As we have seen in recent cyberattacks at schools, it is no longer a matter of if, but when your school may become the next target of ransomware, phishing, denial of service, or other cyberattacks. Understanding today’s cyber landscape related to the education market is essential for all school leaders. Knowing what best practices should be deployed is critical.
Schools are under siege by cybercriminals looking to access valuable, sensitive data, such as the addresses, phone numbers, and financial information of students or their parents, as well as that of educators. A high percentage of cyberattacks on schools stems directly from their information technology (IT) vendors. K–12 Security Information Exchange data found that 75% of all K–12 school breaches in 2020 were carried out through the schools’ vendors. These and other attacks were already increasing before the pandemic, but remote learning and the technology vulnerabilities it introduced gave cyberthieves more ammunition to fuel their attacks.
In fact, having access to more technology in education is generally regarded as a good thing; however, it opens up a school to more cyber land mines and gives cyberthieves new pathways for ransomware, malware, and other attacks.
Reports of cyberattacks have become an eye-opener for school leaders who recognize the need to prioritize cybersecurity and formalize their related practices. Many school leaders realized they needed a tighter communications policy between themselves and their vendors in the event a vendor experiences a cyberattack that affects the schools. Further, many school systems now require their vendors to submit a cyberattack response plan for alerting the schools regarding attacks, along with measures to be implemented to restore their systems’ secure operations.
Schools are instituting other policies, including allowing only school devices to access the network, providing access to secure data on a need-to-know basis, and eliminating guest networks. Educating all constituents, including vendors, faculty, parents, and students, regarding sound cyber practices has also become a priority for many schools.
That education covers such practices as changing passwords regularly, ensuring that devices are protected with security software, and not opening suspicious emails. These and other essential measures should be adopted and incorporated into a comprehensive, proactive school cybersecurity program.
Schools must be proactive in their own organization’s cybersecurity. That requires several key initiatives:
Detection:
Every school should begin by benchmarking its current cybersecurity status. To ensure its integrity, benchmarking should be performed by a third-party cybersecurity firm and not the school’s internal IT department or its managed services provider. Detection involves two components:
- a comprehensive vulnerability assessment to evaluate the school’s IT systems and assess risk levels and
- penetration testing, also known as “ethical hacking,” to determine how easily cybercriminals could enter the school’s IT systems, including the network, ports, database, and emails.
Mitigation:
Following the vulnerability assessment and penetration testing, measures should be taken to mitigate system weaknesses and vulnerabilities. Such measures range from installing firewalls, encryption software, and end-point protection to multifactor authentication, password and SSH (secure shell protocol) key management, and solutions to lock access to proprietary data.
Best practices:
Best practices include data backups and backup data recovery, along with keeping up with software updates and limiting access to sensitive data to authorized staff members.
Cybersecurity policies:
Policies—including best practices, responses to cyberattacks, and related communications—should be formalized in a cybersecurity policy manual and provided to all vendors and staff members who manage, use, or have access to school information systems and technology.
Training:
Cybersecurity awareness training for staff should be conducted regularly to ensure that cybersecurity policies are understood and adhered to, and that staff are kept abreast of the latest developments in cyberattacks on schools. As part of this training, staff should be educated regarding the various forms of cyberattacks, including the most common forms, such as malware and phishing attacks.
Cyber incident management and reporting plan:
This comprehensive plan helps the organization prepare for, detect, respond to, and recover from network security incidents.
Regular review of cyber insurance coverage:
A regular review ensures that the insurance covers the latest threats and is adequate in covering the school’s total exposures and liabilities.
Avoiding the many land mines dotting today’s cyber landscape is not easy. It requires heightened awareness and the commitment of education leaders and their staffs to follow prudent cybersecurity practices. Vigilance is essential for avoiding financial and reputational damage stemming from a lax attitude toward cyberattacks.
Joseph E. Saracino Jr., President & CEO
Cino Ltd Companies