Best Practices for Protecting Your K–12 School from Cybersecurity Threats

Malicious cyber activity is on the rise worldwide. In private K–12 schools, foreign cybercriminals, school vendors, employees, and even students have perpetrated recent cyberattacks. While protective technology is imperative, cybersecurity is primarily a people problem. Your school may have the best firewalls and technical protections in place, but attackers can get into your system if one employee makes one mistake.

Blackbaud takes cybersecurity very seriously, and the protection of our customers is paramount. Here we offer information and best practices to keep cybersecurity at the forefront of your school operations.

Most Common Threats to K–12 Cybersecurity

  • Business email compromise(BEC) typically occurs when an employee clicks on a phishing email and, by doing so, unknowingly provides access. The malicious actor then looks for vendor invoices that are being paid and invoices that the school is sending out and attempts to misdirect payments. They will interrupt the chain of legitimate business activity and direct payments to different accounts. Usually, by the time the error is discovered, the funds are gone. In addition to the financial impact, BEC may also have legal implications. People store a lot of personally identifiable information in their email inboxes. Depending on your school’s location and the data involved, you may be legally obligated to notify affected individuals and regulatory bodies of the data breach.
    • Use a secure portal instead of email for invoices and other confidential or financial interactions whenever possible.
  • Ransomware attacks happen when a malicious actor gets control of your files and encrypts them. If they get onto one computer, they can spread the ransomware across all computers on the network, your servers, and your backups. This can mean your entire school is shut down without phones, computers, email, etc. They then demand payment to decrypt your data and threaten to post your private data publicly if their demands are not met. The financial impact can be in the millions of dollars, and the damage to your school’s reputation can be significant.
    • In ransomware cases, it is critical to hire a third-party intermediary to communicate with the cybercriminals and not attempt to work with them directly.
  • Software vendors have access to a great deal of your information. Make sure you choose partners with industry data security standards and certifications. Financial software should have SOC1 Type 2 controls and meet Payment Card Industry Data Security Standards (PCI DSS). Systems that hold student information should be HIPAA, LTI (Learning Tools Interoperability), and OneRoster 1.1 compliant. Review software vendor agreements carefully.

K–12 schools are often low-hanging fruit for cybercriminals. As a whole, the industry is not spending the money and devoting the necessary resources required to mitigate risks. Schools tend to take a reactive vs. proactive posture, focusing on cybersecurity only after an incident has occurred. Here are some best practices to be proactive and reduce your school’s risk of cyberattacks.

Cybersecurity Best Practices for Your School

  1. Restrict Access: Your school software systems contain a great deal of sensitive data, from names, addresses, and contact information to credit card transactions and social security numbers. To protect your data, choose software solutions that allow role-segmented access levels. Each user’s login should only give them access to the information they need to do their job. For example, an accounts payable clerk shouldn’t have the same access as the Controller, and a helpdesk technician shouldn’t have the same access as the IT director.
  2. Enable Multifactor Authentication: Ensure your school software uses multifactor authentication (MFA), which requires more than one way for users to identify themselves. For example, after entering their unique password in the system, a user may need to approve the login through a mobile app. Use MFA everywhere it is available in your school’s tech stack.
  3. Implement Single Sign-On: Ideally, most of your software solutions should be integrated to allow single sign-on (SSO). SSO gives each user one set of login credentials for multiple systems, increasing access management security and providing a secure, streamlined experience for faculty, staff, and families.
  4. Train Your Staff to be Security Aware: People are your first line of defense from cyber threats that could impact your school. Studies show that 85% of data breaches are caused by human error. Ensure your staff understands the threat landscape and how to protect themselves and your school from a breach. We recommend annual security training and education about phishing, vishing, and smishing threats—see below.
  5. Beware of Unsolicited Communications: If you or a staff member receives an email, phone call, or text message that feels odd, it probably is. Even if the origin of the contact seems authentic—a colleague or friend, your bank, or a trusted vendor—do not engage until you can validate it. Beware if the message includes poor grammar or spelling or if they ask for confidential information. Ensure your faculty and staff are aware of the various types of malicious behavior:
  • Phishing is a specific form of email deception and is the most common form of online crime. The world of phishing has matured significantly since the days of email solicitations from far-off princes. Phishing emails may replicate authentic brands, use seemingly legitimate URLs, and may not include outright requests for money. Teach your team to review unexpected emails carefully, not to click links or attachments, and to check the sender’s email address for errors. They may need to contact the sender by phone to verify that the email is legitimate.
  • Vishing uses phone calls or voicemails for a similar art of deception. One common tactic is to pose as your bank telling you there’s been fraudulent activity on your account—that gets your attention, right? Then they may ask you to verify yourself before reviewing the activity by providing an account number or social security number. That’s all a malicious actor needs to compromise your data. Never provide confidential information over the phone.
  • Smishing uses SMS—Short Messaging Service, commonly known as texting—to conduct fraudulent activity. The same rules apply to smishing as they do to phishing. Block and delete.
  1. Do Not Reuse or Share Passwords: Savvy cyberattacks include credential mining and stuffing—stealing usernames and passwords from one location and then attempting to use them for other systems. Never use your work email address for non-work purposes like banking, shopping, contests, or other online logins. Keep work and personal accounts separate. Ensure your passwords are unique, long, and complex. It takes only minutes to crack an 8-character all-lowercase password. If you make it 12 characters, it takes weeks. If you add one uppercase letter or an unusual character, it can take five years. Change passwords regularly.
  2. Lock Your Devices: Do not share your logins with coworkers, and do not give anyone the opportunity to use your computer surreptitiously. Log out of software when you aren’t using it. Lock your computer screen when you leave your desk and set it to lock automatically after a brief period of inactivity. Keep your smartphone locked at work and home, and do not share your passcode. All it takes is a child accidentally clicking on a phishing link on your phone to infect it.
  3. Review Your Cyber Insurance: Cyber Insurance is more important than ever. Insurance companies have tightened policies to mitigate their losses as claims have risen with ransomware payouts. Policies vary widely. Some have sub-limits or exclusions for ransomware attacks in the fine print, and schools only find that out when they need coverage the most.
  • Work with a broker specializing in cyber insurance who will shop around to look at different carriers and policies.
  • Use the cyber insurance application as a guide. If they ask about mitigation strategies, ensure your school has taken those. Do a proactive risk assessment.
  1. Update and Implement Security Policies: Policies are critical to shaping a security culture within your school. Work with your IT director and software providers to set clear expectations of security best practices that are easily digestible to your faculty and staff. Include everything from password complexity to data management and training requirements. Ensure that any policies you implement are measurable and enforceable.

To learn more about specific K–12 cyber risks and mitigation strategies, check out this session recorded during Blackbaud’s 2022 K–12 Conference: Cyber Risk Management for the K–12 Business Office.

For more information on Blackbaud’s Global Trust & Security Program, please visit our website at www.blackbaud.com/security.

Other Cybersecurity Resources 

The U.S. Cybersecurity Infrastructure & Security Agency has developed a program entitled “Shields Up” to assist organizations with mitigating potential cybersecurity threats. This program continually releases updates on industry guidance to ensure appropriate protections and responses in the event of an incident. Please reference the below resources for valuable information on mitigating risk and creating a cybersecurity program within your school: