Independent school districts (ISDs) are the perfect target for cybercriminals because their networks are typically poorly secured. Many schools have inadequate security practices due to the lack of education, training, or funding. ISDs are publicly funded primary and secondary educational institutions, including elementary, middle, and high schools.
A study by Microsoft Security Intelligence found that 61% of malware attacks occur in the education sector, making it the most heavily affected industry by a large margin. As school districts continue to transition into a digital learning environment with a heavy reliance on technology after the COVID-19 pandemic, they must learn the best practices to prevent data breaches and cyber attacks from happening.
Why Are Independent School Districts (ISDs) Being Targeted?
ISDs are easy targets for cybercriminals and hackers because there is currently no federal law requiring districts to protect their data or report data breaches. FERPA (the Family Educational Rights and Privacy Act) does not require schools to notify students or parents of a data breach if their information was stolen.
Many public schools also operate with minimal funding, meaning cybersecurity is often the first area to be cut so that spending can instead focus on staffing, resources, and events. In many cases, schools don't employ an IT professional or team to oversee network security.
School systems often hold large amounts of sensitive data in their computer systems like:
- Student data
- Parent and guardian contact information
- Employee and staff records
- Healthcare data
- Proposed plans
Anyone who gets their hands on important school district information or personally identifiable information (PII) of students could hold the data for ransom, sell it directly to third parties, or post it on the dark web. Students can also become victims of child identity theft if sensitive information like Social Security numbers (SSN), dates of birth, and addresses are leaked.
The most common types of cyber attacks that affect ISDs are:
How Can Independent School Districts (ISDs) Prevent Data Breaches?
Most cyber attacks begin with poor security training and human error. Unfortunately, this issue persists throughout the country, and many school districts lack the security framework to deal with these attacks. By taking the following actions, ISDs can mitigate their risk of a data breach and prevent threat actors from stealing personal data.
1. Establish a Cybersecurity Training Program
The first step to any strong security plan is to educate teaching staff, district employees, and even students about safe data security practices. By learning different attack vectors and vulnerabilities, each endpoint user can help strengthen the overall cybersecurity of their school district.
A training program can include:
- Recognizing phishing scams
- Practicing safe web surfing
- Creating strong passwords
- Using only secure Wi-Fi networks
- Keeping all systems and applications updated
- Setting up firewalls or VPNs
The state of Texas implemented one early example of a successful training program in 2019. After a record number of cyber attacks and data breaches the previous school year, the Texas legislature required ISD employees to complete an annual cybersecurity training program certified by the state's Department of Information Resources.
In addition, each school district is required to hire a designated cybersecurity coordinator to manage and report all cyber incidents. The coordinator must oversee the entire district's security plan and report any cyber incidents to law enforcement.
2. Perform a Cyber Risk Assessment
Before implementing any cybersecurity policy, your school board needs to perform a cyber risk assessment to identify all vulnerabilities and potential cyber threats within the school's security and network infrastructure. Risk assessments should be performed annually to keep systems updated and protected against the changing cyber threat landscape.
Some questions that should be brought up during the process include:
- What are the internal and external vulnerabilities?
- What is the impact if those vulnerabilities are exploited?
- How likely are those vulnerabilities to be exploited?
- Which sets of data are our most important assets?
- Which functions, if impacted, directly affect the school's ability to function or operate?
3. Create a Cybersecurity Incident Response Plan
Should a data breach occur, it's important to have a cybersecurity incident response plan ready. An incident response plan helps outline a specific set of instructions in the event of an attack. Once a security plan is set in place, the district should incorporate it into the onboarding and training process to ensure all involved staff and employees know the exact steps to take.
Because there isn't just one form of cyber attack, schools should implement multiple incident response plans to address different mitigation actions. For example, implementing data loss protection (DLP) solutions can provide real-time remediation, traffic monitoring, and incident reporting.
4. Upgrade Legacy Systems & Technology
Many K-12 schools still use outdated hardware and software with limited functions and increased security risks. Because many ISDs are underfunded, they have no option but to use old computers and operating systems (OS). However, this presents major security risks should a bad actor decide to attack the school networks and steal school district data.
School boards need to find a way to prioritize spending on technology, not only to provide stronger cybersecurity solutions but also to let students work more efficiently. Although many schools upgraded their systems during the pandemic, there are still schools falling behind the curve.
5. Implement Best Security Practices
Poor security practices can still put the entire school computer network at risk even with strong security protocols, a cybersecurity training program, and an incident response plan.
- Layered network security - A school district's network should have multiple layers of security to prevent easy access to different data sets. A flat network allows hackers to roam freely within the system once they're in, making it nearly impossible to detect or stop before it's too late.
- 2FA or MFA Authentication - One of the easiest ways to improve security is to require two-factor or multi-factor authentication for user accounts. Authentication processes require users to verify their identity before accessing any data and can filter out unauthorized users.
- Antivirus or anti-malware software - Antivirus software is often the first line of defense when detecting and removing malicious programs. With young students surfing the internet freely, antivirus software can help protect their browsing practices.
- Data backups - When it comes to important data like student information, it is good practice to back up data consistently. By having multiple data backups, if the network or servers become compromised, schools can wipe the server clean and reboot from a backup source to continue operating and not risk losing everything.
Notable ISD Data Breaches
- In 2021, a major data breach at Dallas Independent School District exposed employees’ SSNs and personal information. Personal data from over 230 schools and 145,000 students was compromised, which led to the resignation of the Dallas ISD CISO.
- In March of 2022, information from over 820,000 current and former students in the New York City area was exposed due to a compromised third-party vendor. The vendor, Illuminate Education, failed to put any security measures into place, providing an easy attack vector for hackers.
- Because Illuminate Education also worked with Chicago and Los Angeles school districts, by June of 2022, schools from these two school districts were also affected by data breaches. Los Angeles, New York, and Chicago are the country's three largest ISDs.