Is your district the low hanging fruit that hackers are searching for? For some time now, it has become commonplace for the weekly news highlights to include a story about the newest cyber victim and the subsequent aftermath. But have you noticed how frequently those stories have focused on a public institution, such as the local town, village, county, university, not-for-profit, or school district?
Since 2016, it is estimated that there have been over 775 cyber incidents involving K-12 schools alone. This estimate varies widely depending on the source and on how an education institution is defined, and determining the actual number of incidents is difficult because some districts fail to report breaches or do not understand what constitutes a breach. Long Island school districts have not been immune to this trend; as you are probably aware, last year at least three local districts made headlines.
Many small to mid-size private companies are grappling with the same security challenges, but as private entities they are not required to report cyber incidents, so many of those go unnoticed. So why have there been so many stories about breaches in the public sector? The overwhelming reason is that in the eyes of the hackers, your district is “low hanging fruit.”
As a Certified Ethical Hacker who has trained in both the offense and defense of cybersecurity, I can tell you that in most cases an educational institution is an easy target. This may seem harsh, but it is the hard truth. Many schools just don’t have the manpower, cybersecurity expertise, or budget to properly protect themselves.
When compared to a private company that has a dedicated cybersecurity team and a budgeted line item for security, a school simply becomes the path of least resistance. To make matters worse, since malicious actors are motivated by cold hard cash, your district’s large insurance policy and databases of valuable information make a school an irresistible target. The going rate for a child’s Social Security number with supporting information is about $10 per record on the dark web.
In general, districts think about four things when it comes to cybersecurity: patch management, antivirus, firewalls, and backups. In the IT support world, these are considered the four pillars of information security controls. The four pillars are necessary for managing information security risk, but they are just the starting point. I would compare the four pillars to showing up to your Regents exam with a number two pencil. Without a pencil, you have no chance of scoring well, but the pencil doesn’t guarantee you a high mark. It’s just the starting point. The problem is that many school districts begin and end their cybersecurity program with just the four pillars. To make matters worse, most IT departments do not maintain these four pillars well on a consistent, long-term basis.
Let me be clear: I’m not picking on educational IT departments; there are not many IT departments in general that do this well. It is difficult, and IT staff are typically spread thin dealing with daily support and new requests.
To truly reduce a district’s risk and get out of the crosshairs of the malicious actor, districts must develop a level of cybersecurity risk management that prevents attacks from succeeding and minimizes the impact of a successful intrusion.
One of the biggest gaps is the lack of multi-factor authentication. Multi-Factor Authentication (MFA) verifies a user’s identity by requiring more than one kind of credential, typically something the user knows (a password) combined with something the user has (an authenticator app or hardware token). MFA is an effective way to provide enhanced security: usernames and passwords can be stolen or phished, and they’ve become increasingly vulnerable to brute force and password-spraying attacks, but a stolen password alone does not satisfy the second factor. Prefer app- or token-based codes over SMS, which can be intercepted or redirected.
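To make the second factor concrete, here is an added example (written for this article, not code from any district or vendor) of how a time-based one-time password works per RFC 6238, and of a login check that requires both factors. The user, the salt, the password hash and the base32 secret are constructed test data; a real deployment would use a vetted authentication library rather than hand-rolled code.

```python
"""Added example: TOTP (RFC 6238) as the second factor in a two-factor login.
Illustrative code for this article; the test user and secret below are constructed."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed test user: a PBKDF2 password hash plus the secret provisioned to the authenticator app.
SHARED_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")  # example secret, not a real one
_SALT = b"constructed-salt"
_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the 8-byte big-endian time counter, then dynamic truncation."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift.
    Constant-time comparison so response timing does not leak which digits matched."""
    for drift in range(-window, window + 1):
        expected = totp(secret, timestamp + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(password: str, code: str, timestamp: int = None) -> bool:
    """Both factors must pass. A stolen or brute-forced password alone is not enough,
    and a code alone is not enough either. Both checks run so timing does not reveal
    which factor failed."""
    if timestamp is None:
        timestamp = int(time.time())
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000), _PASSWORD_HASH)
    otp_ok = verify_totp(SHARED_SECRET, code, timestamp)
    return pw_ok and otp_ok


if __name__ == "__main__":
    now = int(time.time())
    current = totp(SHARED_SECRET, now)
    print("password only:", login("correct horse", "abcdef", now))   # False
    print("password + code:", login("correct horse", current, now))  # True
```

The `totp` function reproduces the published RFC 6238 SHA-1 test vectors (secret `12345678901234567890`, 8 digits), which is the quickest way to confirm an implementation before trusting it with real logins.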
District internal staff are undoubtedly one of a district’s biggest assets, but they are also its biggest risk if they are not thoroughly trained on cybersecurity threats. Cyber training once or twice a year during staff development days is not going to cut it; district staff should be enrolled in continuous training that is tracked for performance, so that cybersecurity stays top of mind while they perform their daily tasks.
Districts also need next-generation, behavior-based endpoint protection rather than signature-only antivirus, and alongside it centralized log collection and retention with the ability to search for things that don’t look right. That way, if something weird happens, you can figure out when it started, what happened before it, and what else happened as a result. A security information and event management (SIEM) system is what puts that picture together, by correlating events from endpoints, servers, firewalls, and identity systems.
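The kind of correlation a SIEM does, shown as an added example written for this article rather than any product’s detection content: a handful of constructed authentication log lines (hosts and addresses are made up; the IPs are from the RFC 5737 test ranges) are parsed, a sliding window flags a burst of failed logins from one source, the alert is escalated when that same source then logs in successfully, and a timeline pulls everything the host logged around the alert so you can see what came before and what followed.

```python
"""Added example: SIEM-style correlation over constructed authentication logs.
Illustrative code for this article; the log lines, hosts and addresses are made up."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample: a burst of failures, then a success, then a privileged action on fs01;
# one ordinary mistyped password on ws22 that should NOT alert.
SAMPLE_LOGS = """\
2024-03-04T07:58:01Z fs01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2
2024-03-04T07:58:03Z fs01 sshd[2211]: Failed password for invalid user root from 203.0.113.7 port 51113 ssh2
2024-03-04T07:58:05Z fs01 sshd[2212]: Failed password for jsmith from 203.0.113.7 port 51114 ssh2
2024-03-04T07:58:07Z fs01 sshd[2213]: Failed password for jsmith from 203.0.113.7 port 51115 ssh2
2024-03-04T07:58:09Z fs01 sshd[2214]: Failed password for jsmith from 203.0.113.7 port 51116 ssh2
2024-03-04T07:58:20Z fs01 sshd[2219]: Accepted password for jsmith from 203.0.113.7 port 51120 ssh2
2024-03-04T07:58:45Z fs01 sudo: jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/tar czf /tmp/sis.tgz /srv/sis
2024-03-04T08:10:02Z ws22 sshd[3301]: Failed password for teacher1 from 10.20.1.5 port 40000 ssh2
2024-03-04T08:10:09Z ws22 sshd[3302]: Accepted password for teacher1 from 10.20.1.5 port 40001 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

FAIL_THRESHOLD = 5                        # this many failures from one source ...
FAIL_WINDOW = timedelta(seconds=60)       # ... inside this window = brute force
SUCCESS_FOLLOWUP = timedelta(minutes=10)  # a success from that source soon after = likely compromise


def parse(text):
    """Turn raw syslog-style lines into event dicts; auth events get result/user/src fields."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # a real collector should count these so a broken format is noticed
        ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
              "host": m["host"], "prog": m["prog"], "msg": m["msg"], "raw": raw}
        a = AUTH_RE.match(m["msg"])
        if a:
            ev.update(result=a["result"], user=a["user"], src=a["src"])
        events.append(ev)
    return events


def correlate(events):
    """Per-source sliding window: alert on a burst of failures, escalate to high severity
    if the same source then authenticates successfully within SUCCESS_FOLLOWUP."""
    alerts = []
    recent = defaultdict(deque)  # src -> timestamps of failures inside the window
    flagged = {}                 # src -> time the brute-force alert fired
    for ev in sorted(events, key=lambda e: e["ts"]):
        if "result" not in ev:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and src not in flagged:
                flagged[src] = ts
                alerts.append({"severity": "medium", "rule": "brute_force",
                               "src": src, "host": ev["host"], "ts": ts})
        elif src in flagged and ts - flagged[src] <= SUCCESS_FOLLOWUP:
            alerts.append({"severity": "high", "rule": "success_after_brute_force",
                           "src": src, "host": ev["host"], "user": ev["user"], "ts": ts})
    return alerts


def timeline(events, host, center, before=timedelta(minutes=1), after=timedelta(minutes=5)):
    """Everything the host logged around an alert: what led up to it and what followed."""
    return [e["raw"] for e in events
            if e["host"] == host and center - before <= e["ts"] <= center + after]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    for alert in correlate(evs):
        print(alert["severity"], alert["rule"], alert["src"], alert["ts"].isoformat())
        for line in timeline(evs, alert["host"], alert["ts"]):
            print("   ", line)
```

Note what the correlation catches and what it ignores: the single failed-then-successful login on ws22 never crosses the threshold, so it produces no noise, while the fs01 sequence produces one medium alert and one high alert, and the timeline around the high alert surfaces the `sudo` archive of the student information directory that a per-line rule would never connect to the earlier failures.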
Districts that master the four pillars by performing the necessary network maintenance tasks consistently, and that implement the cybersecurity management tools described above, become a much more hardened target, hopefully enough so that the hacker moves on to the next victim. At the end of the day, districts need to set an organizational goal of complying with the NIST Cybersecurity Framework and meeting all of its requirements; the figure of 110 security controls often cited in this context comes from NIST SP 800-171, which is the control set typically used to measure that compliance. Not an easy task, but vital for a district to keep up its security GPA.