Why Cyber Criminals Are Going Back to School

Have you given a thought to your children’s data? If you had a ‘huh?’ moment, hear me out. With so much concern about protecting our identities and personal information, one of the biggest oversights I have found during my time working in the security industry is protecting our children’s school digital records.

This became apparent to me when I was working many years ago for a large software security vendor. During one of our user conferences, I had the opportunity to have lunch with a customer who was tasked with the IT and security for a large K-12 school district in Georgia. During our conversation, he exclaimed how he was so fatigued with the ‘bad guys’ because they continuously try to hack into their school district’s network.

I was surprised. Why target schools – especially a K-12? Why not dedicate your time as a bad guy to hospitals or financial institutions? That’s what sells on the Dark Web. It was all very curious. But here’s what I found. Cybercriminals are going after children’s records because they are digital gold. I was stunned by the revelation. Have you ever had that moment when you get one piece of information and then all of a sudden the way you look at things completely shifts? If you’ve watched the movie ‘The Sixth Sense,’ you’ll know what I’m talking about. But I digress (huge Bruce Willis fan here).

What makes these records so valuable? If you think about it, cybercriminals are in the business of selling information that others can use to do all sorts of things. To name a few: charge things on credit cards, open accounts, stream money from bank accounts, and so much more. The lifespan of these records will determine how much they can sell these for.

On the Dark Web, a credit card number may sell for $1 or less while a health record can go for way beyond $100 per record. In the case of the credit card, the fraudulent charge will ultimately get caught either by you noticing on your statement or the credit card company’s fraud department. The lifespan on that credit card number is short, so the value per record is less. Now take a health record – imagine all the information that has been collected on you, including birthday, social security number, etc. That is valuable because that type of information doesn’t just get shut off. It can be used and reused and it’s difficult to catch.

Here’s where the children’s records come in. If you’re a parent, you’ll know that when you register your child for school you must provide your child’s birthday, medical records, grades, family records, and personally identifiable information such as their social security number, etc. If these records are stolen, think about the potential lifespan they have. When John Doe goes to buy his first car at 16, it may not be until then that it is realized that his information has been used for all sorts of illegal activity that was completely out of everyone’s view. John Doe’s school record, from a cybercriminal’s point of view, is a valuable long-term investment and recurring revenue stream.

If you are finding yourself getting worked up just thinking about this – good! The next thing we should be asking is what can we do about it? For parents, I suggest identity protection not only for the adults but for each child (a good rule of thumb here is to not blindly enter your information into a website—think birthdays, emails and phone numbers), so fraudulent accounts cannot be opened with their information. For K-12 institutions, it’s vital to ensure that access to where this sensitive information resides is tightly governed and protected – this is referred to as identity governance.

You see, cybercriminals are crafty and are now “breaking in.” They use your internal workers whether they be employees (faculty/staff) or contractors – all without them even knowing it. Whatever your workforce has access to, the “bad guys” do too. Ensuring that each user only has the least amount of access needed to do their job successfully is key. Less really is more when it comes to security.

Here’s the good news. This problem has made its way to Congress and there is new bi-partisan legislation being brought forward. The K–12 Cybersecurity Act of 2019 asks federal and private sector organizations to assess cybersecurity risks that are specific to K-12 educational institutions. It’s graduated from a real problem to a step in the right direction. When we all work together—parents, governments, schools, and companies—we can make sure that everyone is protected. Adults and children alike.