In recent years, cyberattacks on K-12 schools have increased. Not only do these attacks disrupt educational instruction and school operations, they also impact students, their families, and teachers. The scale and number of attacks increased during COVID-19 as more schools moved to remote learning and increased their reliance on Cybersecurity. Today’s WatchBlog blog post looks at the growing risks and impacts of cyberattacks in schools, and our work on federal efforts to assist K-12 schools.
For our new report, we spoke with school districts and other stakeholders about the impacts cyberattacks have had on their schools, students, and community. Local and state officials told us that the loss of learning following a cyberattack ranged from 3 days to 3 weeks, and recovery time could take anywhere from 2 to 9 months. The financial impacts on schools can be broad. Officials reported monetary losses to school districts ranging from $50,000 to $1 million due to expenses caused by a cyber incident. These costs included, for example, replacement of computer hardware and enhancing cybersecurity to prevent future attacks.
Cyberattacks can also result in the disclosure and theft of students’ and school employees’ (like teachers’) personal information. Schools and school districts collect and store a lot of personal information about students and employees. In a 2020 report, we found that information compromised as the result of a data breach included things like students’ grades, bullying reports, and social security numbers—leaving students vulnerable to emotional, physical and financial harm.
Individuals carrying out cyberattacks on schools can use several techniques. These include:
There is a national strategy for combatting cyberattacks led by the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). As part of that strategy, the Department of Education (Education) is responsible for coordinating and collaborating K-12 public school cybersecurity efforts with other federal entities—such as the FBI and DHS, as well as state, local and tribal entities.
Education and CISA provide cybersecurity-related products and services to schools, such as online safety guidance. But beyond that, we found that these two federal entities otherwise have little-to-no interaction with other federal partners or the K-12 community regarding cyberattacks. This limits the federal role and ability to help schools.
We recommended that Education and DHS improve its coordination, enhance schools’ awareness of the federal services available to them, and measure the effectiveness of products and services used by schools. Learn more about cyberattacks and cybersecurity and their impact on K-12 schools.