The Harvard EdCast

Cybersecurity: The Greatest Threat Schools Aren’t Ready For

Episode Summary

Lisa Plaggemier discusses how and why schools need to be better prepared for cyberattacks.

Episode Notes

In today’s digital landscape, schools face growing cybersecurity threats that can disrupt learning, compromise sensitive data, and leave administrators scrambling to recover. With cybercriminals becoming more sophisticated, understanding these risks and being prepared is more critical than ever, says Lisa Plaggemier, the executive director of the National Cybersecurity Alliance.

“The vast majority of bad things that happen at institutions like schools and municipalities-- again, under-resourced organizations or organizations that have some technical debt. They haven't kept up with the latest and the greatest when it comes to technology. It's really, really, really basic things that get exploited by people that are up to no good,” she says.

The Center for Internet Security recently released a report revealing that 82 percent of schools suffered from a cyber incident over an 18-month period. From ransomware attacks to AI-powered phishing scams, cybercriminals are finding new ways to exploit vulnerabilities—especially in under-resourced institutions like schools and municipalities. Plaggemier shares practical steps schools can take to protect themselves, from implementing multi-factor authentication to training staff on phishing awareness. She says the biggest mistake is not being prepared for cyberthreats.

“[This] is not something that's fun to go through, to have to answer to the press, to have to handle the crisis communications, the questions you get from parents. It then becomes such a drain on all those other things… that are a higher priority, that you realize that you've risked all those good and noble things because of a lack of preparedness,” Plaggemier says. “It's not if, it's when. So, it's all about being prepared. It's about resilience. It's about business continuity, being able to still teach school if everything's offline, and then being able to recover from the attack and go back to business as usual.”

In this episode, we discuss why educational institutions are frequent targets, the role of human error in cyberattacks, and the importance of proactive security measures. 

Episode Transcription

[MUSIC PLAYING] 

 

JILL ANDERSON: I'm Jill Anderson. This is The Harvard EdCast.

[MUSIC PLAYING] 

 

Lisa Plaggemier understands cybersecurity isn't just an IT concern, but a critical part of keeping schools safe. She's the executive director of the National Cybersecurity Alliance, a nonprofit focused on cybersecurity awareness and education. Despite its importance, cybersecurity often takes a back seat in school systems where IT resources can be limited. But the threat is real. A recent report from the Center for Internet Security found that 82% of schools experienced a cyber incident over an 18-month period. I wanted to learn more about why schools are increasingly being targeted and how they can better protect sensitive data, even with constrained resources. I asked Lisa why cyber-attacks on schools seem to be on the rise. 

 

LISA PLAGGEMIER: Since things like this are frequently underreported—

 

JILL ANDERSON: Yeah. 

 

LISA PLAGGEMIER: --unfortunately, I wouldn't be surprised if the number is even higher. I think cyber criminals have had to kind of work their way down their food chain. You can hack away at one of the major banks, and you're probably not going to come up with much anymore because their security programs are so mature and their posture is so good. 

 

The problem is the IT practices and some of the technology that's in use in organizations that are maybe under-resourced, like hospitals or schools, can have glaring vulnerabilities in it. You know, it could be unpatched software, so software that isn't kept up to date. A lot of updates include security fixes, so it can be things like that. 

 

It can be maybe a security tool that was purchased and installed, but not properly configured. There can be any myriad of reasons, but a lot of it, the vast majority of bad things happen due to really, really, really simple human errors. It's basic, basic IT or cyber practices that maybe comes down to a human or making a mistake or a flawed process or lack of follow through or some technical debt. You know, you hear about hacks and cybercrime on the news and you think, oh, these things are really sophisticated. You hear phrases like, state actor. You know, it was Russia or North Korea or China. When you look at things like SolarWinds, for example, which was Russia, was very sophisticated. SolarWinds is a tool that's in place at a lot of customers that Russia would want to get to. And when you're a high-value target like that, yes, you can have a very mature security program, but if the bad guys are really, really, really bent on getting access to what you have, then that's a different story. Yes, those are very sophisticated attacks. But the vast majority of bad things that happen at institutions like schools and municipalities-- again, under-resourced organizations or organizations that have some technical debt. They haven't kept up with the latest and the greatest when it comes to technology. It's really, really, really basic things that get exploited by people that are up to no good.

 

JILL ANDERSON: What would you say are the biggest cybersecurity threats facing schools today? 

