School Cyber: Worrisome Trends Affecting Districts

Cyber, Education, Property & Casualty, Risk

Concern growing over record number of school cyber incidents

According to K-12 Cybersecurity Resource Center, 2020 was a record year for school cyber incidents. An average school district faces as many as three attempted cyber incidents per day.

The urgency of this issue has been noticed by the highest level of the federal government. The Government Accountability Office (GAO), a federal watchdog agency, published  findings last year that concluded that the increasing number of cyberattacks on K-12 institutions in the U.S. were putting students and schools at risk.

Congress is also concerned about the issue. The above referenced report was rolled out as part of the K-12 Cybersecurity Leadership Symposium at which Rep. Jim Langevin (D-R.I.) said he was looking at reintroducing legislation to address cyber threats to the nation’s schools.

A further concern about the nature of attacks against public schools is that many of the incidents are politically, rather than financially, motivated. Hackers may try to bring down your operating system because they politically oppose a policy implemented by your district.

Creating a hard insurance market for cyber liability coverage

Since the inception of insurance, insurance has moved in pricing cycles called hard and soft markets. A hard market exists when an insurance company is losing money on a particular insurance coverage and/or they perceive a greater risk for a particular type of insurance. 

Right now we are seeing all of the signs of a hard market for cyber insurance:

  • Insurance carriers exiting the market limiting competition
  • Shared cyber insurance limits within pools and buying groups
  • Increased underwriting by insurance companies including increased scrutiny about security practices at your school district
  • Higher insurance prices

Why are schools targeted?

School districts are targeted by cyber criminals because they have valuable information and a reputation of weak cyber security programs. This makes school districts vulnerable to both ransomware and fraud.

Within their systems, schools have some of the most valuable types of information to cyber criminals: money, payment card information, personal medical information, and information about minors. Medical information is valuable in helping commit insurance fraud and obtaining illegal prescriptions. Student information is valuable to establish credit in the name of a minor who may not discover this fraud for years.

How are schools targeted?

The methods used by cybercriminals are too numerous to list, and there could be new ones in use by tomorrow. Here are some of the most common cybercrime methods used against school districts.

  • Phishing. A fraudulent email is sent to the district. Someone within the district answers the email with fraudulently requested information or clicks on a fraudulent link within the email. This gives the cybercriminal access to the district system to plant malware or commit fraud. 
  • Password Theft. Most people are not good at passwords. They use the same password for multiple sites or use passwords that are easy to guess. Two of the most common passwords still in use are “password” and “123456”
  • Invoice manipulation. Once the criminal is in your accounts payable or billing system, they can manipulate invoices so that payments are sent to fraudulent accounts.
  • Vishing. The cybercriminal leaves a voicemail about an urgent payment that needs to be made to a vendor or pretends to be a vendor requesting a change in a payment account.
  • Smishing. The same as Vishing but done via text message.
  • Waterholing/Cloning. The cybercriminal monitors commonly used websites by your school district. They “clone” the website address by change the address slightly and send an email to user of that website asking them to click on the link. A commonly cloned site is Paypal to PayPa”I“. The last letter is change from a lower case “L” to an Uppercase “I”

What can a school do to protect itself and assure underwriters it is practicing cyber loss prevention?

  • Multifactor authorization for access to your system. This could be biological, a text message with an authorization code, or a push notification on a smart phone.
  • Password Management. Your passwords should contain lower case letters, uppercase letters, numbers and symbols. They should be changed regularly.
  • Updating and patching your systems Constantly with the latest security updates.
  • Limit personal use of school devices.
  • Training. Make your employees aware of these threats and test them in real time by trying to get them to “take the bait” a cybercriminal would offer them.


Awareness of the current cyber situation and cyber loss control and prevent these worrisome trends from becoming a crisis. Remember good risk management practices require both risk transfer and risk control techniques. Insurance is a good method of transfer, but your school district is responsible for implementing the risk control program.

This article was written by Marty Malloy. Marty served as a Director of Education & Government Practice at M3 until his retirement in 2023.

Back to Insight Center