How Much Does a Public School Stand to Lose When Cyberattacks Go Undetected?
Scenario: Jackson always had two things going for him: his ability to adapt to growing technology and a certain charm that many couldn’t resist. He had a knack for saying the right thing to make a partner swoon, something he must have picked up from his childhood days watching soap operas from the comfort of his couch next to his hopeless romantic mother.
That’s why, when Jackson found himself at the bottom rungs of a hacking business, he decided to use his words in a way that would profit both him and his fellow criminals.
Located in a tiny town in central Brazil, Jackson’s employer was in the business of stealing funds from public schools in the United States. As entities sprinkled across the country, schools often did not have the proper controls in place to protect against such attacks.
Plus, smaller districts often had fewer resources, and fewer resources often meant less cyber training, more open ports and an enormous amount of student and teacher data to exploit.
The job was easy: Infiltrate the schools with little to no security, get a sense of their system and how they manage their finances, mimic their emails and request funds to be wired to a new bank account when the time was right.
A simple social engineering endeavor.
The issue Jackson’s firm faced was how to effectively swindle money overseas without setting off any red flags — which gave Jackson an idea. After all, he did have two things going for him.
GoldenYears was a new dating service geared toward senior citizens, and it was quickly gaining popularity in the States. Jackpot, Jackson thought, one of the most vulnerable populations when it came to poor cybersecurity habits, all rounded up onto one site like a little present just for him.
He got to work.
After setting up a fake profile, Jackson soon found himself in contact with several older women — and a few men — all looking for a companion for those final golden years. He took his time getting to know them, asking subtle questions about their level of understanding when it came to technology.
Meanwhile, his fellow criminals were in the process of infiltrating a decent-sized school district in upstate New York, one that serviced more than 10,000 students. It had the potential for a great payout — now, to just get the money into their hands.
Jackson went for the jugular.
One woman fell fast for his act, so he started explaining to her how he needed help moving some funds. Her knowledge of cybercriminal activity was microscopic. Led by her heart, and a few sweet nothings typed by Jackson, she complied.
The criminals entered the school’s email, posing as one of the employees responsible for finances. They crafted an email that alerted the bank to wire the money to the GoldenYears woman. The first sum was $3 million.
Jackson walked his victim through purchasing cryptocurrency before sending the money along to his criminal outpost.
They waited a few weeks to see if the scheme worked. When all seemed quiet, they struck again for another $5 million. On and on it went until roughly $40 million had made its way from this upstate New York public school district to the hackers sitting in Brazil.
When at long last the infiltration was discovered, however, Jackson and his team had moved on — new state, new school district, new love interest.
The school, however, was facing a slew of problems. Budget cuts had depleted its resources to begin with, and now, $40 million in the hole, it had only its measly $1 million cyber liability insurance policy to help.
Impossible, you might say. There has to be some safeguard in place within public school districts to protect them from wildly outlandish schemes involving fictive romance, cryptocurrency, bank wire fraud and social engineering.
But it’s more possible than you might think.
Chester-Upland School District (CUSD) in Delaware County, Pennsylvania, experienced this very thing in 2022. After infiltrating the network, a group of hackers in Nigeria used dating site eHarmony to bamboozle a widowed Florida woman into wiring nearly $13 million into their bank account.
Luckily for the district, the hackers got a little greedy after their first wiring success and asked for too much on the second installment. The $8 million ask sent a red flag through the Pennsylvania Department of Education, which then alerted the state district attorney’s office.
An investigation ensued. Through insurance, roughly $10 million was recouped. However, the missing $3 million is still a significant loss, relayed Nafis Nichols, receiver for CUSD, in the district’s official statement.
“Our district faces significant economic challenges, and we are doing our best to allocate as much money as possible to our classrooms and to providing adequate and appropriate staffing. An additional $3 million can make a significant difference for our students,” Nichols said.
It prompts the question: What might have happened had the hackers been a little more patient and a little less greedy? CUSD services just under 3,000 students across six public schools, with a student to teacher ratio of 15:1. It’s a relatively small district compared to the fake school in our scenario, but the damages are lasting.
“Unfortunately, most public entities don’t have adequate resources allocated to cybersecurity,” said Sulim Bartok, area senior vice president, public sector, Gallagher.
“Public entities have always been a little behind the curve as far as allocating for resources, because as opposed to a corporation or something like that where it’s a lot easier to find the money to allocate toward these resources and fund this sort of infrastructure and strengthen operations, with public entities, you always have to budget, and budgeting takes planning and it takes time.”
So, what are public schools to do?
Understanding the Big Vulnerability of Public Schools
When it comes to public schools — and public entities in general — the conversation on cybersecurity usually comes back to budget. And experts in the cyber and public entity space agree that this is a huge contributing factor to public schools’ cyber vulnerability.
