Get expert insights you can't find anywhere else - watch nowPractice, practice, practice. It’s not just the way to Carnegie Hall. With a growing number of cyberattacks focused on schools and government agencies, are the bad guys using these as a proving ground for an even bigger target?

In July, Louisiana was forced to declare a state of emergency after a cyberattack struck districts in the northern part of the state. Two weeks later, a third-party testing provider reported a breach of personal information on 53,000 students and over 3,000 educators in Illinois.

In mid-August, several local government agencies in Texas were hit in what’s been described as a coordinated ransomware attack. Here in the state of New York, known attacks have hit schools in Lansing, Mineola, Rockville Centre, Syracuse, and Watertown school districts.

It’s well known that ransomware attacks can be motivated by money. One of the New York school districts attacked this summer reportedly paid $88,000 to hackers. Couple that with an attacker who targeted a Georgia county and received a reported $400,000. The list goes on, and a dark business case is obvious. However, is there another, bigger worry to consider?

Data-Security Risk Has a Long Tail

In the case of student data taken from educational institutions, risk has a long tail. Near-term effects on institutional productivity and school district budgets can be felt through cuts to student services and resident tax bills. Plus, stolen information may not be used immediately, or even in the next few years. Personal information could be held and used years from now—only discovered when a current primary-school student applies for a college loan or credit card a decade from now. 

Could the increasing attacks in this industry be a precursor to a larger, much more elaborate scheme? The bad guys are out there, testing for weaknesses in the system. They’re observing the response procedures and building models to predict how agencies will respond to a strike. I’m by no means an alarmist—but these are professional evildoers. Diabolical players in a real-life game of cybersecurity chess.

Educating Your Employees is Key

So, what to do? Cybercriminals don’t take a semester off, and neither can you. Ivanti’s CISO Phil Richards recently offered guidance in a blog post. Basically, you need to ensure your public-sector agency is studying regularly. Train staff consistently on the latest ransomware tactics they should recognize and avoid. You also need to be able to discover what devices are on your agency networks, where there are, and ensure these devices are up to date on security policies and patches.

While the example attacks noted above are US-focused, make no mistake: the risk is global. World-news headlines have reported a number of cyberattacks sponsored by terrorist organizations and others that are state-sponsored—the only motivation being to bring another government’s systems to its knees. The bad guys are always training. They’re constantly experimenting and learning. Public sector agencies, including educational institutions, need to ensure their security training curriculum is up to date so you’re prepared to protect against whatever may happen next.