phishing scams are typically carried out over email, but may also come from social media or SMS. Attackers will send an email that appears to be from a legitimate source, or from someone the user knows personally, asking users to send along sensitive information or to enter their login credentials on a fake site.

As a reminder, districts should implement the following practices in an effort to minimize any security breach from ransomware and phishing attacks.

1. School districts should have secure email gateways in place to detect and block messages from malicious accounts. Additionally, schools should implement or update firewalls within their networks.
2. Train all staff with access to personally identifying information to protect data confidentiality and preserve system security.
3. Develop an assessment process and checklist followed by the development of a district-wide cybersecurity plan that includes preventative measures and responses for common and known threats.
4. Regularly provide data security to help in creating a culture of security in the district.