Cyber-Attacks Increasingly Targeting Schools – How to Protect Kids’ and Students’ Data

You wouldn’t think a school could be a prime target of cybercrime. That’s the exact reason why cyber attackers keep on hunting down schools and colleges. They know educational institutions are usually unprepared and don’t uphold tight cyber security measures. Often, schools uncover cyber attackers’ schemes a long time after they’ve been hit.

That’s why cybercrime in education is rising, increasing 20% during 2020 (compared to the previous year). This percentage only covers K-12 schools.

Let’s see the most common types of attacks schools face and how kids and teenagers can protect their data.

Why Schools are More Vulnerable to Cybercrime

2020 was a record-breaking year for cyberattacks overall and cyber threats against schools, especially in the US and the UK.

The pandemic and the high number of kids and students following online classes were the main grounds for the cybercrime escalation. For schools, the priority was coming up with the best solutions to develop a continuous flow of the curriculum and provide students with devices for remote learning, disregarding cybersecurity measures. Sadly, this only enabled attackers to get easier access to students’, parents,’ and teachers’ sensitive data.

surge cyber attacks US schools 2020 GovTech – Report Cyber-Attacks on US Schools in 2020

Additionally, several schools stated they dealt with numerous incidents where unauthorized users accessed online classes or video conference meetings, busting them with hate speech, threats of violence and offensive images or videos. Apart from disruptions in remote learning, students and teachers remain particularly vulnerable due to attacks on personal devices and networks.

Based on cyber security reports, schools from higher-income districts were and still are the most exposed, facing a higher number of threats. The reason is because these schools rely on heavier and more advanced technology for instruction and communication.

Mostly, schools aren’t properly prepared for a cyberattack and aren’t doing enough to protect student data. For example, a 2021 audit of IT security in K-12 schools from Kansas state, USA, showed that half of the school systems didn’t have a response plan in the event of cyber-attack. Furthermore, 28% hadn’t even installed antivirus software on school computers.

In many cases, the high risk of data exposure comes from the lack of specialized IT staff handling and enforcing protective security measures.

Most Common Types of Cyber-Attacks Against Schools

Most schools and universities deal with social engineering attacks, but the pandemic created several new opportunities for cybercriminals.

The most frequent threats schools have faced are:

Phishing attacks

Usually in the form of an email sent to a list of users or a single one, the attackers would include malware or malicious links as attachments that looked like normal documents. This scam was to trick users into handing out confidential information like passwords or network credentials.

69% of UK schools have suffered from phishing attacks since the start of the pandemic.


Ransomware attackers encrypt school’s data files and systems through malware, leaving schools staff and students unable to access them. The attackers then request the educational institution to pay a ransom to regain access. Ransomware attacks on schools proved extremely challenging in the remote learning setting as systems weren’t set up to be patched while they were off the network.

In 2020, ransomware attacks cost US schools $2.73 million, including the costs of downtime, repairs and lost opportunities.

Password attacks

Bad actors try either through brute force or malware and many times succeed in guessing students’ or educators’ passwords. These attacks often come after first finding out a few details about the user and then using that information to figure out the correct password.

The most concerning part about these attacks is that they can lead to identity theft, often left undiscovered for years. For instance, students’ credit isn’t monitored as often as adults’, so it could even take a decade for students’ or kids’ parents to realize there’s a problem.

Denial of Service (DDoS) Attacks

With a DDoS attack, perpetrators disrupt partially or completely students’ and teachers’ access to the school services or equipment. While the school is under attack and struggling to resume normal operations, the attackers take advantage and gain access to the resources. The DDoS attackers’ goal is to steal data, money, and intellectual property.

Some cyberattacks during the pandemic completely shut down schools for many days. However, besides direct financial losses or data theft, any type of cyber-attack damages a school’s or university’s reputation.

Measures to Protect Children’s or Students’ Data

With nearly two years into the pandemic, and the details of remote learning in place, schools need a big shift and address cyber security with more urgency.

The first important step towards minimizing the impact of cybercrimes in schools comes from the US’ CISA (Cybersecurity and Infrastructure Security Agency). The agency proposed legislation to protect K-12 schools against cyber-attacks, which the US government recently approved.

The new bill will help educational institutions ramp up their cybersecurity protections. CISA will help schools examine risks and challenges and come up with the proper solutions.

Here’s another suggestion from Fareedah Shaheed, Online Safety Educator:

Social engineering attacks are some of the most dangerous threats to schools. To combat social engineering threats, schools need to prioritize investing in cybersecurity awareness education for their staff and students.
Fareedah Shaheed | Sekuva

Online Safety Educator, CEO and Founder of Sekuva

Get to know Fareedah Shaheed here.

Digital literacy is also essential, so as a teacher, or a parent, you can start educating kids on how to stay safe online. From simple advice like ‘Don’t share your personal information in emails or text messages’ or ‘Never click on suspicious links or downloads in emails’, to easy-to-apply practices that will help them understand how they can protect sensitive information, such as:

1. Never skip a security update – an important and easy step to prevent malware or other malicious programs.

2. Always use strong passwords – an over stressful pointer, but one that makes a big deal in protecting digital privacy.

3. Enable the 2FA authentication method – adding a second security layer to your credentials makes attackers’ jobs way harder in trying to access files or accounts.

4. Use an antivirus – an efficient tool that helps you stay away from viruses and online threats, including malware, spyware, or ransomware.

Adjusting to all the challenges of online study includes knowing how to deal with the latest digital threats. So, here’s how to make Zoom, Slack, Google, and Microsoft safer, how to prevent Zoombombing and how to easily spot a phishing email.

What do you think is the most important security habit schools need to enforce to become cyber resilient?

Let me know in the comments section below.

Leave a comment

Write a comment

Your email address will not be published. Required fields are marked*