TAMPA, Fla — Florida school districts are spending hundreds of thousands of dollars on insurance for cyber security threats, like data breaches and ransomware attacks.
A new report from the U.S. Government Accountability Office found the loss of learning following a cyberattack at K-12 schools ranged from three days to three weeks, recovery time could take anywhere from two to nine months, and districts’ losses have ranged from $50,000 to $1 million.
Florida school districts are paying big money to protect themselves.
A Florida Auditor General survey of 38 school districts found that 22 districts bought cyber insurance this school year at an average cost of $47,284.
Twelve districts bought ransomware insurance this school year at an average cost of $17,751.
One district reported a claim in the amount of $637,000.
“That’s a big allocation of budgets that are not going to students — that are having to go toward, basically, a catastrophic failure in cyber security, and/or in due diligence, or in having the best practices in place, which, in a lot of cases can be prevented up-front,” said Matt Aubin, a cyber intelligence specialist at Southern Recon Agency.
Cyberattacks can lead to students’ and school employees’ personal info getting leaked and stolen. We’re talking about social security numbers, grades and even bullying reports.
So, what makes school districts an appealing target for ransomware or cyberattacks?
“In the criminal mindset, from what I’ve understood in working thousands of cybercrimes, what we have seen is a lot of cyber criminals believe that any sort of government entity always has the ‘parents,’ the ‘rich parents’ that they can always go to. The city can go to the county, the county can go to the state, the state can go federal,” said Aubin.
A U.S. Government Accountability Office analysis of a Comparitech study found more than two million students have been affected by K-12 school ransomware attacks since 2018.
Since insurance protects the school districts’ finances, not the students’ and employees’ personal info, Aubin says districts’ best bet is to try to prevent the attacks from happening in the first place.
“A lot of it just really comes down to making themselves a hard target by understanding how the adversaries work, and what the best practices are, and how to implement them into how that district itself runs,” said Aubin.