Charlie Osborne reports:
All United States public K-12 school districts were eligible to apply for the grants, designed to help school officials “proactively prepare for and respond to cyberattacks.”
The grants, worth $500,000 each, have been awarded to school districts in Florida (Brevard Public Schools), New York (Poughkeepsie City School District), Georgia (KIPP Metro Atlanta Schools), Texas (Sheldon Independent School District), California (Newhall School District), and Colorado (Denver Public Schools).
Read more on ZDNet.
Some of those names rang a bell here, so I checked to see if this site has ever reported breaches involving any of the grant recipients. Sure enough, I found that Sheldon Independent School District had been a victim of a ransomware attack last year and had paid ransom. Newhall School District in California also suffered a ransomware incident last year. Brevard County Schools also reported a data breach this past month, but it was not a ransomware attack. Denver Public Schools also suffered a breach in 2017, but it was not a ransomware incident — it was a phishing incident that resulted in payroll checks being redirected.
ZDNet reports that IBM says that applicants were judged on their “cybersecurity needs and experiences, community resources and potential risks.” IBM’s press release announcing the grants noted the great interest in the grants and that 1700 schools in the education sector (k-12 and post-secondary) had reported ransomware attacks in 2020. There was tremendous disparity noted in the applicants resources, and key findings from the applications included:
- Disparity in cybersecurity budgets: 50% of the districts had less than $100,000 for cybersecurity spending – for the entire school district. This is in comparison to larger school districts that cited cybersecurity budgets in the millions.
- Ransomware attacks: More than 40% of applicants experienced a ransomware attack.
- Security training: More than 55% of school districts are operating without security training.
So yes, it’s as bad as some of us have repeatedly pointed out. And with only 6 districts getting these grants, that leaves a lot of districts sitting ducks or low-hanging fruit for attackers (pick your metaphor). But these same districts also do not tend to have great cyberinsurance to pay any ransom or even pay for remediation/recovery from an attack.
This week, new threat actors calling themselves “Pay or Grief” (or some variant of that) demanded $350,000 ransom from Clover Park School District in Washington state. When I asked them how they came up with that number, they did not indicate that it was based on any research into the district’s cyberinsurance, but rather, that they had been in their files and looked at invoices, etc. Their confidence that a k-12 district can pay that much ransom seems misplaced, at best.