 

LISA PLAGGEMIER: I think it's ransomware, by and large. Ransomware against schools has been a problem now for quite some time. But that can start with a simple phishing email. There's still sort of business email compromise attacks going on. So, somebody gets socially engineered into sending money to the wrong place. Those attacks are now utilizing AI to be even harder to detect. So, we're running a campaign. We have some radio spots that are AI-generated voices that show what it's like to have a real-time conversation with somebody you think is your employee or your granddaughter or grandson. You're having a real time conversation, so you're asking questions. You're having a conversation, but using deepfake technology, that person's voice is not the person that you think you're speaking to. So, if you think about scenarios like that, where somebody calls somebody in finance to change a bank account number to get an invoice paid or something, those are getting harder and harder to detect because of AI. 

 

JILL ANDERSON: Right, which is really scary. Have there been, to your knowledge, those types of incidents at schools, or have they still not seen that? 

 

LISA PLAGGEMIER: If it hasn't happened, it's just a matter of time. It's happening to businesses. I talked to somebody over a year ago now. He was a chief marketing officer at a company and thought he was talking to his CEO on a Zoom until he texted his CEO, and his CEO texted back, and the person on the camera on Zoom did not pick up his phone. But he was that convinced that it was a real time face and voice swap, but he was having a conversation with a bad guy that looked and sounded just like his CEO. The only way he was able to prove that it wasn't was when he responded to the text, and the guy on the screen didn't respond. And that was probably a year and a half, two years ago now. 

 

JILL ANDERSON: That is really, really terrifying. 

 

LISA PLAGGEMIER: That's the whole point of our nonprofit, the National Cybersecurity Alliance, is to raise awareness on these things-- those little knowledge gaps that we have that the bad guys can take advantage of because we're just not on the lookout. We're not aware. And frankly, when we talk about some of these things being scary, that's also something the bad guys take advantage of. Because we kind of freeze with fear. Fear is not a great motivator for you to go turn on multi-factor authentication on all your accounts or for you to make your friends list private on Facebook. Fear doesn't cause us to go do those things.

 

There's even research that shows that people who've been a part of a data breach or had something bad happen, maybe they've had an account taken over by somebody malicious or some other security incident, once bitten, twice shy doesn't really play out in reality. They don't change their habits, their behaviors with technology because the bad thing happened. 

 

I think a lot of people have a hard time-- I mean, all of us have an inflated sense of our ability to manage these things. And what we need to do to keep ourselves safe, we kind of underestimate that piece just because we're human beings. That's just normal, but that unfortunately makes us more vulnerable. So, there's four key behaviors that we preach all the time, whether you're an individual or a business. That's watching out for social engineering, phishing and the phone calls and the random texts that we get, all those things. That's always the start of something bad that's going to happen. Keeping everything up to date-- we talked about patches, so software, hardware, everything up to date, your antivirus operating systems, all that stuff, using multi-factor authentication on everything where it's available, and then passwords. We like to use the same passwords over and over again or ones that are very close to each other. 

 

So, we'll take one core password that is long and complex, and we can remember it. And then we think, oh, this is brilliant, I'll remember this. And then we kind of fall in love with it and we use it over and over again, or we just tweak it a little bit. 

 

JILL ANDERSON: Right. 

 

LISA PLAGGEMIER: So, in order to have a completely random password for every account, you probably need a password manager—

 

JILL ANDERSON: Yeah. 

 

LISA PLAGGEMIER: --to help you do that. 

 

JILL ANDERSON: Well, these are just good personal tips, so I like that, even though I'm very nervous as I'm talking to you, going through the list of things I should probably be doing right now in my head. 

 

LISA PLAGGEMIER: They apply to schools and businesses as well. 

 

JILL ANDERSON: Right. 

 

LISA PLAGGEMIER: If you're still using a default password on an old router and you can Google that and find it, that means the bad guys can find it too. Those kinds of things are just as important in business. When we talk about basic cyber hygiene or those basic habits, it's all those things just in a business context. 

 

JILL ANDERSON: You had mentioned ransomware as kind of being the trend of what we're seeing a lot of in terms of threats for schools right now. Can you talk about how this plays out and how it actually impacts a school on the ground when one of these attacks happens? 

