Cybersecurity experts said fear of getting fired or facing scrutiny could prevent school district employees from speaking out.
“The actual number of cybersecurity attacks is likely significantly higher than what’s publicly reported because schools and other victims of cyber attacks fear the consequences of reporting cybersecurity incidents,” said U.S. Senator Maggie Hassan during a Senate Homeland Security subcommittee meeting Monday.
Rossi and other cybersecurity experts are urging school districts to take proactive steps to prevent a breach and to report cybersecurity crimes when they do happen. And efforts are underway to spend new state and federal funding on cybersecurity.
The impact of an attack on a school can be disruptive and traumatizing for students whose sensitive data can be exposed, and costly for the school district. Students can lose anywhere from three days to three weeks in learning time, according to a 2022 report from the Government Accountability Office. It often costs school districts more than $1 million to bring in outside cybersecurity experts, restore computers and networks, and secure their system after a breach, according to Pamela McLeod, who founded the New Hampshire Chief Technology Officers Council and the N.H. Student Privacy Alliance.
McLeod was working for the Concord school district when it was breached in 2016. The data privacy of all staff members was compromised after attackers obtained W2 forms.
“It’s just devastating,” she said. “It really takes all of the district’s time and resources to handle an attack like that for a period of two to four weeks.”
In Nashua, officials said the school was hit by a sophisticated attack in late April, but the school wasn’t immediately sure whether sensitive information had been compromised. In a June 18 email obtained by the Globe, Superintendent Mario Andrade told families and staff that an investigation into the attack remained ongoing, and that the district was working to restore impacted systems and ensure their security moving forward.
“Although we are unaware of any actual or attempted misuse of any personal information because of the cyberattack, we recommend that individuals remain vigilant against incidents of identity theft and fraud by reviewing account statements and explanations of benefits and monitoring free credit reports for suspicious activity,” Andrade wrote.
He said if the investigation found sensitive information had been impacted, affected individuals would be notified directly. Andrade did not return a request for comment on this story.
In Lebanon, the school district was hit by a ransomware attack that included a demand letter in June, the Valley News reported, although the school district said they did not find evidence that personal information had been acquired or misused. The superintendent Amy Allen did not return a request for comment on this story.
Timothy Benitez, the U.S. Secret Service agent in charge of the Manchester office, said it’s common for attacks to come in waves like this. In some cases, reporting can lead to positive outcomes, like recovering stolen funds.
In 2021, $2.3 million in school funds was stolen from the town of Peterborough. Benitez said his team was able to recuperate around $600,000 — an outcome that was only possible because the town reported the incident. He said many of these crimes are committed by transnational criminal organizations and are only possible to resolve if there’s cooperation among law enforcement in other countries.
Around 95 percent of cybersecurity breaches involve human error, according to Rossi. That’s one reason the state is focused on training people who work in schools.
This year, the state has received $2.5 million in federal funds for the State and Local Cybersecurity Grant Program, with the possibility of receiving around $10 million more in the next four years. Including the state’s match, that could mean $16.6 million for cybersecurity initiatives in New Hampshire.
Around 80 percent of that money will go to local governments, including school districts, according to the state’s cybersecurity plan.
Denis Goulet, commissioner of the N.H. Department of Information Technology, said three programs are already underway. First, the state is spending $1 million distributing hardware tokens, which are physical keys school districts can use for multifactor authentication, a security measure that makes it harder for a computer to get hacked.
Secondly, the state is spending $1 million to move school and municipal websites to the .gov domain, which includes additional security features.
“It’s verifiable. It’s not easy to spoof,” said Ken Weeks, the chief information security officer for the state of New Hampshire, contrasting .gov with other domains that become easier to spoof as they age, which can lead to business email compromise. Weeks noted that, according to the New Hampshire Municipal Association, only 26 percent of eligible entities were actually using the domain.
Third, the state has allocated $100,000 for a security training course that local government IT employees can attend for free.
Jason Sgro has launched a new nonprofit called the Overwatch Foundation in New Hampshire to help schools and municipalities build stronger cybersecurity defenses. Sgro is also a senior partner at the Atom Group, a cybersecurity consultancy based in Portsmouth that has worked with New Hampshire municipalities, including Peterborough.
And on Monday, Sgro said, 26 school administrators attended a cybersecurity workshop facilitated by his organization, headquartered in Concord.
“Schools are by far the softest target,” he said. “There the computer to staff ratio is much higher.”
While a business might have 30 to 50 employees for one IT professional, a school’s ratio is much higher, with one IT professional supporting anywhere from several hundred to several students, each of whom uses their own laptop, Sgro said. Schools are also attractive to criminals because they are writing lots of paychecks, and have trusted relationships with vendors that bill over email, giving criminals opportunities to spoof emails and redirect payments.
The good news is there are ways to protect against this — like requiring multiple steps before payment information can be modified — and many people working to make New Hampshire more secure.
“This is a responsibility that rests with each and every one of us, to get more and more aware of the danger of cyberattacks,” Hassan said.
Amanda Gokee can be reached at email@example.com. Follow her @amanda_gokee.