By Allie Chevance-Singh ‘25, Commentary Editor

Multi-Factor Authentication Hinders Cyber Attacks on Schools, Courtesy of Blackbaud

At the start of each school day, Newark Academy students log in to their MyNA accounts to read emails, view their schedule for the day, and review homework assignments. Now, when logging into our accounts, we need to enter an additional code generated through a multifactor authorization app. This step adds time to the login process, but is critical for our personal and school safety because even if a student’s password is compromised, an unauthorized user would be unable to access the account. This step, along with the many other cybersecurity measures that have been implemented at NA, are crucial to safeguarding our information. However, robust cybersecurity protocols have not yet been instituted at many schools.

When defining the greatest threats to U.S. national security, nuclear proliferation, terrorism, and foreign aggression have historically posed the highest risks. However, in recent decades, cyber warfare has presented another threat to our nation. Malicious cyber attacks are a rapidly growing risk that have affected large companies, government agencies, school systems, and individual users. Schools and universities in particular have become targets of cyber attacks in recent years because many do not have mandated cybersecurity programs and regulations like other industries, and are often left to their own devices to protect themselves against this risk.

A cyber attack occurs when an attacker gains unauthorized access to computer devices, networks, and databases to steal or manipulate data. These attacks include ransomware attacks, where users are blocked from accessing accounts and data, and phishing, where fraudulent emails and web links are sent to try and extract personal information from users. These cyber breaches can be costly to the infiltrated party because of ransom payment demands, threats to one’s reputation, and lost time to repair the damage. 

While the government typically passes legislation to protect citizens from national security threats, laws guiding cybersecurity have been limited so far. The Sarbanes-Oxley Act of 2002 and the Health Insurance Portability and Accountability Act (HIPAA), for example, mandate formal data security policies primarily for financial institutions. Yet, broader cybersecurity regulations are lacking, and as a result, attackers are targeting organizations that are less secure, like K-12 schools and universities. 

According to Emsisoft, a cyber security provider, 1,043 schools were impacted by cyber attacks in 2021 and that number nearly doubled to 1,981 schools in 2022. Although students typically lack the financial means that cyber criminals seek, they do have clean credit reports, which are attractive to criminals engaging in identity theft. Even the theft of nonfinancial information from a student’s account such as grades, educational accommodations, and medical information can cause students emotional stress not knowing when or if this information will be made public. 

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a series of cybersecurity recommendations for U.S. schools, but laws have not been passed to require schools to implement them. Without government support or funding, many school districts are unable to implement robust cybersecurity programs. A 2022 report from the U.S. Government’s Accountability Office noted that the typical loss of learning due to school interruption after a cyber attack ranged from three days to three weeks. The recovery time needed to replace computer hardware and implement security measures lasted from two to nine months, with costs ranging from $50,000 to $1.0 million, excluding ransom payments.

At Newark Academy,  we are lucky to have full-time staff committed to monitoring and improving cyber security. Ms. Hammond, the Instructional Technologist, and Mr. Kapferer, the Director of Technology, provided additional insight into measures NA has taken to defend our school from cyber attacks. They noted that there are security programs on all networked devices including faculty laptops, projectors, and Apple TVs. All devices and networks are continually monitored against suspicious activity and malware attacks. There are also multiple system backups as well as on and offsite data storage so that networks can be restored if ever needed. These security measures are also frequently audited by an independent party to expose any potential weaknesses. A significant portion of NA’s technology budget is allotted to cybersecurity, but not all schools have the means to implement similar programs. Allocating some portion of federal and local school budgets toward the implementation of cybersecurity plans would help keep personal data safeguarded and lower the ultimate time and financial losses that stem from cyber attacks. We can help protect ourselves and our school as well by simply choosing strong passwords and reporting any suspicious emails to our cybersecurity team.