As cybercriminals grow more sophisticated, school districts ramp up system security


On Board Online • February 24, 2025

By Sara Foss
Special Correspondent

When Mattituck-Cutchogue Union Free School District on Long Island was hit by a ransomware attack in 2022, the response was swift. The district's director of technology had prepared staff for just such a moment, and staff knew what to do. Upon receiving a suspicious email, an employee immediately unplugged her computer.

That quick reaction didn't prevent the attack or the damage that ensued.

"Stolen data included names, phone numbers and addresses of certain individuals," said Shawn Petretti, superintendent of schools. "It did not include student data."

He added: "We didn't have to pay any ransom because we used all of our healthy backups."

But that was a lot of work. The district rebuilt its technology systems from the ground up, installed a more aggressive antivirus software program and tapped an outside company to provide 24-7 monitoring of its systems in the process.

"As bad actors continue to evolve, we need to evolve as well," said Petretti, noting that the district regularly receives phishing emails from would-be attackers.

Ransomware is a type of malicious software - or malware - that prevents users from accessing computer files, systems or networks and demands a ransom for their return. Ransomware can be downloaded onto a computer by opening an email attachment, clicking an ad, following a link or visiting a website infected with malware. Once the code is loaded on a computer, it will lock access to the computer or data and files stored there. More dangerous versions can encrypt files and folders on local drives, attached drives and networked computers.

Ransomware attacks have been on the upswing in recent years. Districts are fortifying their defenses with the help of resources at the state and regional levels, but challenges remain. Hackers are increasingly sophisticated, and constant vigilance is required.

"It is imperative that school districts make sure they have adopted a data privacy policy, which addresses cyber security framework requirements," said Jessica Goldstein, NYSSBA's deputy director of policy services.

Between 2016 and 2022, at least 1,600 cybersecurity-related incidents were reported by school districts, according to K12 Security Information Exchange (K12 Six), a non-profit organization focused on protecting schools from cybersecurity threats.

The average ransom demand for educational institutions has been about $847,000, according to an analysis by Comparitech, a cybersecurity and online privacy product review website.

Ransomware attacks are often carried out by criminal gangs in foreign countries, said Sanjay Goel, director of research at the New York State Center for Information Forensics and Assurance at the University at Albany. They target troves of information that include student and teacher records, medical records and social security numbers.

"All of this has made schools ripe targets for ransomware attacks," Goel said. "There are small schools all over the place, and they don't have the resources to protect themselves."

The New York State Education Department's Chief Privacy Officer releases an annual report on data privacy and security. In 2023, the Privacy Office received 23 data incident reports related to phishing emails, while the state's educational agencies suffered approximately 40 cyberattacks. "Data shows that many cyberattacks occur just before the new school year begins and during school breaks," the report states.

Cybersecurity experts outlined steps districts should take to protect themselves from ransomware attacks and other cybersecurity-related incidents. These include:

  • Patch known vulnerabilities on all systems, with an emphasis on systems that house sensitive data.
  • Ensure that backups for critical systems are in place; audit backups for functionality.
  • Make sure antivirus software is installed and up to date and the computer firewall is turned on; close unnecessary ports and disable non-essential services.
  • Train school staff to recognize and respond to suspicious activity such as phishing emails and adopt protocols that outline what to do in the event of a cybersecurity attack.

In New York, a network of Regional Information Centers (RICs) supports school districts in their efforts to prevent and respond to cybersecurity attacks.

"In the areas of data privacy and security, the RICs provide leadership and technical support," said Darlene Roces, director of the Suffolk Regional Information Center.

There are 12 RICs statewide; one RIC typically serves several BOCES districts in its region. The RICs have partnerships with the State Education Department and state and federal cybersecurity experts, including the FBI, the Department of Homeland Security and the New York State Police.

"Schools have done a lot of work around implementing the best practices and protocols," said Elizabeth Freas, assistant superintendent at the Western New York Regional Information Center/Technology Services.

One key role of the RICs involves managing, monitoring and evaluating the relationships districts have with the third-party vendors that manage their data. If a vendor experiences a cybersecurity breach, "we're left - the RICs, the BOCES, the districts - to clean it up," Freas said.

In December, PowerSchool, a popular software system used by many New York districts to manage registration, attendance and more, was hit by a data breach that resulted in the theft of student and staff personal information. Freas said her RIC supports about 100 districts, and that the PowerSchool breach impacted at least 38.

In 2020, SED adopted a regulation requiring educational agencies to adopt policies on data security and privacy that align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which provides guidance on how to manage cybersecurity risks.

Williamsville Central School District in western New York has been following the NIST framework as it works to reduce the risk of cyberattacks. One of the district's first steps was setting up multi-factor authentication for any system with sensitive student data. MFA is a security system that requires users to provide multiple forms of identification to access an account.

"You want to run scans against the entire system, see where the risks are and develop a remediation plan," said Chris Siniscalchi, the district's director of technology. Training staff is also important, as the vast majority of cybersecurity threats come from email.

Williamsville has not experienced a serious cybersecurity attack, but the district knows that intrusions are on the rise and prides itself on being prepared. "We didn't really need a breach to jump into this," Siniscalchi said. "We knew we needed to put the time and effort into this. You've got to be always on it, proactive and ready to evolve."



