The recent ransomware attack targeting Los Angeles Unified School District is another frightening reminder school districts are especially vulnerable to hackers and must continuously assess all of the individual systems interfacing with district data.

The attack placed the information of more than 600,000 students and 50,000 employees at risk and was the latest in a series of cyber breaches in the education sector. In May, the Chicago public school system suffered a massive data breach, and, in January, Albuquerque, New Mexico schools closed for two days after a ransomware extortion attack.

Cyberattacks in December and January on Illuminate Education, a California-based company providing grade and attendance software, exposed private information from both the New York and Los Angeles school districts, as well as other districts across the country.

Details are scarce about the LA attack, as well as what information is at risk. The attack is believed to have originated in a foreign country.

The FBI and Department of Homeland Security are investigating the LA district’s attack. In an advisory to school districts in 2021, the FBI recommended increased training for employees to monitor suspicious activity.

School Districts are Easy Targets for Cyberattacks

School districts are particularly vulnerable to hackers because they operate with limited budgets and students and teachers use unapproved apps without firewalls while accessing information from individual, unsecured devices. Districts also share information with a multitude of vendors.

2020 Nationwide Cybersecurity Review measures maturity of a government’s information security programs and ranks them among peer government agencies. Entities are rated on their ability to identify, protect, detect, respond and recover regarding cybersecurity threats. The report scores each entity in each category on a 7-point scale. The minimum recommended maturity level is 5, corresponding to the government having documented policies and procedures for cybersecurity, as well implementation in process.

K-12 school districts scored the lowest among 19 peer local government groups, including cities, counties, public utilities, port and airport authorities, etc. K-12 schools scored 3.45 overall. The peer group average overall score was 3.8.

The top five security concerns for all groups were:

  • Lack of sufficient funding
  • Increasing sophistication of threats
  • Emerging technologies
  • Lack of documented processes
  • Inadequate availability of cybersecurity professionals

Cybersecurity Must Be a Priority for School Districts

Districts must be vigilant about continuously assessing their systems and determining where information can be lost or stolen. Breaches happen not because the overall security program is defective, but because one vulnerable system is exposed, providing a small hole for hackers to gain entrance. It is important all systems are individually assessed to ensure all required controls are in place and functioning as expected.

Many school districts do not have the experience on staff to handle highly sophisticated cyberattacks. Harris Beach has an experienced legal team monitoring the industry, regulation and threats, and provides a full range of data privacy and cybersecurity services – from compliance counseling and legal risk assessments to defense in litigation and regulatory investigations, as well as advisement on following the National Institute of Standards and Technology protocols. Harris Beach even offers a rapid response team in the event of a breach.

Harris Beach goes beyond the law and offers technical support, including compliance tools that support risk management. Caetor.io, a wholly-owned subsidiary of Harris Beach, offers a first-of-its-kind solution: software that integrates the law. Not only does it incorporate industry-standard security frameworks to ensure your policies meet or exceed regulatory requirements, it distills cybersecurity regulations into detailed controls to deliver policies that fit your risk tolerance and compliance requirements. This reduces dependency on legal counsel to provide regulatory mapping and cybersecurity compliance policies.

For more information on how your school district can protect itself against cyberthreats and stay in compliance with regulations, contact Harris Beach attorney Alan M. Winchester at (212) 313-5403 or awinchester@harrisbeach.com.