ST. LOUIS COUNTY, Mo. – If you have a website, you are at risk. You don’t have to click on a malicious link to let the criminal inside. Just like your home, cybercriminals are looking for unlocked windows, a weak door, or that key you’ve hidden under a rock.
“It is what keeps people in my position up at night,” Jason Rooks said. He’s Parkway School District’s Chief Information Officer.
“It’s not if you get attacked – it’s when you get attacked,” he said.
Rooks says school districts are now one of the biggest targets.
“In the past month, two school districts in the state of Missouri have had to close multiple days due to ransomware attacks,” he said.
The Affton School District was recently hit with ransomware. Cybercriminals said they had personal information and demanded money for its return. Affton said it didn’t pay, but Maryville University Associate Professor of Cybersecurity Brian Gant says some districts do.
“One in four school districts is experiencing ransomware currently. Right now, K-12, we’re talking about millions and millions of dollars being lost,” he said.
Gant teaches student how to defend our computer systems. A video wall in their cyber fusion center shows active attacks being stopped—live—in real time. Gant says we don’t have enough experts to stop the attacks.
“The gap that we’ve been experiencing is vast,” he said. “In 2023, they’re expecting it to be a million-job gap between those with the skills necessary to fill it, and higher education is one of those vehicles in which we can get people into the pipeline to fill those gaps.”
Student Hunter Myles already has a job lined up where he will fight to defend our virtual borders.
“Nothing is secure. No company is safe,” he said. “Major national government agencies were attacked. National corporations with billions of dollars in security funding were attacked. It always takes one open door for these attackers to get in.”
In class, he’s working with school districts like Parkway to tighten their security.
“And the great thing is they don’t charge school districts for these services,” Rooks said. “We’ve gotten quotes for other external vulnerability assessments that have gone upwards of $30,000.”
Rooks talked about how Maryville helps assess, saying, “They’re outside of our environment trying to poke holes and doing what the attacker would do to try to get into our district.”
Maryville found no major security gaps at parkway, but did find places for the district to secure.
“They’re finding where we hide our keys – under the rock in the garden, and suggesting, well, here’s a better place where you can hide it,” Rooks said.
Maryville’s Cyber Fusion Center Director Sean Kilfoy says their checks of other districts and businesses find major problems.
“Hundreds of different vulnerabilities,” he said.
One possible weakness for web sites are the boxes where you type your username and password. That can be a way inside for criminals. They might type a hacking code in the boxes to get everyone’s username and password.
“I could go in and delete all of those usernames and passwords and make my own or I could have everybody’s credentials, or both and I could sell that,” Kilfoy said. “The possibilities are endless for attackers. So, we fix that. You should have a code in your database that says reject that kind of input.”
Most schools are now carrying cyber insurance to save the millions an attack might cost. The deductibles on those polices are often tens of thousands.
The cities of Alton, Illinois and Berkeley, Missouri were both recently attacked with ransomware and shut down for days. Both cities tell me they did not pay ransoms and that they got help from their cyber insurance policies. Berkeley canceled their last court night because of an attack.