“These are public institutions; they’re depending upon public funding,” said Tiffany Calhoun, regional product leader, cyber, tech and media, Allianz Global Corporate and Specialty.
“Budget constraint is one of the biggest obstacles for them. Especially when the economy is going in its current direction, they’re going to be impacted by that.”
“Not only is it the lack of funding and resources, it’s that all public schools [are] probably not going to have access to the same amount of funding, which is going to give some districts more options over the others in terms of security investments,” added Russ Cohen, head of cyber services, U.S., at Beazley.
Budget plays a huge role in attaining the resources to prevent a cyberattack. If a school is weighed with the decision between purchasing new textbooks for its students or updating old infrastructure versus upgrading cyber protocols, chances are the more tangible items will be prioritized.
“When it comes down to a school district having to pay for their building to be updated or cybersecurity, you can see where there’s a conflict. You have to put your money where you can get the biggest bangs, and unfortunately, I don’t think cybersecurity has really been the top subject for them,” Calhoun added.
And even when the budget (or part of it) is there to have a cyber team or consultant on board, these professionals will often leave for greener pastures.
“Municipalities have long struggled with attracting and retaining the best-in-class cybersecurity staff, who often leave for better-paying roles in the private sector,” said John Farley, managing director, cyber liability practice, Gallagher.
Additionally, many public entities do not have a CISO on staff, and there is a risk that not all third-party vendors are solely focused on cybersecurity, opening schools to other cyber misalignments.
One would think having small budgets would make public schools a less exciting payout for hackers. Yet even without big budgets for big payouts, public schools remain a target because lower budgets lead to easier access.
“The past two to three years, there’s been a significant uptick in threats, in claims and in attempts by these cybercriminals to hack [public schools],” Bartok said. But he’s confident that this level of interest is sparking new conversations within entities to better secure their cyber infrastructure.
In the meantime, when these events occur, schools feel the strain. Whether the hacker is funneling funds, encrypting data or just causing short- and long-term business interruption, the threats to public schools are a challenge.
In our scenario, the fictive Jackson employed what is called a social engineering cyberattack. This type of attack occurs when hackers infiltrate a system and exploit human error, whether by successfully acting as someone on staff or by tricking someone on staff to correspond with them as a third-party vendor.
“Social engineering — in particular, phishing — is probably one of the tools that hackers are going to reach for first, because it’s easy to use, it requires few resources,” said Cohen. And thanks to burgeoning technologies, this type of attack has become easier to enact.
“In this day and age, it can be so highly automated that they can cast such a broad net and, in some cases, use very targeted phishing attacks to go after specific individuals,” he said.
“Bad actors are going to do what works,” Calhoun added.
This is not news to any industry, but as Calhoun also noted, public schools are particularly easy to access because, as public institutions, they are often required to disclose who their vendors and partners are.
“Sometimes, they’re disclosing who is within their accounting department; they have to disclose the vendors they’re working with … Bad actors can spoof emails and say, ‘You’re working with ABC Construction Company and I’m from ABC Construction Company; can you please wire me some funds?’ ” she said.
Law requires these entities to be forthright about these dealings, because they service the public. But it leaves them as very open, easy targets.
Tight budgets, short staff, easy targets. It’s hard for a school to look at this perfect storm of cyber scares and not feel discouraged. But there are always ways to fortify, no matter the funds — or lack thereof.
“A lot of carriers have a list of cyber things they want to see public entities doing before they’re comfortable providing an insurance quote. But, again, we’re talking about organizations with finite resources,” Bartok said. Because of this, he said, schools should be talking to their insurance partners and brokers about what they should be investing in.
Training, for one, is key.
“Every employee at all levels of the organization should be trained. The training content will depend on the specific roles and responsibilities of the employee. There should be a comprehensive data governance program in place, and it should address key areas of the entire data life cycle,” said Farley.
Not only does having a set cybersecurity training program in place create a culture of cyber safety, but it also acts as a first line of defense. Staff who are up to date on phishing and social engineering trends and tactics can be the biggest ROI in cyber defense.
Other safety protocols that are relatively low-cost and easy to employ include multifactor authentication, patch management, endpoint detection and response, and data backups — all tactics that can be put in place with the help of a broker or insurance partner.
“Most cyber insurance carriers offer free or discounted cyber risk management services for their insureds,” relayed Farley. “These can include scanning, employee training, threat intelligence, penetration testing, incident response planning, tabletop exercises and compliance help.”
Incident response planning, as Farley mentioned, is a huge part of cyber defense for any entity — public or private.
“Insurance partners can help with incident response planning and providing those services when an incident occurs,” Cohen said. “The insurance partners have access to a treasure trove of data and leveraging that data to help make good recommendations, because we know what is triggering these events.” &