Cyber attackers are increasingly targeting K-12 schools, leading to an urgent need for more cyber security, says Phil Emer, director of Technology Planning and Policy at the N.C. State University Friday Institute.

Emer informed legislators on the growing threat during a Joint Legislative Education Oversight Committee meeting Tuesday, March 6.

“Schools are actually getting targeted specifically now,” Emer said. “Not only have North Carolina schools been targeted, but a lot of municipalities and counties in the state have been targeted.”

In December 2016, the Department of Public Instruction released a report on cyber security, which shows most school districts aren’t prepared for a cyber attack. Smaller school districts and charter schools are particularly vulnerable.

The School Connectivity Initiative, which aimed to provide internet access to schools, was amended in the 2017 budget to include cyber security. The amendment tells the State Board of Education and DPI to work with the Friday Institute to assess cyber threats and provide cyber security training.

Emer said the expansion includes continuous monitoring and risk assessments, security advisory and consulting services, and security training. Funding for continuous monitoring and risk assessments adds up to $200,000 for each year of the biennium.

“We have seen repeated malware attacks and continuous reinfections,” Emer said. “A number of devices in a school district will become compromised, they’ll detect them and clean them, and then immediately or almost immediately they will get reinfected.”

Emer said dealing with malware infections can be costly and take up a significant amount of time, but practicing better cyber hygiene could prevent these infections.

Cyber attacks come in many forms including ransomware attacks, phishing email scams, and session hijacking. Another form of attack, denial of service, happens when an attacker prevents the legitimate use of a website through a bombardment of fake requests.

“There are students in North Carolina who have gone on to websites and have bought a denial of service to attack their own school during a test day,” Emer said. “But beyond all, the entry point for virtually all of the risk and all of the hacks tends to be email.”

Emer said emails are primarily used because they are cheap, and it’s relatively easy to get people to click on a link in an email. Hackers use fake links to get behind corporate firewalls or other security measures to gain access to passwords and other devices in the system. Phishing emails can look like they are from Netflix, UPS, or Bank of America, when in fact they are a scam to gain sensitive information.

In North Carolina, CFOs and school accountants have been getting emails from people masquerading as superintendents. These hackers establish a conversation first and then ask for the federal W-2 forms for employees at certain schools. Emer said at least one school district fell for this ploy last year.

“They are getting very sophisticated,” Emer warned. “This was a very targeted attack.”

Emer said that security services are provided through SCI, but school districts and charter schools need more assistance to protect from and respond to cyber attacks.

Other possible preventative steps include using cloud-based services to reduce exposure to cyber threats and closely monitoring networks and systems.