 

LISA PLAGGEMIER: So, ransomware, I think most often starts with the humble phishing email. We've been getting these things now for 20 plus years. It's no longer the Nigerian prince. Now they're a whole lot harder to detect. So, I know, for example, schools in the state of New York, they have to run simulated phishing programs in the schools so that teachers and administrators are trained on how to recognize malicious emails and to report those. So, ransomware most frequently starts with a phishing email. Somebody tricked into clicking on something that they shouldn't. And then very quickly, it infects your network.

And employees will generally see some kind of pop up with a cliched skull and crossbones, and, yeah, the scary message saying that you've been ransomed and send your bitcoin here. And so, what happens is the administrators need to generally, at that point, take everything offline to keep it from not getting worse. If your backups are infected, that's when you have a big problem. 

 

So, the best-case scenario would be you have backups that are configured in a way that they don't also get infected. Because then you can tell the bad guys to pound sand, and you just roll to your backups and you keep on going. You'd still experience some disruption, but hopefully it would be minimal, or maybe you'd lose half a day's worth of data or something like that, or a couple of hours. 

Worst-case scenario, it infects your backups or you didn't have properly configured backups. Then you have a problem. Then you're left with an extortion demand to pay to get your data back and to pay to keep them from distributing your data on the internet or on the dark web. 

These days, I think there's just like a little bit too much reliance on the concept of cyber insurance. Insurance companies aren't stupid. They're getting to the point now where you have to have baseline measures in place or they're not going to pay your claim. They're not going to pay the ransom for you. 

I was actually talking to a CISO for a state in New England this week who told me that they've got schools and hospitals that are having a very hard time meeting those minimum IT standards, so they can't even get cyber insurance. Cyber insurance is no longer a get-out-of-free jail card. You can't have poor IT practices and not have some security program and expect that it's going to save you in that situation. 

So I hope more and more administrators become aware of that. And then, there's also a little bit of a knowledge gap between the conversations that are happening between administrators and school boards and the folks that are responsible for the technology in the schools. So we have a course that aims to teach cybersecurity in business terminology. Because it's really about managing risk. 

And so it's completely jargon free. And we have a great instructor who will answer everybody's questions. And I would like to see more interest in that from municipalities and schools. Because there's just a lot of wazuh, wazuh around security. 

 

JILL ANDERSON: Right. 

 

LISA PLAGGEMIER: Our data from our annual report tells us that people find it confusing, frustrating. It's scary. It sounds complicated. And so, we're trying to bridge that gap with that course. 

 

JILL ANDERSON: And do you think that, as your report tells you-- and I could totally see this in schools where they have so many things going on that will likely take a priority. I mean, they're focused on the kids, they're focused on student performance, on the teaching and learning that's happening. I would imagine school boards and even school administrators and leaders are not thinking about cyberattacks. So how prepared do you think they are to handle these things?

 

LISA PLAGGEMIER: Well, I mean, the fact that there's been so many successful ransomware attacks on schools tells you that, in general, I think there's still a ways to go. I can't imagine there's like a superintendent out there who doesn't know another superintendent whose district has had a data breach or a ransomware attack. Call them up and ask them how that went.

 

JILL ANDERSON: Yeah. 

 

LISA PLAGGEMIER: No stars-- would not recommend. That is not something that's fun to go through, to have to answer to the press, to have to handle the crisis communications, the questions you get from parents. It then becomes such a drain on all those other things you listed that are a higher priority, that you realize that you've risked all those good and noble things because of a lack of preparedness.

 

People have been saying this for years in the security community, it's not if, it's when. So it's all about being prepared. It's about resilience. It's about business continuity, being able to still teach school if everything's offline, and then being able to recover from the attack and go back to business as usual.

 

JILL ANDERSON: One of the things that I saw was many schools may not even have the IT support that they need, meaning the employees in their district, to even implement some of these things that sound like are really needed. And I can imagine a school leader struggling to defend hiring somebody to do this work, versus hiring something that on the ground may seem like it benefits the kids more or the learning more. So, I'm wondering about how do you prove that to a group of people who don't understand it and don't really get it?

 

LISA PLAGGEMIER: Absolutely. It's a challenge for small businesses. It's a challenge for schools. It's a challenge for health care. I mean, health care, it's life-or-death situations. Like, so how is security a priority? I know a researcher who's tied deaths to ransomware attacks in hospitals. 

