What Cybersecurity Defense Looks Like for School Districts

Schools and libraries around the world are experiencing a surge in the number of cybersecurity threats and attacks. In the United States, 29% of K-12 schools in the Center for Internet Security's network have been victims of a cyberattack, the nonprofit reports.

For this Ask the Experts column, Johnathan Kim, director of technology at the Woodland Hills School District in North Braddock, Penn., sat down with Dark Reading to talk about the importance of implementing cybersecurity measures in school districts, as well as the challenges that public institutions, like schools and libraries, face in creating robust cybersecurity programs.

Dark Reading: Why do cybercriminals attack schools?

Johnathan Kim, director of technology at the Woodland Hills School District: Few schools have a dedicated cybersecurity person, and you are wearing multiple hats every day. In the private world, you have that person where that's your job all day. You know, all you're focused on is cybersecurity. In a school environment, you get a very small window to actually focus on those things. You don't want to let it get away from you because before you know it, it's too late and you can be targeted.

We have 3,700 staff and students and three technology employees. Attackers know this. They know that schools don't have the staffing or the budget to necessarily put in the correct countermeasures, so [we] make for an easy target. And then what they're targeting is right there. They're trying to steal anything financial and trying to get information from the student information system or the business systems with everybody's Social Security numbers, addresses, and all that personal identifiable information.

Dark Reading: How has your school district been impacted by cyber threats?

Kim: Before coming to the school district, I worked at the Navy Cyber Defense Operations Command in Suffolk, Va., so I had a cybersecurity background. One of the reasons I got the job at the Woodland Hills School District is due to the fact that about a year before I started in 2022, they were hit with a cyber attack that got everything. It got their backups, locked them out of all their stuff.

During the pandemic, handing out computer equipment was a huge thing with schools [and], in general, not tracking who had what or who had access to their systems. And during that time is when Woodland Hills did get hit by that cyberattack, and part of the reason is because the proper security protocols were not in place.

Dark Reading: What changes did you make to enhance the district’s cybersecurity when you came on board? What cybersecurity mistakes are common in school environments?

Kim: When I started, they were still recovering from the cyberattack, so one of the first things I did was implement [two-factor authentication]. It's common now, but even two to four years ago, it was not common in school districts. But with the recent attacks, it has become more mainstream.

Another common thing I see in school is that all staff have local admin rights to their computers, so they could install whatever programs they wanted. That's something that I took away, so the staff no longer had admin rights. Some people have been there for a long time. They kind of just keep kicking the bucket down the road because they don't want to make big changes. But sometimes that's what needs to be done for the best security practices.

Dark Reading: What advice do you have for others working in cybersecurity for school districts?

Kim: You don't want to be an enemy of the teachers, which happens whenever you make some of the sweeping changes, but you definitely can't be afraid to do what's right. You just have to make sure you're able to explain things, especially to those who might not know about technology. You have to explain why you're making the change, what it's going to do, and how it protects them personally.

Also, educate yourself. One of the things I did in the military — they did for everybody — was they regularly sent us to cybersecurity boot camps and classes where you could get different certificates. With schools, you don't have the ability to do that, so [you have to figure out how to] improve your cybersecurity posture with what's available to you.