Why Hackers Target K-12 Schools

According to a 2022 EdTech Leadership Survey Report, cybersecurity is the top concern of school IT personnel, yet only 8% of IT leaders considered their district to be at high risk. Why the disconnect? Perhaps schools seem still seem like unlikely targets for hackers? After all, compared to financial institutions and corporations, K-12 schools may seem to offer hackers limited rewards.

But, in fact, schools don’t just contain a wealth of personal data about both students and staff: K-12 schools are backed by state and local governments which may pay up rather than let highly sensitive data be made public or lose the ability to access email, networks, or files.

Robust cybersecurity practices and systems can help protect your network. Understanding the nature of the threat is the first step toward keeping your district’s data—along with your students and staff—safe.

Since 2016, there have been 775 publicly disclosed occurrences of cybercrime against schools, with 408 in 2020 alone. That was more than twice the number reported the year before, and experts note that these numbers represent only cases that were made known. Many more attacks against school networks have likely occurred, hidden from the public eye.

Widespread changes in education due to the COVID-19 pandemic may be partly to blame. Distance learning opened many more access points for potential attacks, as students, teachers, and administrators logged on from devices at multiple off-site locations and networks.

But many of those changes—such as greater adoption of 1-to-1 devices, widespread use of new software and apps, and increased pressure on small school IT staffs—look to be here to stay even as students have returned to in-person schooling. It is therefore a perfect time for districts to improve their cybersecurity strategies.

While schools may not have the financial resources of larger institutions, their networks contain a wealth of sensitive personal information for both teachers and students, such as names, addresses, and social security numbers. Emails addresses ending in “edu” are also especially appealing to hackers because these are useful in future attacks on other locations.

But one of the main reasons K-12 schools are popular targets for hackers is simple: they’re easy marks. Most schools have limited security protections. School IT departments are often small, and teams are often stretched thin with the normal day-to-day functioning of a large, complex network of users and visitors.

With the proliferation of devices to support remote learning, IT teams’ management functions became still more intense. Worse, many schools don’t offer cybersecurity training for teachers and staff, and many school IT departments have no one dedicated solely to cybersecurity. These conditions make it more likely that an overworked teacher will click on a phishing link from a hacker without realizing the risk.

K-12 networks can also be overloaded with programs that haven’t passed through security protocols. This risk is often intensified because IT department backlogs of updates and patches hinder a team’s ability to recognize and block threats.

The pandemic also posed a threat to cybersecurity through the proliferation of new software and apps that aid in teaching. Many programs were offered for free and directly to teachers, who may have downloaded them outside the purview of their school’s normal IT operating procedures. Similarly, it was all too easy for students to bring unvetted apps onto the network via their own devices during lockdown (and personal devices remain an easy entry point for dangerous malware). Those programs may remain on school and student devices—allowing hackers entry into your network.

Your district needs to assume hackers will continue to grow more sophisticated in their methods to exploit weaknesses in your networks. Knowing the risks and how best to protect your students and staff—and what to do in case of an attack—has never been more important.