6 min

Why Canadian Schools are Popular Targets for Cybersecurity Attacks

Students, teachers and staff of varying technical capabilities create a huge target for attackers. You can sell student information on the black market, and since school boards are in the public eye, they are appealing targets for ransomware attacks.

What's Inside
Teacher teaching students in a classroom using a computer.

It may arrive four weeks after classes begin, but Cybersecurity Awareness Month offers a reminder as potent for Canadian schools as their business counterparts: school boards, employees and the students that attend their classes are appealing targets for cyberattacks, and they need to be prepared.

While Canadian numbers are hard to come by (the most recent data appears to be a 2017 study by the Canadian Internet Registration Authority that found an average of more than 50 attempts per school board over a three-week testing period), the average U.S. education and research institution faced 1605 attacks per week in 2021, a 75 percent increase from 2020, and recent attacks on Canadian school districts in various provinces illustrate what’s at stake.

“There are a couple of reasons school districts in Canada – or anywhere, really – are prone to cybersecurity attacks,” says Alistair MacLeod, Education Strategist with CDW Canada. “One is simply budget – the budget for security services protection is very small in the education sector, so a school board’s ability to protect themselves by implementing comprehensive security measures is quite difficult.”

“The other is that students, teachers and staff of varying ages, technical capabilities and training create a huge target for attackers,” he continues. “You can sell student information on the black market and the boards themselves are in the public eye, making them very appealing targets for ransomware attacks.”


You can sell student information on the black market and the boards themselves are in the public eye, making them very appealing targets for ransomware attacks.

– Alistair MacLeod


After all, MacLeod says, what board wants the media to report they were the victim of a ransomware attack? They don’t, which makes them more likely to pay – and often creates new problems because they’re public institutions using taxpayer funds, he notes.

Fortunately, there are ways CDW can help boards and their staff and students reduce the risk, which MacLeod – a former educator with over three decades of both teaching and institutional IT experience – is more than happy to expand on after walking readers through a few more risks unique to the sector.

What makes education more vulnerable to cybersecurity attacks?

One factor that makes schools especially vulnerable to cybersecurity attacks, and uniquely difficult to secure, MacLeod says, is the users being protected: It can be difficult for IT staff to balance their digital services for students and teachers in both a seamless and secure way.

“For example, teachers and students don’t want to bother with multifactor authentication for a variety of reasons,” he says. “It’s time consuming, they don’t necessarily have a cell phone, or they don’t want to use their personal device and the school can’t afford to provide them with one like in the corporate world. So it’s a constant challenge trying to balance the need for privacy and cybersecurity readiness with ease of access, both inside and outside of the school infrastructure.”

Ransomware is an especially dangerous threat to school boards, MacLeod says, because they store and rely on so much personal data including health information, student schedules, grades, emergency contacts and attendance records. Loss of access could be both a public relations nightmare and grind operations to a halt. And while it can be guarded against to some extent, even a daily backup means at least one day’s worth of data is lost to a successful ransomware attack – the amount of work required to make up for one day’s data entry is much, much more extensive than many people outside the sector realize, he says.

Another challenge, MacLeod acknowledges, is the number of staff specifically employed to protect schools from cybersecurity attacks is very low, often because the salaries simply don’t match what skilled staff can earn in the private sector – which is why he believes collaboration between school districts and organizations like CDW is so crucial.

“They just don’t have the resources to do it on their own,” he says. “Nor can the ministry do it on their own because each school board operates differently. Vendors can’t do it on their own either because it’s very hard to provide a solution that will work for everyone.”

Fortunately, MacLeod says, efforts involving all three parties are moving forward, at least in parts of Canada – Ontario’s Ministry of Education, for example, has established the Cyber Security Centre of Excellence, which is collaborating with vendors including CDW on cybersecurity protection initiatives funded by the ministry and staffed by local school board employees.

“I think the best – only – solution is to have that collaboration between the ministry, school districts and vendors,” MacLeod says. “Together, we’re able to develop an effective solution that gradually builds towards greater levels of protection and can be implemented in a reasonable time frame at a reasonable cost.”

How CDW can help protect your school from cyberattacks

Ivo Wiens, Cybersecurity Practice Lead, CDW Canada, says that if schools want to protect themselves from cybersecurity threats they need to approach the problem like their counterparts in the private sector – for example, conducting third-party risk assessments and embracing the zero-trust model of identity verification, despite the protests of students and staff.

“Zero-trust is really popular for a reason,” he says. “And it doesn’t just apply to staff and students, but vendors – every provider involved in protecting students and their information should be able to verify they have controls in place and have passed a third-party risk assessment, because they’re dealing with one of the most vulnerable groups in society.”

MacLeod says there are a couple of factors specific to CDW that make it a perfect partner for a school board. One is institutional knowledge – CDW has a long history of collaborating with school boards and meeting their unique needs, such as narrow installation windows, lower budgets and a labyrinthine adoption process that has long required boards to put out requests for proposal (RFPs), but is increasingly encouraging collective purchasing agreements.

The other is that we always recommend appropriate vendors, which means that signing a collective purchasing agreement with CDW provides schools with access to leading vendors, such as Cisco and Palo Alto Networks, which are best suited to their unique needs.

Collective agreements also speed up the purchasing process, which MacLeod acknowledges can be a headache for IT staff like his former role with Kingston’s Limestone District School Board.

“It’s good for boards to not have to collaborate with too many partners because there’s only so much time and it adds complexity to projects,” MacLeod says. “An individual vendor can try and be everything to every district, but it usually doesn’t work out that way, so the fact that we provide detailed vendor evaluations and recommendations really helps.”