Scarinci Hollenbeck, LLC, LLCScarinci Hollenbeck, LLC, LLC

Firm Insights

Increased Cyber Threats Require New Jersey Schools to Take Action

Author: Scarinci Hollenbeck, LLC

Date: April 8, 2021

Key Contacts

Back

The Joint Cybersecurity Advisory warns that cyberattacks against K-12 educational institutions are on the rise

Increased Cyber Threats Require NJ Schools to Take Action

Cybercriminals are likely targeting schools, according to an Alert issued jointly by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The Joint Cybersecurity Advisory warns that cyberattacks against K-12 educational institutions are on the rise, resulting in the disruption of remote learning, data theft, and ransomware attacks.

Uptick in Cyberattacks Against Educational Institutions

While learning has shifted online due to the COVID-19 pandemic, cybercriminals increasingly view schools as targets of opportunity. Schools are particularly vulnerable to cyberattacks since they were forced to quickly shift to remote learning environments in response to the pandemic; many staff members and students are new to online learning platforms; and many districts lack the resources to adequately safeguard their IT systems from mounting threats.

The FBI, CISA, and MS-ISAC continue to receive reports from K-12 educational institutions about the disruption to distance learning efforts at the hands of cyber actors. The cyberattacks have taken a variety of forms, including ransomware attacks, malware attacks, and distributed denial-of-service attacks.

Ransomware attacks have become particularly prevalent and disruptive in recent months. According to the FBI, in these attacks, malicious cyber actors target school computer systems, slowing access or even rendering the systems inaccessible for basic functions. Relying on tactics traditionally used against business targets, ransomware actors have also stolen—and threatened to leak—confidential student data to the public unless institutions pay a ransom.

Data collected by MS-ISAC shows that the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year. In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July.

In the most recent string of ransomware attacks, cybercriminals used PYSA malware, also known as “Mespinoza”, to infiltrate schools in 12 states. According to an FBI Flash Alert, the cyber actors specifically targeted K-12 schools. The perpetrators used PYSA to exfiltrate data from victims prior to encrypting their victim’s systems to use as leverage in eliciting ransom payments.

Mitigation Strategies for New Jersey Schools

The FBI and CISA recommend that K-12 schools review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by cyber actors. While schools should thoroughly review the Alert in its entirety, below are several key steps to consider:

  • Focus on awareness and training. Provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).
  • Implement multifactor authentication systems, where possible;
  • Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Implement network segmentation.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
  • Regularly, change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
  • Install updates/patch operating systems, software, and firmware as soon as they are released.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update anti-virus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organizations.
  • Disable hyperlinks in received emails.

The Alert also offers best practices for safeguarding videoconferencing platforms such as Zoom and Google Meet. They include ensuring participants use the most updated version of remote access/meeting applications; requiring passwords for session access; establishing a vetting process to identify participants as they arrive, such as a waiting room; ensuring only the host controls screensharing privileges; and implementing a policy to prevent participants from entering rooms prior to host arrival and to prevent the host from exiting prior to the departure of all participants.

Schools should also recognize that their security is also influenced by the cyber controls implemented by their third-party service providers. Accordingly, when partnering with third-party and EdTech services to support distance learning, it is essential to consider the following:

  • The provider’s data maintenance and storage practices (e.g., use of company servers, cloud storage, or third-party services);
  • Types of student data the provider collects and tracks (e.g., PII, academic, disciplinary, medical, biometric, IP addresses);
  • Entities to whom the provider will grant access to the student data (e.g., vendors);
  • How the provider will use student data (e.g., will they sell it to—or share it with—third parties for service enhancement, new product development, studies, marketing/advertising?);
  • The provider’s de-identification practices for student data; and
  • The provider’s policies on data retention and deletion.
  • The service provider’s cybersecurity policies and response plan in the event of a breach and their remediation practices:
  • How did the service provider resolve past cyber incidents? How did their cybersecurity practices change after these incidents?
  • The provider’s data security practices for their products and services (e.g., data encryption in transit and at rest, security audits, security training of staff, audit logs);

Key Takeaway

Being proactive is essential to preventing a cyberattack. With the adoption of remote and hybrid learning, New Jersey schools face new threats and vulnerabilities that must be addressed with updated cyber policies, procedures, and training.

