Ransomware is a rapidly growing problem for school districts across the United States. In the past year alone, there have been multiple high-profile cases of school districts falling victim to ransomware attacks. These attacks can have devastating consequences, both financially and in terms of the disruption to the educational process.

The most significant impact of a ransomware attack on a school district is the disruption to the educational process. Schools rely heavily on technology to provide an effective and efficient education.

The financial cost of a ransomware attack can also be significant. In some cases, schools have paid tens of thousands of dollars in ransom. Even if the ransom is paid, there is no guarantee that the attacker will provide the decryption key. Additionally, there is the cost of lost productivity and the need to hire outside experts to help with the recovery process.

While the financial cost is painful, it can be mitigated with a cyber insurance policy; there is a much bigger cost, which is unique to educational institutions. When important systems and files are encrypted, teachers and students are unable to access essential information and resources. This can lead to a major disruption in the classroom, making it difficult for students to learn and for teachers to effectively teach. The cost of this is immeasurable as it affects the education and well-being of our children.

One of the biggest challenges with ransomware is that it can be very difficult to detect and prevent. Ransomware is typically delivered via a phishing email or through a vulnerable software program. Once the malware is installed, it encrypts important files on the victim’s computer, making them inaccessible. The attacker then demands payment, usually in the form of Bitcoin, in exchange for the decryption key.

How to protect against ransomware in K-12

To protect against ransomware, school districts must take a multi-layered approach:

  • Layer 1 – User Education/Password Policy
  • Layer 2 – Endpoint Protection
  • Layer 3 – Multifactor Authentication
  • Layer 4 – Incident Response Plan

Below are some tips (along with some solutions Cisco offers) on how to address each of these layers. All of them are cloud/subscription based and simple to implement, and in the case of Umbrella and Duo you can try them for free.

Layer 1 – User Education/Password Policy

Educating users on how to protect themselves from ransomware is a key step in preventing attacks. Here are a few ways you can educate your users:

  • Conduct regular training sessions: Hold regular training sessions to educate users on the latest threats and best practices for avoiding them. This can include information on identifying and avoiding phishing emails, safe browsing habits, and the importance of software updates.
  • Provide written materials: Create written materials such as guides, tip sheets, and FAQs that users can refer to for information on how to protect themselves from ransomware.
  • Use real-world examples: Use real-world examples of ransomware attacks to illustrate the impact of these attacks and the importance of following best practices for avoiding them.
  • Provide technical support: Provide technical support to help users with software updates and other security measures.
  • Encourage reporting: Encourage users to report any suspicious emails or other potential threats to the IT department.
  • Make users aware of the consequences: Make users aware of the consequences of a ransomware attack, both financially and in terms of the disruption to their work and encourage them to take the necessary steps to protect themselves.

Implementing a good password policy is an important step in protecting your organization from cyber threats. Here are a few steps you can take to implement a strong password policy:

  • Require strong passwords: Encourage users to create strong passwords that are at least 8 characters long and include a combination of uppercase and lowercase letters, numbers, and special characters.
  • Use password managers: Encourage users to use password managers to generate and store strong, unique passwords for each account. I use 1Password from AgileBits. It works seamlessly across all my devices.
  • Change passwords regularly: Require users to change their passwords on a regular basis, such as every 90 days, to reduce the risk of a password being compromised.
  • Prohibit password sharing: Prohibit users from sharing passwords with others and encourage them to report any suspicious password-related activity.
  • Educate users: Educate users on the importance of strong passwords and good password practices and provide them with resources to help them create and manage strong passwords.
  • Monitor: Monitor for possible password breaches using tools like password cracking software and other security measures. Take action in case of a possible breach.
  • Be flexible: Be flexible and adapt the policy according to the company’s security needs and the threat landscape.
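The "Require strong passwords" and "Monitor" bullets above describe a policy rather than a mechanism. As an added example (not code from the post or from any Cisco or 1Password product), the following Python implements the stated policy as a checker, and pairs it with a lookup against a small, constructed set of SHA-1 hashes standing in for a breached-password feed, so that a password that satisfies the character rules but is already known to attackers is still rejected. The hash set and the sample passwords are constructed for illustration.

```python
import hashlib
import string

# Policy thresholds taken from the post's "Require strong passwords" bullet:
# at least 8 characters, with upper, lower, digit and special characters.
MIN_LENGTH = 8

# Constructed stand-in for a breached-password feed: SHA-1 hashes of a few
# passwords we pretend have appeared in public breach dumps. A real deployment
# would load these from a feed rather than hard-code them.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Password1!", "Welcome2023!", "Spring2024!")
}


def policy_violations(password: str) -> list:
    """Return a list of human-readable reasons the password fails the policy.

    An empty list means the password satisfies every rule in the post.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 hash is in the (constructed) breach set.

    Hashing before lookup means the plaintext never has to be stored or
    shipped to the component that holds the breach list.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def evaluate_password(password: str) -> dict:
    """Combine the policy rules with the breach check into one decision."""
    violations = policy_violations(password)
    breached = is_breached(password)
    return {
        "accepted": not violations and not breached,
        "violations": violations,
        "breached": breached,
    }


if __name__ == "__main__":
    for candidate in ("Ab1!", "Password1!", "c0rrect-Horse-battery"):
        print(candidate, evaluate_password(candidate))
```

The important case is "Password1!": it passes every character-class rule in the policy yet is rejected because it is on the breach list, which is exactly the gap the "Monitor" bullet is meant to close.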

Layer 2 – Endpoint Protection

Endpoint protection is a type of security solution that is designed to protect individual devices, such as computers and servers, from a wide range of cyber threats, including ransomware. Cisco Umbrella is a cloud-based security platform that can be used to prevent ransomware attacks. Here are a few ways that Cisco Umbrella can be used to protect against ransomware:

  • DNS-layer security: Umbrella uses DNS-layer security to block access to known malicious websites and IPs that are commonly used to distribute ransomware.
  • Advanced threat intelligence: Umbrella uses advanced threat intelligence to identify and block malicious domains and IPs that are associated with ransomware campaigns.
  • Machine learning: Umbrella uses machine learning algorithms to detect and block new, previously unseen threats, including ransomware.
  • Phishing protection: Umbrella’s Phishing Protection feature identifies and blocks phishing websites that are used to deliver ransomware.
  • Investigate: The Umbrella Investigate feature allows you to investigate a domain or IP address to understand its risk, as well as its historical association with malware or ransomware.
  • Cloud-delivered firewall: Umbrella’s cloud-delivered firewall can be used to block incoming connections from known malicious IPs and to restrict access to sensitive resources.
  • Mobile security: Umbrella’s mobile security feature can be used to protect mobile devices from ransomware and other mobile threats.
  • Integration: Umbrella can be integrated with other Cisco security products, such as Cisco Advanced Malware Protection (AMP) and Cisco Talos, to provide a comprehensive security solution that includes protection against ransomware. Please take a moment and head over to the Talos site. It is a wealth of information on all the security threats out there. All this information is fed directly into all of Cisco’s security products. There is a great blog post about it here.
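To make the "DNS-layer security" bullet concrete, here is an added example (my own illustration, not Umbrella code or its API) of what a DNS-layer filter does: a resolver front end that answers queries for blocked domains, or for any subdomain of them, with a sinkhole address instead of the real one, and that also sinkholes answers pointing at blocked IPs. The same matching logic is then run over a few constructed DNS query log lines to show how the block events surface for the IT department to review. The blocklist, the log lines and the `upstream` resolver function are all constructed for the example; a real deployment would take the blocklist from a threat-intelligence feed.

```python
from typing import Callable, List, Optional, Tuple

# Constructed blocklist standing in for a threat-intelligence feed.
# Domains use the reserved .example TLD; IPs come from documentation ranges.
BLOCKED_DOMAINS = {"malware-dropper.example", "phish-login.example"}
BLOCKED_IPS = {"203.0.113.45"}

# Address returned instead of the real answer, so the client's connection
# goes nowhere harmful and the attempt is visible in the logs.
SINKHOLE_IP = "192.0.2.1"

# Constructed DNS query log: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2024-03-01T08:01:12Z 10.20.1.15 www.example.org A
2024-03-01T08:01:13Z 10.20.1.15 cdn.malware-dropper.example A
2024-03-01T08:02:40Z 10.20.1.22 phish-login.example A
2024-03-01T08:03:05Z 10.20.1.31 docs.example.org AAAA
"""


def domain_is_blocked(qname: str) -> bool:
    """True if qname or any parent domain of it is on the blocklist.

    Walking up the label hierarchy catches cdn.malware-dropper.example when
    only malware-dropper.example is listed.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in BLOCKED_DOMAINS:
            return True
    return False


def resolve(qname: str, upstream: Callable[[str], Optional[str]]) -> Optional[str]:
    """Simulated DNS-layer filter in front of an upstream resolver.

    Blocked names never reach upstream; answers that point at a blocked IP
    are replaced with the sinkhole as well.
    """
    if domain_is_blocked(qname):
        return SINKHOLE_IP
    answer = upstream(qname)
    if answer in BLOCKED_IPS:
        return SINKHOLE_IP
    return answer


def scan_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, qname) for every query that was blocked.

    This is the detection side: which internal clients tried to reach
    known-bad infrastructure, and when.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _qtype = line.split()
        if domain_is_blocked(qname):
            hits.append((ts, client, qname))
    return hits


def fake_upstream(qname: str) -> Optional[str]:
    """Constructed stand-in for a real recursive resolver."""
    table = {
        "www.example.org": "198.51.100.10",
        "docs.example.org": "198.51.100.11",
        "bad-host.example": "203.0.113.45",  # resolves to a blocked IP
    }
    return table.get(qname.rstrip(".").lower())


if __name__ == "__main__":
    for name in ("www.example.org", "cdn.malware-dropper.example", "bad-host.example"):
        print(name, "->", resolve(name, fake_upstream))
    for hit in scan_log(SAMPLE_LOG):
        print("blocked query:", hit)
```

Two details matter in practice: the parent-domain walk, because attackers rotate hostnames under one registered domain far more often than they register new domains, and the check on the answer IP, which catches a fresh hostname that points at infrastructure already known to be bad.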

Layer 3 – Multifactor Authentication

Multifactor Authentication can be used to prevent ransomware attacks by adding another layer of security to the login process. Here are a few ways that Cisco Duo can be used to protect against ransomware:

  • Two-factor authentication: Cisco Duo requires users to provide two forms of authentication, such as a password and a one-time code sent to their mobile device, before logging in to a system. This makes it much more difficult for attackers to gain access to a system, even if they have stolen a user’s password.
  • Secure access: Cisco Duo can secure access to a wide range of systems and applications, including cloud-based services, web applications, and VPNs, providing a comprehensive security solution.
  • Risk-based authentication: Cisco Duo uses risk-based authentication to provide an additional layer of security when the user is accessing from an unknown location or device, making it more difficult for attackers to gain access to a system.
  • Mobile-based authentication: Cisco Duo can provide mobile-based authentication, which allows users to receive a push notification or a one-time code on their mobile device, email or hardware token, adding an additional layer of security.
  • Integration: Cisco Duo can integrate with other Cisco security products, such as Cisco Umbrella and Cisco Advanced Malware Protection (AMP), to supply a comprehensive security solution that includes protection against ransomware.
  • Easy to use: Cisco Duo is easy to use and can be set up quickly, allowing organizations to protect their systems and data from ransomware attacks with minimal disruption to their operations.
  • Protects remote users: Cisco Duo can protect remote users and devices from ransomware attacks by securing access to VPNs and other remote access technologies, even when users are working from untrusted networks.

Layer 4 – Incident Response Plan

Building an incident response plan (IRP) for a ransomware attack can help you quickly and effectively respond to an attack and minimize its impact on your organization. Here are some general steps you can take to build an IRP for a ransomware attack:

  • Identify the key stakeholders and define their roles and responsibilities in the incident response process. This may include IT staff, legal team, management, and external partners such as incident response consultants or legal counsel.
  • Establish a clear incident response hierarchy and chain of command to ensure that decisions are made quickly and effectively.
  • Identify the critical systems and data that need to be protected and prioritize their recovery.
  • Develop procedures for identifying, containing, and mitigating a ransomware attack, including procedures for isolating infected systems, restoring data from backups, and communicating with stakeholders and external partners.
  • Test and practice the incident response plan regularly to ensure that it is effective and that all stakeholders are familiar with their roles and responsibilities.
  • Regularly review and update the incident response plan to reflect changes in technology, threats, and your organization’s needs.
  • Have a communication plan in place for internal and external stakeholders to keep them informed of the situation and actions taken.
  • Have cyber insurance in place as a fallback plan in case of a successful attack.
  • Consider Cisco Incident Response, offered by Cisco Advanced Services. We can help you with a ransomware attack by providing a variety of tools and services to assist you with some of the items above, and if all else fails, we will help you identify, contain, and mitigate the attack.

The impacts of ransomware

Overall, ransomware attacks on K-12 schools can be devastating, leading to lost data and disrupted operations. Schools can significantly reduce their risk of falling victim to these types of attacks by taking proactive steps to prevent attacks and educating their communities about cybersecurity.

Learn more about Cisco solutions and free trials for security in K-12, and chat with a Cisco security expert to avoid being another ransomware attack statistic. Plus, we even have a K-12 funding team that is here to help you find the funding that fits your needs.

David Caren

Systems Architect

dSLED K-14 Education