IBM on Thursday announced it plans to distribute $3 million worth of in-kind grants to public school districts around the country in an effort to help the education sector defend itself from the ongoing scourge of ransomware attacks.
The announcement of the new program, which will be parceled out among six school systems that the company will choose later this spring, comes as the ransomware threat against schools only worsens, including an estimate from the FBI and Department of Homeland Security that 57% of all ransomware attacks reported last August and September targeted K-12 organizations.
Each IBM grant will be used to send teams of six to 10 employees to the winning districts to help them develop incident response plans and implement basic cybersecurity training like online hygiene and password management. Applications for the grants, IBM said, will be open until March 1.
During a briefing Wednesday, Christopher Scott, the director of security innovation in the office of IBM’s chief information security officer, concurred with other industry experts’ findings that ransomware actors are feasting on the online learning environments many schools have had to adapt in response to the COVID-19 pandemic.
“Stay-at-home orders, and the switch to remote learning, have changed the focus for cybercriminals looking for easy targets as everyone from kindergartners to college professors have adopted remote technologies,” he said.
‘A different time’
While public-sector ransomware victims do not pay off hackers as often or as lucratively as private-sector targets, the fact that some do — the school system in Yazoo County, Mississippi, paid a $300,000 bounty last October — only encourages more attacks against K-12 organizations, said Herb Stapleton, a section chief in the FBI’s cyber division.
“As long as actors continue to profit, they will continue to propagate those campaigns,” he said.
Stapleton also said ransomware has reached a point where school administrators can’t shrug it off.
“Schools have to rethink cybersecurity the way they’ve rethought physical security,” he said.
Accomplishing that, Stapleton said, should include schools incorporating cybersecurity into their conversations with law enforcement organizations like the FBI. But improving the security of networks being accessed by diverse populations of teachers, students and staff also requires resources that many school districts lacked even before the pandemic.
“We have to look at how we’re funding things and set aside resources,” said Jeff Pelzel, superintendent of Newhall School District in Valencia, California, which suffered a ransomware attack last September that interrupted its virtual classrooms. Similar incidents occurred in Hartford, Connecticut, and Baltimore County, Maryland, among other places.
“They’re just diversifying what they’re looking for,” he said. “In this era of remote learning, we’re more susceptible because everything is done through email, through Zoom. We’re in a different time right now.”
Struggling for support
But many school systems have not adapted their cybersecurity resources and training for the age of online classes. According to a survey of 1,000 K-12 and college educators accompanying IBM’s grant announcement, 59% said they have not received new cybersecurity initiatives or training for remote learning, while 54% said they had no basic cybersecurity training. In a broader survey that also included 200 school administrators, 59% said they are using their personal computers and mobile phones for remote instruction, rather than institution-issued devices.
Furthermore, teachers have been struggling to get tech support from their schools during the pandemic. Just over 60% of K-12 educators said they were getting either limited IT support or none at all, according to the survey, which was conducted for IBM by the research firm Morning Consult.
While IBM’s new grant program will benefit six school districts, there have been other recent efforts to raise the urgency of ransomware targeting schools. The Cybersecurity and Infrastructure Security Agency last month announced a new public campaign focusing on its resources designed to help local governments, K-12 systems and health care organizations, while some members of Congress have urged greater funding to help schools improve their IT security.
Stapelton, the FBI agent, said there are lower-cost ways for schools to begin making improvements.
“You can’t boil the ocean, especially with limited funds,” he said. “If the most likely way you’re going to get attacked is through a remote connection or phishing email, don’t spend your money on some sophisticated activity you’re never going to face.”
Pelzel put it more bluntly: “Two-factor authentication is a simple step. It basically costs no money.”