Source: Chad Ehlers via Alamy Stock Photo
COMMENTARY
Organizations are facing a challenging cybersecurity environment and a chaotic threat landscape. With an increasingly broad range of sophisticated, easy-to-use tools in the hands of cybercriminals, even the most well-equipped enterprises are struggling to keep up. Now more than ever, big thinking is required from leaders across industries to better understand and address cross-institutional challenges, like protecting children's data.
Schools often are ill equipped to fend off attacks and easy to exploit after a breach occurs, but they've become a top target for cybercriminals because they provide easy access to data-rich environments — such as sensitive administrative records, payment card information, and children's data. Between 2021 and 2022, schools saw a more than 300% increase in breaches, and the number of K–12 schools impacted by ransomware attacks against districts doubled, to nearly 2,000.
Children's data is particularly valuable to fraudsters who need personally identifiable information (PII) to fuel their schemes. Since children don't apply for credit or have credit reports to monitor, fraudulent use of their data is likely to remain undetected for years — and the consequences can be severe. Victims may face problems getting a driver's license, be denied a line of credit, or be unable to access government benefits.
A criminal engaging in synthetic identity fraud typically combines attributes that are individually legitimate (say, a child's social security number with another person's address) to create a fake identity they can use to apply for credit. Once approved, the fraudster patiently builds a positive payment history for this synthetic profile, taking out multiple credit lines over several years before maxing out their credit and "busting out."
Dismantling this threat will require focused resolve from a variety of stakeholders.
K–12 Schools and Districts
Although many schools and districts face significant resource constraints, the costs of not investing in cybersecurity can be immense — not only in financial terms. Attacks are disruptive to learning, with downtime of critical systems and tools often leading to closures. They can also create long-term damage for students and schools, which often face a protracted remediation process and extended legal and compliance issues.
To strengthen their systems and processes and to reduce risk, schools and districts must place a higher priority on cybersecurity. This includes training staff on current threats and good cyber hygiene, adopting best practices — such as requiring multifactor authentication for network access, implementing role-based access control, keeping all systems and software up to date, establishing robust backup processes, and deploying monitoring tools to help detect suspicious activity — and recognizing emerging opportunities for collaboration to improve security outcomes across the industry.
Government
The Biden administration recently launched a set of new initiatives to help strengthen schools' cyber defenses. The proposed measures, including both government actions and partnerships with private-sector technology companies offering free or low-cost resources to districts, represent a welcome commitment to improving cybersecurity in education. However, significant institutional challenges — like insufficient budgets, outdated and vulnerable systems, and difficulty competing in a tight market for cybersecurity talent — must be addressed to help every school district put the right cybersecurity tools in place and adhere to current best practices.
Minimum cybersecurity compliance standards may be needed (similar to the approach proposed for critical infrastructure in the latest National Cybersecurity Strategy), along with standardized breach notification and incident reporting requirements, which vary by state. Creative funding mechanisms and incentives likely will be necessary to help districts prioritize digital safety.
Ultimately, the burden shouldn't rest primarily on schools. Broader awareness of the risk factors and what drives them is needed, and stakeholders must take the appropriate steps to devalue children's data, reducing the incentive to target schools. Further protections aimed at keeping consumers safe from the misuse of their stolen data should also be explored.
Enterprise
To reduce the benefit derived from (and, ultimately, the demand for) children's data, enterprises must avoid inadvertently supporting identity theft and synthetic identity fraud schemes.
Take organizations that issue credit, for example. Synthetic identities are comprised of several disparate pieces of valid data, so if lenders don't scrutinize all the components of a new prospective borrower's identity in combination with one another to determine whether they check out, they may inadvertently be fueling the problem.
Fraudsters are keenly aware of how to exploit gaps in identity verification solutions and processes, and these schemes become much more difficult to detect once a synthetic identity is established and begins to build credit. Effective processes for sharing risk data across lines of business must be in place, and customer verification systems and identity authentication processes must be regularly evaluated to ensure they are reliably detecting synthetic fraud at the point of origination, before credit is issued.
Parents
Finally, broader awareness of K–12 security challenges among parents can better prepare them to protect their children accordingly.
Parents should know what student data their child's school holds, how it's protected, and who has access to it, and push for transparency around what data protection measures administrators have in place. Parents can help limit the damage after a school breach by being proactive — monitoring financial and social media accounts for unexpected activity and watching for signs of identity theft — but they first must be aware of the problem.
As the saying goes, it takes a village to raise a child. We all have a role to play in protecting children's PII from bad actors and shielding them from potential harm after a breach. It's time to step up. Let's resolve to do better in 2024.