Nearly 1,000 US schools impacted by ransomware in 2021 — so far

A photo of two children on a bench, looking over textbooks and a shared laptop.
Photo by Mary Taylor on

Motherboard’s Lorenzo Franceschi-Bicchierai reports that a study from Emsisoft shows nearly 1,000 schools impacted by ransomware attacks across more than 70 school districts in the United States, a significant increase over the previous year. Given the onslaught of ransomware attacks this year, it’s hardly surprising, but the number is still hard to swallow.

In the 2018-2019 school year (the latest year for which statistics are available), the National Center for Education Statistics reported there were over 98,000 schools in the United States, meaning roughly one percent of all schools have been affected this year alone.

Although most schools don’t pay up, or pay very little, there’s still a lot at stake even when schools are able to recover quickly. NBC News’ Kevin Collier reported in September that hackers have released personal data about students from over 1,000 schools in 2021 alone, and this data includes sensitive health information, academic records, and personal identifiers like Social Security Numbers, which “can set up a child for a lifetime of potential identity theft.”

We all know that no computer system is fully secure, but the US Cybersecurity and Infrastructure Security Agency has published reference materials for schools to learn about ransomware prevention and recovery. I hope that stories like this one from Motherboard will encourage more school IT staff and administrators to take advantage of available resources to protect their students. Maybe we can start driving down attack statistics in 2022.

Minimum Viable Secure Product

Yesterday, Google’s security blog announced a project that I think is long overdue, the Minimum Viable Secure Product (MVSP). MVSP is a security checklist intended to aid the development of secure B2B services and safely handling sensitive data. It was developed by a group of heavy hitters in B2B tech, including Google, Slack, Salesforce, and Okta.

This is exciting to me as a security professional because it creates an opportunity for a common baseline of security controls that can be evaluated relatively quickly. It gives new companies – and those new to caring about security – a great starting point, and I’m optimistic that companies will begin sharing information about how they comply with the checklist. Having a number of major players behind it should make this more likely.

The current landscape

There already are dozens of high-profile security standards for specific sectors like healthcare and finance, as well as a number of similar standards that are more generally applicable. But actually implementing these programs can be an enormous undertaking that takes months or years to do the right way. (For example, my team just completed our first HITRUST certification, and it took us nearly two years, with lots of outside help.)

Having a simpler standard that is high quality, easy to understand, and can be implemented fairly quickly has tremendous upside. Here’s hoping it sees real adoption and doesn’t just muddy the waters further.

Of course there’s an XKCD for this.

But is it any good?

I’ll admit I was optimistic before even reading the checklist, just based on the reasons above. I was even happier when I actually read the thing. It’s definitely an excellent starting point.

It’s important to remember what it is and isn’t when evaluating it. It’s not a comprehensive risk management framework, as many existing standards are. This means it omits many sections that other frameworks include, such as device management and employee onboarding/offboarding.

But that’s kind of the point. Those bigger frameworks are great for larger businesses and those handling very sensitive data, but most B2B apps really aren’t doing that. MVSP builds in the most critical controls to protect the integrity and confidentiality of data in applications and leaves the rest up to the companies developing them.

Did I mention it’s free?

MVSP is licensed under the CC0 1.0 Universal license, which is a fancy way to say it’s in the Public Domain. This will enable companies to adapt the checklist to their own needs and provide relevant commercial services without having to worry about Google’s lawyers tracking them down.

This creates additional opportunities to build B2B tech to aid developers with implementation and verification of compliance with the checklist.

All this adds up to a very exciting announcement that makes my little nerd heart happy. I’ll be watching eagerly to see how MVSP develops and how developers respond to it.