Top Malware Protection Tips Every School Needs

When the FBI warns public schools about a cyber threat, administrators tend to take notice. That’s what happened last December, when the agency issued an advisory about a rash of malware attacks targeting schools. The attacks slowed district computer systems and, in some cases, brought critical functions such as distance learning to a screeching halt. The Fund encourages members to include these basic malware protection tips in their cybersecurity standards.

Why should you care about malware?

Cybercriminals see schools as low-hanging fruit, largely because cybersecurity resources often get scratched from your stretched budgets. The 2020 calendar year saw a record-breaking number of publicly disclosed school cyber incidents, according to the 2020 K-12 Cybersecurity Resource Center Annual Report.

Statistics show malware has emerged as a preferred tool for criminals:

•  5.4 billion malware attacks took place in 2021.
• In August and September 2020, K-12 schools were targeted in 57 percent of ransomware attacks compared to 28 percent from January through July
• Across seven districts that were victimized by ransomware during 2020, the personal information of at least 560,000 current students and 56,000 current staff were exposed. Because districts also maintain records on former students and staff, the actual number of potentially affected individuals could be 5–10 times higher.

Learn more about protecting your organization from vendor attacks and other malware risks in our on-demand webinar led by TASB Privacy and Cyber Risk Consultant Lucas Anderson.

4 common types of malware

When schools beef up security to protect against the latest cyber scams, criminals find new weaknesses to exploit. The many types of malware reflect the constantly evolving cyber risk landscape.

1. Ransomware

We hope your organization invests time and resources in developing a comprehensive malware protection strategy. If you’re not sure where to start, zero in on ransomware.

Like its name implies, ransomware is a type of malware that steals sensitive data and locks it. Criminals have traditionally demanded payment, or ransom, before they release the keys.

Recently, ransomware schemes have taken a darker turn.

Criminals are demanding payment for decryption keys and threatening to publicly expose breaches.

Successful ransomware attacks often exploit human nature. In the time it takes an employee to click on a link or open an infected attachment, your organization’s data could be locked. A ransom demand will surely follow — and it could be costly. The largest demand swelled from $15 million to $30 million between 2019 and 2020.

Hackers hijack district data, demand $40 million ransom

This spring, hackers launched a ransomware attack on Broward County Public Schools in Florida. The criminals warned they would post district data online if administrators did not pay a $40 million ransom.

The district’s reply was no surprise to anyone other than the criminals.

“I am ... speechless. Surely this is a mistake? Are there extra zero’s [sic] in that number by mistake?”

When the district countered with a $500,000 offer, the criminals made good on their threat. Early indications are that they were bluffing.

The stolen records appear limited to non-sensitive data such as mileage reports, travel reimbursement forms, and utility bills. Still, the incident shows how bold criminals are becoming and what’s at stake if they target your district.

2. Trojan horses

Before we dive into the technical ins and outs of trojans, a Cliff’s Note version of the Trojan War is in order (apologies to our history teachers for the remedial lesson).

The ancient city of Troy had adopted the horse as its emblem. So, the Greeks enlisted their best carpenter to build one out of wood. They hid a handful of warriors inside the hulking horse and left it outside the city gates.

Residents wheeled it in as a trophy. That night, the warriors emerged and opened the gates for the rest of the Greek army.

Replace the ancient carpenter with skilled cybercriminals and the Greek warriors with malicious software, and you’ve got trojan horse malware.

Internet popups that claim your computer is infected with a virus are a common form of trojan horse malware.

When you call the number, the “technician” takes control of your computer to “fix the issue.” He or she then installs malware on your machine that opens a back door to your system.

Your antivirus software provider will not demand you call them—and they certainly won’t contact you through a pop-up.

3. Bots

Anyone who loves zombie movies will find their learning curve a little less steep when it comes to bots. A bot is a software application that automates simple, repetitive tasks over the internet.

If you’ve ever asked Alexa to fetch the weather forecast or told your bank’s automated system why you’re calling, you’ve interacted with a bot.

Some bots are good. Others can be turned into zombies that wreak havoc on your network or send fake campus shooting threats. Here’s how it works:

• A malicious bot infects a single computer.
• The bot replicates in other computers and spreads like a virus.
• It then commands its “zombified” network to do bad things, such as steal passwords, open back doors to the network, and even extend summer break for kids who want a little more leisure time.

