Cyber Security: What You Need to Know

Isaac Ohrenstein, Reporter

Last September, a group known as The Dark Overlord hacked into the Columbia Falls School District’s network, causing the closure of thirty schools. The group threatened to release student data should the Montana school district not comply with their demands: a payment of 150,000 dollars to be paid in bitcoin. The group’s ransomware attacks have targeted numerous school districts nationwide, in addition to notoriously leaking season five of Netflix’s Orange is the New Black. As the world has gone digital, the presence of cyber crime has skyrocketed. According to the Florida Institute of Technology, the United States loses $100 billion annually as a result of cyber attacks, which target almost 600 million victims per year. In particular, cyber attacks have increasingly targeted educational institutions.

Last October, the Department of Education issued a warning to K-12 students, parents, and teachers regarding increased cyber threats to schools around the country. Authorities believe that schools with weak security or well-known vulnerabilities are targeted in attempts to access sensitive data. The value of infiltrating a school’s network is in the amount of data held, ranging from financial information to medical records, insurance information, and social security numbers. Hackers typically demand ransom, often in the form of a virtual currency such as bitcoin, in return for data restoration. If unpaid, the information is leaked or permanently destroyed. Fortunately, Burroughs has a sophisticated firewall in place that protects the school from external intruders.

Burroughs alumnus Adam Bobrow ’90 worked in the Obama Administration at the Commerce Department and the White House Office of Science and Technology Policy on technology policy issues. He currently is the Chief Executive Officer of Foresight Resilience Strategies, a corporation he founded that develops cybersecurity solutions for companies.

“Human error is a major threat to cybersecurity. It is always easier to hack the user than the system,” claims Bobrow.

IBM reports that over 95% of all security incidents investigated identify human error as a contributing factor. The key to improving cybersecurity is retraining people to recognize dangerous emails, set more complex passwords, and practice better cyber hygiene. The Department of Education encourages schools to conduct security audits and to train staff and students on data security practices; however, most institutions only take meaningful action after a harmful attack.

“I see a disconnect between the policies imposed by an organization’s IT team and the people doing the work,” states Bobrow. “It’s a two-way street. You would like the policies to be implementable and people to recognize that a bit of inconvenience now is preferable to an incident later; however, they should not form an impediment to getting your work done.”

Martha McMahon, chair of the Computer Science Department at Burroughs, strongly advises students to restart all school devices after usage. Each time a school device is rebooted, software known as Deep Freeze removes any changes from the system, including passwords and files. The device is then restored to the IT department’s desired configuration.

McMahon also recommends that passwords exceed twelve characters and contain special symbols and numbers, as well as a mixture of upper and lower case letters. She suggests that students change their passwords frequently.

Bobrow reiterates, “To establish a secure password, go for length. You judge a password based on how strong it is as compared to a brute force attack, or when a computer keeps trying a series of possible passwords to match your password. If you have an adequate level of encryption on the password, and it is long enough, it will take x number of years of processing power to break it.” A vast number of people are still using children’s names, birthdays, and pets for passwords, which are susceptible to hacks.

A prime example of the widespread lack of cyber awareness is the practice of connecting to unsecured Wi-Fi networks. Nowadays, free Wi-Fi is offered in most public places, and it can be tempting to connect to an open, unsecured network. However, any information transferred on an unprotected wireless network, one without a WPA or WPA2 password, is exposed to anyone on that network. Numerous pieces of data can potentially be accessed by a hacker, from credit card numbers to important emails.

Free Wi-Fi networks are desirable to both consumers and hackers for the same reason: there is no authentication required to connect. Avoiding public Wi-Fi hotspots, which are primarily unsecured, is a simple method to improve your cyber resilience. Bobrow recommends, “If you do connect to public Wi-Fi, use a virtual private network (VPN), which effectively puts you in an encrypted tunnel.”

“There is a mind-boggling number of devices connected to the internet today, and this number is only expected to increase,” says Bobrow. He suggests that the future of cybersecurity lies in securing the Internet of Things (IoT), a concept that describes connecting any and every technological device to the internet. Despite the growth of network-connected devices, most IoT devices have paltry security systems. From power grids to financial markets, the nation’s infrastructure is dependent on the sustainability of the IoT. However, there is not yet a widespread solution to securing these devices. According to the Department of Homeland Security, “The characteristics of the IoT ecosystem also result in multiple opportunities for malicious actors to manipulate the flow of information.”

Many essential security systems are decades out of date, which is why it is relatively easy for hacking groups like The Dark Overlord to penetrate systems. In order to ensure integrity, confidentiality, and availability (ICA) of information, schools must invest in modern cybersecurity.

“Cybersecurity does not increase your revenue or sales, and it does not really increase your reputation. And at some point, [the year-on-year increase in cybersecurity spending] has to break down. For organizational leaders, there is nothing to tangibly measure,” asserts Bobrow.

According to the Huffington Post, it is recommended that schools spend upwards of 2.5 percent of their annual budget on IT security modernization. However, despite the negative consequences that cyber threats pose, organizations often fail to take action until it is too late. Bobrow states, “We have already given away much more private information than most people even realize and that will continue to become a serious problem. I don’t know where that leads, and most people in the tech industry see that to be an uncomfortable situation.”