Unfortunately, the new third “R” of ransomware is becoming an increasingly unwelcome addition to many school districts’ curriculum. And there’s no sign it will be replaced any time soon.
Ransomware threatens virtually any entity linked to the internet. Cybercriminals who began targeting public entities with increasing frequency a few years ago are now setting their sights on the public school systems those local governments operate.
Ransomware refers to a type of malware that targets both human and technical weaknesses in an organization’s workforce and IT infrastructure. This type of cyberattack aims to deny the availability of critical data and systems, which the cybercriminals offer to unlock provided they receive a ransom, often paid in cryptocurrencies such as Bitcoin. In some cases, the amount of the ransom rises as the length of time between the initial demand and payment drags on.
The cybercriminals often gain access to an organization’s system by sending what appears to be an official email to an employee. When the employee opens the email and clicks on a link embedded in it, the malware infects the recipient’s computer, allowing the bad guys access to the system and its data.
“This is not a one-click, one-infection event,” said John Farley, Managing Director of Gallagher’s Cyber Practice. “Many ransomware variants have the ability to spread across vast networks and around the globe in a matter of seconds. The dominos fall quickly. What may have started out as a bad day for the first victim quickly becomes a catastrophic day for an entire organization, as global operations come to a screeching halt.”
Why would cybercriminals target schools? After all, school systems aren’t known for their monetary wealth. But they are known for their wealth of data, including a lot of financial information as well as sensitive personal information. Schools, like just about every other type of institution, depend on their IT structure to carry out day-to-day tasks. Block access to those systems, and the schools can’t function.
Like municipalities, school systems are soft targets. As local governments and hospitals—which have also provided targets of choice for cybercriminals—have bolstered their defenses, schools have become more and more attractive. And school systems—like other public agencies—might be using old and more easily exploited IT systems. They also may lack the personnel needed to adequately police their IT system.
In an interview with the New York Times, Keith R. Krueger, the chief executive of the Washington-based Consortium for School Networking, pointed out that almost two-thirds of school districts in the United States serve fewer than 2,500 students. Many of those districts don’t employ a staffer who is dedicated to cybersecurity, he said.
NBC New York reported earlier this year that the Rockville Centre School District’s encrypted files were accessed in July by ransomware, even though the Long Island school system had installed antivirus software. The story noted that officials shut down the computer system for a day, which limited damage. According to the report, the officials think the shutdown allowed the system’s insurer to negotiate a lower ransom.
Although no two entities—including school systems—are totally alike, sound risk management practices can help any organization protect itself against ransomware attacks. One key defense is backing up data on a regular basis. Data needs to be backed up and recoverable in a way that it won’t be compromised even if the malware infection spreads.
The NBC story noted that another Long Island school system, the Mineola School District, was attacked at the same time. But because the system had adequate data backup, it didn’t have to pay any ransom.
In addition to backing up data, school districts should implement an enterprise-wide cybersecurity strategy that covers every user, device and file. Data access should be limited to employees who are required to have it. Also, make sure employees know not to open questionable emails or download attachments that haven’t been authenticated.
Antivirus software should be updated regularly, as should firewalls and email filters.
Insurance plays a role in implementing a comprehensive defense against ransomware as well. Don’t rely on general liability coverage alone; make sure proper cyber insurance policies are in place to protect the district. For example, some cyber insurance policies cover ransom payments to cybercriminals. These cyber extortion provisions can provide access to cryptocurrency to meet ransom demands.
“Ransomware will seek out backup data and many times can encrypt that data set too,” Farley said. “When that happens, school leaders will need to answer some tough questions. If they try and restore the data, there is a chance that the ultimate cost of the event will be many times greater than simply opting to pay the ransom demand. It is possible that millions of taxpayer dollars are at stake in making that one decision. On the other hand, if they pay, there is no guarantee they will get their data back, and rewarding the criminal will likely encourage future attacks.”
As ransomware attacks grow both more frequent and more sophisticated, it’s imperative that school systems take every possible step to protect themselves. Every aspect of a risk management response to the ransomware threat—including but not limited to employee training, data backup and risk transfer—must be implemented to keep the new third “R” of ransomware from becoming a permanent part of the curriculum.
“Cyber insurance policies come with a panel of cyberattack response experts, including ransomware negotiators,” Farley said. “They often have immediate access to bitcoin and can negotiate a lower ransom payment. They can also analyze the digital wallet of the hacker. This allows them to make an educated guess as to whether or not a particular hacker has a history of releasing the data, or not releasing the data, after being paid.”