Cybersecurity Challenges Facing Schools and Nonprofits


Summary

Cybersecurity challenges facing schools and nonprofits refer to the risks these organizations encounter in protecting sensitive data and systems from cyber threats, such as phishing, ransomware, and AI-driven attacks. Limited budgets and resources make these groups attractive targets for attackers, putting their operations and the people they serve at risk.

  • Prioritize leadership involvement: Encourage school and nonprofit leaders to actively participate in cybersecurity discussions and policy decisions, rather than leaving security solely to IT departments.
  • Build a safety culture: Promote an environment where staff feel comfortable questioning suspicious activity and are empowered to follow simple verification steps, like making a phone call before transferring funds.
  • Advocate for more resources: Work together with policymakers, vendors, and community partners to secure funding and share best practices, ensuring that even smaller organizations have access to the tools and support they need.
Summarized by AI based on LinkedIn member posts
  • Rose Luckin

    Professor, AI and Education Thought Leader, Author and Speaker

    19,847 followers

    Why School Leaders Can No Longer Leave Cybersecurity to IT

    It's 4pm on Friday. An email lands in your finance officer's inbox, apparently from you, requesting an urgent transfer for a new supplier. The tone is perfect. The context is plausible. It's also entirely fake, crafted in milliseconds by an AI that's already mapped your school's structure, identified key staff, and personalised its approach.

    This isn't a hypothetical. And if cybersecurity still sits in your "things IT handles" category, last week's news suggests that assumption urgently needs revisiting.

    Anthropic, the company behind Claude (the AI I use regularly), revealed that Chinese state-sponsored hackers used their AI to attack technology companies and government agencies. The AI did 80-90% of the work. Human operators just clicked buttons and reviewed summaries. The hackers tricked Claude into believing it was conducting legitimate security testing. The AI then autonomously scanned targets, identified vulnerabilities, wrote exploit code, and harvested credentials, thousands of operations per second. A pace no human team could match.

    Why should education leaders care? Because schools, colleges, and universities are already prime targets. The data we hold, student records, safeguarding information, financial details, research, is valuable. And our defences were designed for human-speed attacks, not AI-accelerated ones.

    IBM's latest Cost of a Data Breach Report reinforces the urgency: one in six breaches now involves attackers using AI. And 63% of organisations lack any AI governance policies. Among those experiencing AI-related breaches, 97% had inadequate access controls.

    This isn't about being alarmist. AI is also strengthening defences, organisations using it extensively in security cut detection time by 80 days and reduced breach costs by $1.9 million. But right now, adoption is outpacing oversight.

    For education leaders, this raises questions we can no longer delegate entirely to IT: Does your institution have policies governing AI use? Who's considering the security implications of AI tools being adopted across your organisation? When did cybersecurity last feature in a senior leadership discussion not as compliance, but as strategic risk?

    The tools we are embracing to transform learning are the same tools being weaponised. That's not a reason to avoid them. But it is a reason for leaders, not just technicians, to understand them. Cybersecurity is no longer a technical issue. It's a leadership one.

    I'm running a session on this topic Wednesday morning: https://lnkd.in/eW88h-fd

    What I am listening to - “Breathe (In the Air)” Pink Floyd
    What I am reading – 1929 by Andrew Ross Sorkin
    What I'm Baking - Tarte Tatin https://lnkd.in/eSvE6iyw

    See you in the kitchen.

    Prof Rose Luckin, UCL and EVR Ltd

    #EdLeadership #Cybersecurity #K12 #HigherEd #SchoolLeadership #AIinEducation #EdTech #DataProtection

  • Nanbaan Pwaspo

    Cybersecurity Specialist

    4,712 followers

    “NGOs are cyber-poor, target-rich,” says the CyberPeace Institute, and the numbers back it up. According to Microsoft, NGOs and think tanks are the 4th most targeted group by state-sponsored cyber actors. From phishing and ransomware to surveillance spyware, civil society is under digital siege.

    Over the years, I’ve worked with and come across many NGOs doing incredible work in digital security, often quietly, often for free, and almost always dependent on limited funding. Yet many people still don’t know these organizations exist.

    If you work in advocacy, human rights, journalism, or WITH CSOs, here are some worldwide digital security non-profits helping NGOs and defenders stay safe online:

    1. Access Now runs a 24/7 helpline that’s honestly one of the most responsive and practical resources out there. They’ve helped activists, journalists, and NGOs deal with everything from account takeovers to spyware checks. Services: Emergency response, risk assessments, infrastructure hardening, training. accessnow.org/help

    2. CyberPeace Institute – CyberPeace Builders
    This team connects NGOs with cybersecurity professionals who volunteer their time and skills. If you’re dealing with an incident, need forensic support, or just want to understand your risks better, they are a solid ally. They’ve built a global network that’s actually accessible to civil society. cyberpeaceinstitute.org

    3. Global Cyber Alliance (GCA)
    GCA creates free tools that help non-profits protect themselves and offer practical, no-cost resources like the Cybersecurity Toolkit for Mission-Based Organizations, which helps NGOs improve their security posture even with limited technical capacity. globalcyberalliance.org

    4. Open Briefing
    Open Briefing provides holistic security support to civil society groups, activists, and non-profits working in high-risk or sensitive environments. Their work spans digital security, physical safety, psychosocial wellbeing, and strategic risk management. openbriefing.org/support

    5. Amnesty International Security Lab
    If you are worried about surveillance or spyware, Amnesty’s Security Lab is one of the few places doing deep, public research on it. Amnesty International’s Security Lab is a specialized team within Amnesty Tech that works to protect civil society from unlawful digital surveillance, spyware, and other tech-enabled human rights abuses. securitylab.amnesty.org

  • Marnie Webb

    CEO at TechSoup | Driving Global Social Impact Through Technology

    4,287 followers

    We kicked off TechSoup Talks today with Stéphane Duguin, CEO of CyberPeace Institute, and Linda Widdop, Chief Innovation Officer of Tech Impact. They each spent 30 minutes describing the evolving threat landscape, highlighting both its significant challenges and the opportunities to address those challenges. Here are five things I took from the sessions today:

    ✅ The Evolution of Cyber Threats: Cybercriminals are increasingly sophisticated, using AI to craft highly personalized phishing attacks and social engineering tactics. Beyond criminal activity, cybersecurity now critically involves safeguarding sensitive data and individuals from state actors who might use legislative or other means to access information, particularly concerning marginalized client bases.

    ✅ Moving Beyond Basic Defenses: While foundational practices like anti-malware are essential, we must embrace more advanced solutions. This includes implementing Endpoint Detection and Response (EDR) and rigorously enforcing unique, strong passwords across all platforms. A single compromised credential can open the door to widespread breaches.

    ✅ Civil Society's Overlooked Vulnerability: Many are unaware that civil society organizations are significant targets. Our sector often lacks the operational funding for robust cybersecurity, as project-based funding leaves little for infrastructure. We also struggle to compete for scarce cybersecurity talent, making us prime targets for malicious actors.

    ✅ The Power of Collective Action and Shared Resources: Addressing these systemic vulnerabilities requires innovative solutions. Stéphane highlighted initiatives like Cyber Peace Builders, which taps into private sector expertise, and the concept of a "Common Good Cyber Fund" for donors to pool resources. The key is to create platforms that bring together existing capacities, data, and funding to achieve an economy of scale against threats. Donors need to understand that cybersecurity is not a luxury, but a critical operational need.

    ✅ Cybersecurity as Holistic Data Protection: Linda emphasized that cybersecurity is part of a broader strategy for data protection. This means not just technical safeguards, but also robust document retention policies and comprehensive disaster response plans. These measures are crucial for protecting our data and, most importantly, the people we serve from various threats and potential loss.

    These conversations underscore that genuinely addressing these problems at scale requires a networked approach, bringing our collective attention and skills to bear. Our goal is to build the resilient networks that help CSOs around the world maintain the ability to meet their missions and serve their communities.

    Find out more about TechSoup Talks and sign up: https://lnkd.in/gWtF9NEB

    #TechForGood #CivilSociety #Nonprofits #Cybersecurity #DigitalResilience #NPTech

  • Oliver Page 🐿️

    Co-Founder & CEO at CyberNut

    11,127 followers

    A rural Nebraska school recently lost $1.8M to a phishing email. Not to hackers in hoodies. Not to sophisticated AI attacks. To an email pretending to be from a construction vendor.

    Broken Bow Public Schools. 800 students. $26.5M bond project. Gone: $1.8 million. 💔

    Here's what kills me: They had protocols. They had procedures. What they didn't have? A culture where someone felt safe saying: "This email feels off."

    The scammer knew exactly what they were doing:
    ✓ Studied their vendor relationships
    ✓ Timed it during construction chaos
    ✓ Made it urgent enough to bypass double-checks

    But here's the real tragedy: After losing $1.8M, they're implementing "new protocols." More rules. More procedures. More PDFs. That's not the answer.

    The answer was in that Texas district I visited last month. Their accounts payable clerk caught a similar scam. Not because of protocols. Because of Chip's simple rule: "When money's involved, pick up the phone." 📞

    One. Phone. Call. That's the difference between losing $1.8M and becoming a case study.

    To every small district thinking "we're too small to be targeted": You're not. You're actually the perfect target. Limited IT resources. Overworked staff. Trust-based relationships. That's not weakness. That's human. But it's exactly what scammers count on.

    We can't afford to wait until after the breach to care about security. 🐿️

    What simple rule could have saved your organization from disaster?

    🔗 https://lnkd.in/dCPW5_Hq

    #Cybersecurity #K12Education #PhishingPrevention #CyberNut #SchoolSafety #RuralSchools

  • Amanda Lanicek

    K-12 CTO | Helping lead tech smarter + teaching sales reps what actually works in K-12

    5,865 followers

    💻🔒 Wouldn’t it be cool if public schools had the funding to protect their networks like large corporate America?

    Here’s the reality:
    📌 Not all school districts are the same size. In my district, our tech team is just me and five repair technicians. Most of their time? Tier 1 support and Chromebook repairs.
    📌 Most public schools don’t have a dedicated CISO (Chief Information Security Officer). I know because I wear that hat along with many others.

    Cybersecurity threats are real, and public schools are prime targets, yet our budgets rarely match the risk. So, how do we change that?
    ✅ Advocacy: We need to educate policymakers on the critical importance of cybersecurity funding.
    ✅ Collaboration: Share resources and best practices between districts.
    ✅ Creativity: Partner with vendors and leverage grant opportunities.

    And here’s an ask for the EdTech sales community: We need you, too. Because when public schools are properly funded and protected, you thrive too. More secure schools mean more opportunities to deploy solutions, train staff, and grow your market.

    So let’s work together:
    🤝 Educators, policymakers, and EdTech vendors, let’s advocate for a safer digital environment for every student.
    👉 How are you addressing cybersecurity with limited resources?
    👉 EdTech sales leaders: how can you help us move this needle together?

    #Cybersecurity #Education #EdTech #SchoolSafety #Funding

  • Derek Fisher

    Cybersecurity Leader & Educator | Higher Education Professor and Director | Author & Speaker | Mentoring the Next Generation

    13,974 followers

    You ever met a well funded IT or security department? Yeah, me neither. And attackers know that soft targets exist in places like healthcare and education. But what does this actually look like in education? No surprise, ransomware is a quick and easy way to make money from these "soft targets" for those willing to take a brush with the law. Despite some changes in attack patterns and responses, cyberattacks continue to persist in education:

    Increasing Ransomware Costs and Recovery Challenges: There is a significant financial impact on educational institutions due to ransomware attacks, with recovery costs escalating dramatically. In 2023, the emphasis was on the sheer increase in attack frequency, whereas in 2024, although the attack rates decreased, the costs associated with recovering from these attacks more than doubled.

    High Rate of Data Encryption and Backup Compromise: A persistent issue is the high rate of data encryption during attacks and the frequent targeting of backup systems by cybercriminals. In 2024, nearly three-quarters of educational institutions experienced compromised backups. This underscores the critical need for robust backup and recovery strategies as a part of a comprehensive cybersecurity posture.

    Rising Propensity to Pay Ransoms: There is an alarming trend of increasing willingness among educational institutions to pay ransoms to recover data. In 2023, there was a noted spike in ransom payments, a trend that continued into 2024 with a higher proportion of both lower and higher education organizations opting to pay ransoms alongside using backups. This dual approach to data recovery—combining ransom payments with traditional backup use—reflects the growing desperation of institutions to quickly restore operations, despite the financial and ethical implications of paying attackers. Additionally, the reports reveal that the amounts paid often exceed initial ransom demands, highlighting the complex negotiations and pressures faced by institutions during these attacks.

    Let that sink in... Not only are some institutions paying AND recovering from backups, but they are paying MORE. This underscores a sustained struggle in higher education to manage and mitigate ransomware threats, with increasing financial burdens, persistent vulnerabilities in backup strategies, and a rising trend of paying ransoms to restore critical data and operations.

  • The Interlock ransomware gang recently hit a couple of school districts. Now, I honestly can't tell you exactly why ransomware gangs go after schools, aside from the possibility that most are not very well protected and make easy targets. From a financial point of view, many schools in the US are under-resourced and likely don't have ransomware insurance or the available funds to make a large payout to the operators. In fact, some universities have tragically been forced to close permanently because of a ransomware attack.

    However, I can tell you about the value of the information contained within the data that the ransomware groups obtain. Schools are a treasure trove of PII. Most kids don't have a credit history, but many, especially high school students, are just a year or two away from being able to start obtaining credit. These same children are not yet in the habit of monitoring their credit histories. This makes it easier for threat actors to start opening accounts using the PII, sometimes building up a credit history until they can use it for fraud. As a parent, I highly recommend setting up credit alerts and credit monitoring with your children.

    Similarly, while many schools are by no means wealthy, most have relationships with other organizations, private companies, public institutions, NGOs, and charities that can then be targeted by the threat actors. A couple of years ago, I helped with an investigation for a non-profit that was being spoofed and used to target major US corporations it had previously received substantial donations from. The non-profit was horrified as this damaged their image and trust in their organization. After some investigating, it turned out that the non-profit itself was targeted because its data had been leaked as part of ransomware events against two schools it had provided funds for.

    So, the moral of the story is, breaches have long tails and impact many individuals and organizations beyond the original victim. Ransomware events are contagious, so take precautions.

  • Craig Newmark

    Craig Newmark Philanthropies, founder & CSR

    949,659 followers

    The public interest cybersecurity team at the UC Berkeley Center for Long-Term Cybersecurity has just released their CyberCAN Washington report, featuring survey findings from 100 nonprofits in Washington state about their cybersecurity challenges and guidance for both nonprofits and government agencies on how to address them.

    - 4 in 5 nonprofits in Washington have experienced at least one cyber attack in the last 3 years.
    - The #1 cyberattack method against nonprofits is email-based attacks, including phishing and business email compromise.
    - Many nonprofits are unprepared to respond to or recover from a cyber incident.
    - 55% lack incident response plans, and 39% lack cybersecurity insurance—and many organizations are unsure whether these plans or protections are in place.
    - 64% of nonprofits don't have a full-time IT or Cybersecurity staff member.

    Read the report: https://lnkd.in/eXKgTYC9

    #CyberCivilDefense #PublicInterestCybersecurity #Take9

  • Dr. Rakshit Tandon

    Consultant - Cyber Crime HQ UP Police International Cyber Expert I Risk Advisory, Cyber Detect & Respond Leader || Non EU Expert -EU Commission Human Risk Analyst| |Civil Advisory - LEA Agencies| Cyber Security Education

    41,454 followers

    ALERT: All corporates / Schools / Companies

    We would like to alert you to a recurring cyber scam that has been targeting educational institutions, including school staff members. In this scheme, cybercriminals send emails that appear to come from the Principal or Director, using identical display names and sign-offs, but from fraudulent email addresses. The content of these emails typically includes an urgent request to purchase Amazon gift cards or coupons, often claiming they are needed for a school-related emergency or event. These are impostor emails, and responding or acting on them can result in financial loss.

    Immediate Precautionary Advisory:
      • Always check the sender’s email address carefully—not just the display name.
      • Watch for subtle misspellings or unusual phrasing in the email body or subject.
      • Do not make any purchases or transfer money based on an email request without verifying it personally or via a known phone number.
      • If in doubt, report the email to your IT/cybersecurity team immediately.

    We request you to kindly circulate this advisory to all staff members to ensure awareness and avoid falling prey to such social engineering scams. Should you need assistance in training or sensitizing your team on such threats, we are happy to support with awareness sessions.

    Stay Alert, Stay Secure.

    #CyberSecurity #EmailScam #RakshitTandon #GPCSSI2025 #CyberDost
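
The advisory's first check (compare the sender's address, not just the display name) can be automated at the mail gateway or in a triage script. The following is an added example, not part of the original post; the leader roster, addresses and sample messages are constructed assumptions.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Hypothetical roster: leader display name -> the only address that person sends from.
LEADERS = {
    "dr. a. principal": "principal@school.example",
    "b. director": "director@school.example",
}
# Phrases taken from the advisory's description of the lure.
LURE_TERMS = ("gift card", "coupon", "urgent", "emergency")

# Constructed sample messages (not real mail).
SPOOFED = (
    'From: "Dr. A. Principal" <principal.office@freemail.example>\n'
    "Reply-To: quickhelp@freemail.example\n"
    "Subject: Urgent request\n"
    "\n"
    "I need Amazon gift cards for a school event today. Reply when done.\n"
)
GENUINE = (
    'From: "Dr. A. Principal" <principal@school.example>\n'
    "Subject: Staff meeting\n"
    "\n"
    "Reminder: staff meeting on Monday at 3pm.\n"
)


def _norm(text):
    """Fold case, Unicode compatibility forms and repeated whitespace."""
    text = unicodedata.normalize("NFKC", text or "")
    return re.sub(r"\s+", " ", text).strip().casefold()


def check_message(raw):
    """Return a list of findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = _norm(name), addr.strip().lower()
    findings = []

    # Display name claims to be a leader, but the address is not theirs.
    expected = LEADERS.get(name)
    if expected and addr != expected:
        findings.append(f"display name '{name}' sent from {addr}, expected {expected}")

    # Replies would be steered to a different mailbox than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to.lower()} differs from From {addr}")

    # Lure wording only adds weight when a header anomaly was already found.
    body = "" if msg.is_multipart() else str(msg.get_payload())
    text = _norm(msg.get("Subject", "") + " " + body)
    hits = [term for term in LURE_TERMS if term in text]
    if hits and findings:
        findings.append("lure terms present: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, check_message(raw))
```

A message that trips these checks is a candidate for quarantine or a warning banner; the phone-call verification in the advisory still applies to any payment request.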

  • Dylan Low

    Cybersecurity & IT Infrastructure | Finding the gaps before they become incidents | UK

    2,955 followers

    A 16-year-old just took down the IT network used by almost every school in Northern Ireland. No nation-state. No sophisticated hacking team. A teenager.

    This week, PSNI arrested a 16-year-old boy in Portadown in connection with an attack on the C2K system, locking pupils out of their accounts right before Easter exams. Personal data is believed to have been compromised across multiple schools.

    And here is the part that should make every IT and security leader stop scrolling. He did not need to be a genius. AI has changed that completely. Attack kits that once cost tens of thousands of pounds to build now rent for around $500 a month. AI tools have lowered the barrier to entry to the point where even individuals with no technical skills can launch successful attacks. AI-automated phishing emails are now achieving click-through rates of 54%, compared to 12% for standard attempts.

    We are no longer dealing with a threat that requires years of expertise. We are dealing with a threat that requires a Wi-Fi connection and a curious mind. The question is not whether your organisation could be targeted by a sophisticated actor. The question is whether your defences can handle someone who learned how to do this on a Tuesday afternoon.

    If you are unsure of the answer, it might be time for a conversation: What do you think is the most overlooked gap in your organisation's cyber defences right now?

    #CyberSecurity #CyberAwareness #InfoSec #UKCyber #OneByteOfHumour