 

Yeah, a good day is when nothing bad happens, but then nobody notices that the security team made sure nothing bad happened that day. It's really hard. You are proving the lack of anything bad happening. So the whole sort of value prop is hard to communicate. 

 

When you look at the IT and security professionals that might work in K-12-- if you work at a bank with a very mature security program, there's going to be a language there around talking about risk and being able to score the risk and understand what's a big risk and what's not, and where do we put our resources and priorities? And I can imagine that trying to have the equivalent conversation or anything close to it at a school is very, very challenging, where that's not really in their vocabulary, that they're protecting their institution against something bad happening, whereas at a bank, you can imagine that's sort of in the DNA of the organization.

So then, I think what you end up with a little bit on the professional side is that the rich get richer and the poor get poorer. So if I'm a security engineer, for example, I'm probably going to want to go work somewhere that has a program where the leadership is risk averse, my recommendations are accepted, and we implement things that the security team thinks should be done to reduce the risk to the organization. If I'm a highly technical person and communications aren't my forte, then having that risk conversation with a principal or a superintendent or something, that translation that needs to happen between the IT issue that we're talking about and the risk that that's creating and what that means to the organization-- I think that's a difficult bridge to gap. 

And really, it's all security and IT people everywhere. We all have to remember that we serve the organization that we work for, and we have to figure out a way to align what we're doing with what they're doing and talking to them in terms of what the risk is to the organization-- like why you need to make a particular investment or run a simulated phishing program, for example, for teachers, even though teachers will complain and tell you that they're busy. Like, here's how you do that in a way that doesn't aggravate people. 

And here's what the best practices are so that people are better equipped to recognize those things and know how to report them and know how to report real phish when they see them, so that the technical folks can protect the organization and one of those doesn't turn into a ransomware attack. It's a challenge. I've seen too many people in leadership, especially in small businesses-- they know how to have a conversation, for example, with their accountant about finances, but when they turn to their IT person, they're not even sure what questions to ask.

How do I hold this person accountable? What are they supposed to be doing every day? If I say, are we ready for a ransomware attack, how do I even understand how to interpret their answer? There's just a really big communication gap there. 

JILL ANDERSON: What would you say are some of the common cybersecurity mistakes schools make, and how do they avoid them? 

LISA PLAGGEMIER: I mean, for me, a lot of it starts in the classroom when the teacher is introducing some new application or something and they say, OK everybody, here's the password. And we teach the kids to all use the same password. And we don't teach the kids that it's not OK to share-- you can share some secrets with your best friends, but passwords are things you really shouldn't share with everybody.

So it starts, for me, in the classroom. Whenever we introduce technology, we should be including with that how to use it safely, how to use it securely, how to protect yourself from somebody who might be trying to use that same technology to do harm. So we don't teach kids how to drive without telling them how to put their seatbelt on. 

And right now we give kids technology without telling them how to put their seatbelt on. So I think it really starts there. And some of those same practices, like using long, complex, unique passwords, affect the district as well for the technology that's in place in the whole district. 

I mean, you'll see organizations where passwords are written on Post-It notes. They're posted on Teams or Slack because everybody's sharing the same password for a particular application. Like, it's those little things that you think, well, that sounds kind of innocuous, but that can turn into a really big problem.

Multi-factor authentication, same thing, all the technology that the school is running on should have MFA in place. That's that thing you have to do when you log into your bank account. A lot of applications and services offer that, and we don't always enable it. We don't always turn it on and use it. 

We really should use it everywhere it's offered. It's a very basic technology. What it means is if you do have a bad password habit or your password is already for sale on the dark web, that some bad guy somewhere with your password can't get into that application. 

There was a breach of some sort of edtech company not too long ago-- it was a massive data breach-- and the root cause was that they didn't have multi-factor authentication. It's just like locking your door, and then also using a deadbolt. It's belt and suspenders. 

And for me, it's so easy to use, especially if you use like a biometric to log in or to log in to a password manager, for example, or to use MFA. It's so quick and convenient, and it's so much more secure that I-- honestly, it really baffles me why more of us don't do that, both in a business setting and at home in our personal life.

JILL ANDERSON: It is amazing as I'm listening to you and hearing you talk. A lot of the things you are mentioning are not hard to do. 

LISA PLAGGEMIER: Nope. Nope. I think technology companies have gone out of their way to try and take the friction out of being more secure, but it's still up to us as human beings. Unless-- Salesforce did this recently-- they mandated MFA for all their customers. Companies are afraid of the friction. 

