Ransomware attacks targeting the education sector have risen sharply worldwide.

Globally, 56% of K-12 schools and 64% of colleges and universities report being hit by an attack in the past year, according to an independent survey of 5,600 IT professionals in 31 countries by British security software and hardware company Sophos.

In 2021, the survey found 44% of respondents across both sectors reporting an attack.

Of this year’s respondents, 320 were from lower education organizations  which include primary, secondary, elementary, high school and K-12 institutions  and 410 were in higher education.

Among lower education respondents, 47% reported an increase in volume of cyberattacks, 50% reported an increase in complexity, and 49% reported an increase in impact. Regarding ransomware attacks in particular, 72% of lower education respondents said data was encrypted during the attack, compared to an average of 65% across all sectors, suggesting that education is underprepared for these cyberattacks and lacks necessary defenses.

While 99% of lower education organizations reported getting some encrypted data back following a ransomware attack, only an average of 62% of data was restored after a ransom was paid. Just 2% of respondents reported getting all encrypted data back following a ransom payment.

Education is a target

In the U.S., cybersecurity experts have warned over the past decade that K-12 is an increasingly popular target for ransomware, as the combination of lagging progress on cybersecurity measures and the wealth of student and employee personal data necessary for operations have made the sector low-hanging fruit for cybercriminals

Last year’s Infrastructure Investment and Jobs Act allocated $1 billion in federal grants to improve state and local government cybersecurity between 2022 and 2025. States are required to match a certain percentage of the grants, and to secure funds, they must submit a plan to the Cybersecurity and Infrastructure Security Agency with a statewide planning committee. 

In November, a Government Accountability Office report called on the U.S. Department of Education to update its 2010 plan for addressing cyber risks to schools and to consider whether more specific guidance is needed for K-12. The report demanded decisiveness on whether sector-specific guidance is needed on current cyber risks, identifying education as one of the nation’s “critical infrastructure” subsectors.

A variety of cybersecurity programs, services and support are available to K-12 via the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Department of Education’s Office of Safe and Secure Schools, and the Federal Bureau of Investigation. These include incident response assistance, network monitoring tools and cybersafety guidance for parents and students.

Defending against these risks isn’t just incumbent upon districts themselves, but also the ed tech vendors they choose to procure products and services from. According to the fourth annual report on The State of K-12 Cybersecurity from nonprofit K12 Security Information Exchange, vendors were an entry point for 55% of K-12 data breaches between 2016 and 2021.

In recent months, high-profile vendor-related data breaches have impacted hundreds of thousands of students across the U.S., including all three of the nation’s largest school systems: New York CityLos Angeles and Chicago.