Zombies shut down online learning in Miami

On the first day of online learning in 2020, a 16-year-old student at Miami Dade County School district leveraged a bot to launch a distributed denial of service (DDOS) attack. The bot ordered its network to visit the districts’ website. The overwhelmed server couldn’t handle the traffic, and the network froze.

Ultimately, the student disrupted online learning for a week. Investigators tracked him down and charged him with “computer use to defraud,” which is a third-degree felony, and “interference with an educational institution,” a second-degree misdemeanor.

DDOS attacks such as the one in Miami accounted for 45 percent of K-12 cyber incidents during 2020.

4. Adware, spyware

It wasn’t long ago that if an advertising firm wanted to know what was on consumers’ minds, they had to ask. Technology has changed the game. Now, adware collects information about your browsing habits and serves up ads tailored to your interests.

Like bots, adware is not always bad. If you find the end product — popup ads — annoying or aggressive, however, you’re not alone.

Adware and spyware typically take one of two routes onto a computer or mobile device.

1. Piggyback with a program you download
2. Jump aboard when you visit an infected website.

Either way, malware seamlessly installs and quietly captures passwords, financial information, and other data. Hackers could even build profiles of your employees and steal their identity.

Your IT department can use their administrative rights to limit or block popups. Employees should contact IT before clicking “allow” or trying to change their browser configurations.

Malware protection tips

The many types of malware work similarly. So, a handful of universal malware protection tips can go a long way toward protecting your organization.

Understand your antivirus software

Every antivirus package comes with a service level. Make sure your product includes protection against all forms of malware.

Back up your data

Routine, offsite system backups are cybercriminals’ kryptonite. If hackers target your organization with a ransomware attack, you should be able to restore your data without meeting their demands.

Update your technology

Software and operating system updates deliver protection against the latest security gaps and malware. Make sure updates are automated or assign someone responsibility for manually installing them. That applies to summer and holiday breaks.

Rein in software downloads

Employees should never download or install software that is unsolicited or from an untrusted source. Your IT department can, and should, prohibit downloads from the internet, peer-to-peer networks, and file-sharing networks, which are often infected with malware.

Shore up your email security policies

Nearly 40 percent of malware is delivered through infected Microsoft Office files and PDFs. Too often, attacks hinge on employees opening infected email attachments:

• Configure mail scanning/filtering applications.
• Use data loss prevention tools.
• Include banners that notify employees when email comes from external sources.
• Instruct employees to never open attachments or links from unknown senders.

Blacklist known malicious sites

Malicious websites install malware on a computer, steal the user’s personal information, or give a cybercriminal control of a device. Muddying the water for laypeople is this unfortunate fact:

Websites with bad intentions often look legitimate.

In one pandemic-related scam, employees get a text message that claims to come from a contact tracing system. The message warns them they were in contact with someone who tested positive for COVID-19. It directs victims to visit a website and learn how to protect themselves. If the employee visits the site on a district device, that device will be infected with malware.

• Use this no-cost service to scan websites and files for malware.
• Teach employees to look for the lock before entering sensitive information on a website.

Don’t use unknown USBs

This tip might seem like common sense. Surely everyone understands that using an unknown USB is risky, even if they’ve never heard of malware. Statistics suggest otherwise.

Nearly 300 USBs were scattered across a university campus as part of a trojan attack experiment:

• Based on how many USBs were picked up and/or connected, researchers suspect the mock attack was between 45 percent and 98 percent effective.
• The first USB was discovered and connected within six minutes.
• 68 percent of users took no precautions before connecting a USB.

Avoid unsecured Wi-Fi

The free Wi-Fi in coffee shops and other public places is convenient. Unfortunately, it’s also typically unsecured, so hackers can use it to distribute malware.

Wherever they choose to work, employees should use a password-protected Wi-Fi connection and a virtual private network. Remind employees that website addresses that start with https, versus http, are secure.

How to comply with your training requirements

Staff training is the cornerstone of strong cybersecurity programs. It’s also the law. Fund members with Liability coverage benefit from a State-approved, on-demand training course. Your employees must complete the training by June 14 every year.