Cyber Crime: A Growing Risk for Independent Schools
On New Year’s Eve, I was headed out for a quiet dinner when I checked my email and noticed 600 messages on my email app. Immediately, I knew there was a serious problem—someone was attempting to hack my account. I was no stranger to hacking as these attempts had become a daily occurrence over the past few years, but nothing of this magnitude. Soon, I heard from our senior IT director that he was defending an attack on our network. We survived that attack thanks to his diligence, the implementation of numerous network safeguards, our use of two-factor authentication, and staff education.
The previous year, our book vendor had undergone a ransomware attack. That prompted us to engage in a cybersecurity risk assessment to ensure that we were aware of risks and prepared to deal with them. The assessment focused on “the three most important factors in determining information risk”:
- an evaluation of natural and man-made threats;
- the existence and operational state of reasonably expected cybersecurity controls; and
- the overall maturity of the IT security program that focuses on the current capabilities of people, processes, and technologies relied on to protect an organization.
Schools should consider conducting cyber risk assessments to focus strategies and resources on their situations. For NAIS, the assessment was crucial in pinpointing work that needed to happen quickly.
Why Education is a Top Target
Nonprofits, like NAIS and its member schools, have become attractive targets for cyber criminals. According to the annual Allianz Risk Barometer, “cyber perils are the biggest concern for companies globally in 2022.” As well-resourced businesses devote more attention to cybersecurity, smaller, less-well-resourced but data-rich environments like schools become the focus for cyber criminals. With concerns about COVID-19 still front and center, along with issues around mental health and learning loss, it is hard to consider making time to focus on cyber risks. But if we don’t, we open our environments to risks that can have long-term consequences.
According to an article in Forbes, “Cybersecurity in 2022—A Fresh Look at Some Very Alarming Stats,” the education/research sector sustained the most cyberattacks in 2021. Of particular concern is the increase in ransomware attacks spawned by the pandemic. According to ISACA, an international professional association focused on information technology governance, ransomware attacks on U.S. educational institutions will not slow down anytime soon. Now is the time for schools to prepare. Among the most important but not costly measures is faculty/staff education. ISACA suggests that every school engage in security awareness training to ensure that everyone knows how to identify phishing emails and suspicious links. Backups of school data at off-site locations also are crucial so that those files are not compromised in the event of an attack.
Ransomware attacks have been so effective in halting an organization’s operations that many pay the ransom as they think they have no other choice. A May 2022 article in MIT Sloan Management Review, “The Ransomware Dilemma,” reported that, in a recent study of 300 companies, “64% revealed that they had experienced a ransomware attack within the previous 12 months, and a staggering 83% of those paid the ransom. On average, only 8% of organizations that paid up recovered all of their data, while 63% got about half of it back.” To ensure organizations are prepared, article authors—all cyber specialists—suggest that there are six questions leaders should ask to guide a strategy to safeguard their data:
- Are you technically prepared? For ransomware attacks, they suggest that understanding the status of backups is step one in preparedness.
- Do you have access to threat intelligence? Researchers who study ransomware strains now post open access resources online.
- Do you have cyber insurance, and what does it cover? Cyber insurance is essential today, but it may not cover all risk areas, particularly ransomware. “Because ransomware attacks currently account for 75% of all cyber insurance claims, several major insurers will no longer cover ransom payments, only the cost of lost business.”
- What is your financial exposure? Schools should calculate how much the potential business fallout and recovery of lost data would cost. Doing so will provide a good understanding of the trade-offs of not investing in information security.
- What are the legal implications of paying a ransom? In September 2021, the U.S. Department of the Treasury issued a reminder that “making or facilitating ransom payments to cybercriminals on which it has imposed sanctions is illegal and can result in criminal prosecution.”
If you are not yet convinced that the potential of a ransomware attack is a real threat, consider a recent advisory from Microsoft. The company notes that just as the gig economy is growing in the U.S. in many sectors, it is also creating a gig economy for cyber criminals to rent or sell their tools/skills for a portion of the profits. This is likely to increase the number of ransomware attacks in the years ahead.
What Is Reasonable for Schools?
In 2018, Jamie Britto, who is now the director of technology at Lakeside School (WA), wrote an Independent School magazine article, “Trend Lines: What Independent Schools Need to Know About Cybersecurity.” He made some key recommendations for schools at that time, including the adoption of two-factor authentication and the creation of a school cybersecurity team. I recently chatted with him to discuss what advice he has for schools today. He underscored that the trends he described in 2018 are still present and will continue to grow in number and sophistication. Given the potential impact of a cyberattack, he suggested that schools need to approach cybersecurity as a risk management issue, not merely a technical one. I asked him where schools, particularly those with minimal resources, should make investments, given the differing levels of resources at schools. He suggested using a three Rs approach: risks, resources, and what’s reasonable for your school.
Conducting a risk assessment is important work for schools. Every school is situated differently, so taking the time to identify potential risks, the likelihood of their occurrence, and the impact on the school and its community is an important first step. This is the foundation for building a strategy. Next, what resources are available? There are many organizations that provide free or low-cost resources. The Association of Technology Leaders in Independent Schools (ATLiS) has many resources customized to our community. Its 2022 ATLiS Cybersecurity Recommendations outline current threats and steps for protecting the school and mitigating the damage should the unimaginable occur. It also outlines state data laws that schools should be aware of. NAIS also offers a legal advisory on cybersecurity worth reviewing as well as other resources.
Finally, what is reasonable for your school? Given that protecting against cyberthreats can be an expensive proposition, every school must decide what is reasonable given the likelihood of a specific type of attack and the potential impact. And don’t forget that most attacks originate with human error, so the least expensive approaches—educating faculty and staff—may be the most important investments.
Sadly, we are moving into an era when the question may not be if a cyberattack will occur, but when. As we have learned from the COVID-19 pandemic, we can’t predict crises, but we can prepare for them and thus mitigate harmful effects.
NAIS President Donna Orem writes Looking Ahead, a monthly email designed to help heads of school make sense of major issues that will affect independent schools in the near future. Each edition includes a PowerPoint that heads can share with staff, faculty, and/or boards of trustees. PowerPoints are available to all NAIS member schools.