Nantucket is a small island of windswept dunes and postcard perfect lighthouses 30 miles off the coast of Massachusetts. It's a place so isolated that Herman Melville described it in Moby Dick as "a mere hillock, and elbow of sand; all beach, without a background."

But even this remote enclave couldn't escape the ransomware scourge that has been plaguing K-12 school districts around the United States.

Attacks on Schools

In late January, a ransomware attack caused the closure of Nantucket's four public schools. The island's 1,700 students were sent home at noon Jan. 31 and told not to use school-issued electronic devices. Schools reopened Feb. 2.

Nantucket wasn't alone. The same week, a ransomware attack affected computer systems at the Tucson Unified School District, though schools were able to remain open.

Ransomware assaults targeting the education sector have jumped dramatically around the world. Globally, a whopping 56% of K-12 schools were hit last year (PDF), according to a survey of 5,600 IT professionals in 31 countries by cybersecurity company Sophos.

The loss of learning after a cyberattack typically ranges from three days to three weeks, and recovery time lasts from two to nine months, the US Government Accountability Office reported in October.

These incidents and others — like the one in September that forced the Los Angeles Unified School District, the nation's second largest, to take its computer systems offline — not only show the lengths cybercriminals will go to if they're willing to attack one of the country's most precious institutions but the special struggles that school districts face in fighting the threat.

Public school districts tend to fall below what is commonly called the "cybersecurity poverty line," a haves-and-have-nots division between organizations equipped with the resources to implement strong security measures and those challenged by insufficient IT budget, expertise, and other factors.

A large company can afford the most stringent cybersecurity protection, but limited budgets and talent make it difficult for other organizations, from schools to small businesses, to defend themselves and recover quickly from attacks.

School districts usually confront these three distinct hurdles.

First, districts lacking the budget for all the security tools and people needed for the most fortified defenses are forced to make tough choices about what security aspects to prioritize. Second, it's a tall order for school districts to compete for cybersecurity professionals amid a worldwide talent shortage (PDF) that keeps driving salaries higher. Third, school districts are still relying on legacy IT infrastructure that is more vulnerable to cyber incidents.

And all of this comes at a time when cybercriminals keep getting more sophisticated in their attack techniques and their ambitions, the latter exemplified by a ransomware-as-a-service industry in which malware developers make their software available to third-party attackers who execute the ransomware attacks.

Recommended Security Steps

Despite these challenges, school districts can still pass the cybersecurity test with planning, attention, and action. Here are five recommended steps.

1. Determine cybersecurity maturity.

School districts must self-examine where they are on the cybersecurity maturity spectrum. Are they at the first stage, prepared for data breaches at a basic level with safe and secure backups?

Are they at the second stage, having started taking measures such as conducting tests and simulations to prevent data breaches as well as monitoring signals from their data that help identify data risks and investigate threats faster?

Are they at the third and final stage, having embraced a proactive stance toward data breaches, regularly conducting tests of both vulnerabilities as well as of recoverability?

Many large companies have found this maturity model effective in helping better understand and measure cyber-risk management. Schools should do the same.

2. Have a recovery plan ready and act quickly.

Schools must stand prepared to spring into action after a cyber incident is discovered. That means maintaining  a turnkey system for activating a clean backup of data and applications if primary systems are compromised.

3. Emphasize employee training.

Attackers use techniques like phishing to compromise user identities and get to critical data. An attack can spread through a system quickly by someone clicking on an untrustworthy link.

Therefore, school districts should train, train, and train some more to help their people recognize and report phishing attacks.

4. Focus on data.

In a world awash in data, organizations must protect their large volumes of data from various forms of unauthorized access. That has two ramifications for school districts.

One, school system IT teams should focus not only on securing devices and the network perimeter but also on ensuring data always remains safe and available. Data, after all, is what ransomware attackers go after.

Two, school officials should look closely at what data they have. Many have collected data for the sake of collecting data because they might need it at some point. It's time to ask what really is essential, and focus on protecting the most critical and sensitive data.

5. Push for federal help.

The GAO in its October report recommended actions the federal government should take to help school districts. Those included establishment by the secretary of education of a cross-agency mechanism to coordinate cybersecurity efforts between agencies and with the K-12 community; an effort by the Education Department, in coordination with federal and local stakeholders, to determine how best to help school districts overcome challenges in addressing cyber threats; and development of metrics for measuring the effectiveness of its cybersecurity-related products and services available to school districts.

School officials should welcome these recommendations and lobby to make sure they're enacted.

While it's sad that cybercriminals have made K-12 schools a top target, these steps show that districts have the power to fight back. What could be more important? Our children's learning is at stake.