If you have questions, please contact us

For guidance, we encourage schools and school districts to reach out to a member of the Scarinci Hollenbeck Education Law Group or Cyber Security and Data Privacy Group at 201-896-4100.

No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.

Scarinci Hollenbeck, LLC, LLC

Related Posts

See all
A Whistleblower Just Filed a Complaint Against Your Company: Here's What to Do Now post image

A Whistleblower Just Filed a Complaint Against Your Company: Here's What to Do Now

Few situations create more uncertainty than learning that an employee has filed a whistleblower complaint. Questions arise immediately: Is the allegation legitimate? Should the employee be placed on leave? Do we need to notify our insurance carrier? Are we now prevented from disciplining the employee if there are unrelated ongoing work related issues? There is […]

Author: Sean M. Pena

Link to post with title - "A Whistleblower Just Filed a Complaint Against Your Company: Here's What to Do Now"
Assignment for the Benefit of Creditors: An Alternative to Bankruptcy for Distressed Businesses post image

Assignment for the Benefit of Creditors: An Alternative to Bankruptcy for Distressed Businesses

When a business reaches the point where it can no longer service its debts or otherwise resolve its liabilities, management is often faced with a difficult question: is a bankruptcy filing necessary or is there another way to perform an orderly liquidation or sale of the business assets? While Chapters 7 and 11 of the […]

Author: John D. Giampolo

Link to post with title - "Assignment for the Benefit of Creditors: An Alternative to Bankruptcy for Distressed Businesses"
Breaking Down New Jersey’s “Mansion” Tax: What Buyers and Sellers Need to Know post image

Breaking Down New Jersey’s “Mansion” Tax: What Buyers and Sellers Need to Know

For many years, the New Jersey Mansion Tax has been a significant consideration in high-value real estate transactions. Recent legislative changes, however, have substantially altered how the tax operates, including who is responsible for paying it and the amount owed in certain transactions. Whether you are purchasing, selling, or investing in New Jersey real estate, […]

Author: George McGowan

Link to post with title - "Breaking Down New Jersey’s “Mansion” Tax: What Buyers and Sellers Need to Know"
Estate Planning for Digital Assets Under New Jersey Law post image

Estate Planning for Digital Assets Under New Jersey Law

As our personal and financial lives increasingly move online, estate planning must evolve to address a new category of property: digital assets. From email accounts and social media profiles to cryptocurrency and cloud-stored business records, these assets often carry both financial and sentimental value. Yet, without proper planning, they can become inaccessible—or even lost—upon incapacity […]

Author: Marc J. Comer

Link to post with title - "Estate Planning for Digital Assets Under New Jersey Law"
The Role of Representation and Warranty Insurance in M&A Transactions post image

The Role of Representation and Warranty Insurance in M&A Transactions

In today’s mergers and acquisitions market, representation and warranty (R&W) insurance has become a common feature of deal negotiations. Once used primarily in larger transactions, R&W insurance is now frequently incorporated into middle-market deals as buyers and sellers look for efficient ways to allocate risk and close deals. When structured properly, R&W insurance can help […]

Author: George McGowan

Link to post with title - "The Role of Representation and Warranty Insurance in M&A Transactions"
You Just Received a Federal Grand Jury Subpoena in New Jersey: Now What? post image

You Just Received a Federal Grand Jury Subpoena in New Jersey: Now What?

Receiving a federal grand jury subpoena is not something most businesses or individuals anticipate. While it can be concerning, a federal grand jury subpoena does not necessarily mean that you are being accused of wrongdoing. It does, however, mean that a federal criminal investigation is underway and that federal prosecutors believe you may possess information […]

Author: Sean M. Pena

Link to post with title - "You Just Received a Federal Grand Jury Subpoena in New Jersey: Now What?"

No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.

Sign up to get the latest from our attorneys!

Explore What Matters Most to You.

Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.

Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.

Let`s get in touch!

* The use of the Internet or this form for communication with the firm or any individual member of the firm does not establish an attorney-client relationship. Confidential or time-sensitive information should not be sent through this form. By providing a telephone number and submitting this form you are consenting to be contacted by SMS text message. Message & data rates may apply. Message frequency may vary. You can reply STOP to opt-out of further messaging.
“If you would like to submit a file, please email it directly to info@sh-law.com.

Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!