Just after the school year commenced, Steve Bradshaw, superintendent of the Columbia Falls, Montana, schools got a menacing text from a number he didn’t recognize. The cyber thug behind the message made a myriad of threats – including physical harm to district students and staff and releasing their personal information – unless a ransom was paid in Bitcoin. The community was thrust into a panic, and the district closed its 30 schools for three days.  Was this response warranted or appropriate?


Until recently, cyber attackers mostly targeted businesses and nonprofits large and small. But this celebrated case, which was eventually solved, shows that K-12 schools need much of the same cybersafety practices and policies as enterprises.

In fact, Education Week just reported how there has been a spike in ransomware targeting K-12 schools. 


Why Hackers Target Schools

Schools are compelling targets for cybercriminals because they have lots of data that are valuable on the black market, according to Matthew Gardiner, senior product marketing manager. That includes Social Security Numbers, addresses, medical information and, in some cases, financial information, as well as connections to municipalities and vendors. “There are a lot of people coming through schools and they all have personal information held by the school – even one school can be made up of thousands of people.”


Capitalizing on the human impulse to protect our children and to panic when they are threatened, the attackers chose language specifically designed to frighten recipients into action. And panic is one of a cybercriminals best friends.

“Cybercriminals aren’t above trying to scare you to get paid,” Gardiner adds, “and they’ll do whatever’s necessary.” Whether it is ransoming your data and systems back to you or threatening to dump sensitive communications into the public domain.  Whatever it is you don’t want them to do is what they will threaten to do – and sometimes actually do – to increase a school systems willingness to pay up.


Schools also get targeted because “their networks tend to be quite open in order to facilitate the free flow of information. This can make them somewhat easy to compromise,” notes Jason McNew, CEO of Stronghold Cybersecurity and a former school board director. “To a cybercriminal, this equates to low barrier to entry, with medium returns. If a hacker needs to make a few bucks, it makes sense to target schools.” In addition, most school systems have nowhere near the security sophistication or personnel as a bank or telecommunications company might have.


The takeaway for district administrators? Don’t assume that because you’re a school you’re not at risk from a cyberattack.


How to Be Better Prepared for School Cyber Attacks

School districts need to become as vigilant about cybercrime as they are about cyberbullying and physical threats.

“Even though it’s not mandated by law, schools need to voluntarily create and implement a comprehensive cybersecurity program based on one of the well-known frameworks such as NIST 800 or ISO 27000,” notes McNew, who previously worked for the White House Communications Agency / Camp David and held one of highest security clearances.

Part of that plan must include email. Why? “Email is the dominant attack vector, so if someone’s going to come at you, it’s most likely going to be through email,” Gardiner explains.


  1. Develop a set of district email best practices. While your district or state IT team can be helpful here, it’s best to work with external experts who live and breathe cybersecurity every day.Look for a partner who wants to collaborate with you, rather completely outsourcing the plan.Learn how to prepare for and respond to an email-based attack.
  2. Train students, staff, and teachers on these cybersecurity practices. It’s important to involve everyone who has access to email and other computer applications, from top administrators to teachers’ aides and including students and PTAs. Outside experts like law enforcement or information security consultants are great resources for this training. You can even blend this with the school cyber safety and anti-bullying training. See how to structure your cybersecurity training.
  3. Strengthen defenses with cybersecurity solutions. Use technology to support strong authentication practices, provide antivirus protection and ensure email security as part of your basic security program. Look for a solution with a fraud defense system that blocks and quarantines suspect emails and a detection function that analyzes links and attachments and removes malicious emails in real time when an attack is occurring. Get more details on email security solutions.
  4. Integrate a cybercrime response into your school crisis plan. In addition to the response plan and team you have for physical threats, you need another for cyber threats. First, you need some technical expertise on the cyber team. Second, as we saw in Montana, sometimes the threats of physical violence coincide with a cyber attack – and one team can’t manage both. Read about how to create crisis response and communications plans.


Use this information to address school cyber threats as effectively as you treat physical ones.


Thanks to our partners at Mimecast for sharing this blog post.