They don't want their users to be frustrated or unhappy with their products. If there was any one thing you asked me about and I could wave a magic wand and it would be changed tomorrow, we would have multi-factor authentication on everything. 

JILL ANDERSON: You've mentioned the value of having strong passwords, not sharing your passwords in a classroom, multi-factor authentication. There were a couple others you mentioned earlier. 

LISA PLAGGEMIER: Updates-- keeping things up to date, whether it's hardware or firmware or your router, making sure-- you probably heard the stories on the news about Volt Typhoon and Salt Typhoon. That was Russia and China getting into our power grid and our water systems through people's small business-- and I don't know if any of them were schools-- but small business and some individual citizens' home routers. So you can have a router that has a password that's already been compromised and is for sale on the dark web, or is really easy to crack.

The government's advice and our advice now is that your password should be 15 characters or longer. So you really probably need a password manager to keep track of that. But if it's too short, a password cracking software tool can crack it really quickly. 

So when you think about a foreign power using a small business's router to get to other things that they wanted access to, I mean, it's really kind of-- I think we're seeing this blurring now between national security and our individual cybersecurity. And I think that's only going to get blurrier and blurrier. And I think we're looking at one big continuum.

JILL ANDERSON: I think we've seen a lot of efforts, specifically at the legislative level, to try to manage these incidents. There's been a lot of bills proposed, and I see there's a lot of programs out there aimed specifically to help schools. Can you talk about some of those programs, how to take advantage of them? 

LISA PLAGGEMIER: If you go to cisa.gov-- so CISA is the cybersecurity agency. It's a part of DHS, the Cybersecurity and Infrastructure Security Agency. They have resources for small businesses and schools, hospitals. They have a number of different things that they offer.

I would start on cisa.gov, and all of it is free. At one point, they would do penetration testing. They would do scanning of your network to see if your zipper was down. Some of their services are more robust than others. OK, so I think they still do this. Gosh, I hope so. Who knows. 

JILL ANDERSON: The government is obviously in transition so we don't know what will continue to exist. 

LISA PLAGGEMIER: One of the best things to do to bring the message home to leadership is to hold what's called a tabletop exercise. I know that CISA has had services in the past to do this. I think they're still doing them, but for not an insane amount of money, I think you can have a local vendor that will do one. 

Basically what they do is they run a data breach or security incident scenario. You have all your leadership around the table, so not just IT, but all the leadership. And somebody is running through like the playbook of, like, OK, this is happening now, and that's happening now. 

And now somebody got a ransomware note on their machine and they can't close it. They're locked up. And they run through it minute by minute, hour by hour, and everybody practices the response. Like, OK, what do we do? Somebody just called from this particular school, and somebody's got a ransomware note on their machine. What happens next? Who do you call? 

Who takes the network offline? How do you actually respond? So you practice having a security incident, and it allows you to find gaps in your response. It's a fantastic exercise. 

Large businesses do these regularly. I think more small businesses should do them. But because the leadership is there in the room, they have to make decisions on the fly. Because one of those things that could be happening in the scenario, the made up scenario, could be, oh, the local newspaper called, or the local television is at the front door. 

We have a reporter with a camera and a microphone who wants to know what's going on. And so it forces you to think through all those things. And you usually come out of there with a pretty good to-do list of, OK, here's the things that we need to fix.

And if you do those on a regular basis, it just helps you to mature your program overall because you're going to find the places where, boy, that part didn't go so well. We could have done that better. So I highly recommend those, and I think CISA is still offering those. 

JILL ANDERSON: That sounds great. And I feel like that would really make sense, given that schools are so used to practicing responses. 

LISA PLAGGEMIER: Right, like an active shooter. 

JILL ANDERSON: Yeah. 

LISA PLAGGEMIER: It's the same thing, but you're doing it for cyber. I think everything we do goes back to those core four things. That's really what it's all about. It's watching out for social engineering, using multi-factor authentication, strong unique passwords. And then making sure everything is up to date and patched. Doing those four things consistently can make a world of difference. 

JILL ANDERSON: Lisa Plaggemier is the executive director of the National Cybersecurity Alliance. I'm Jill Anderson. This is The Harvard EdCast produced by the Harvard Graduate School of Education. Thanks for listening.