Response from Nathan Maxwell, founder Communication Concepts, Inc.
Educational institutions are a target for cyber crime, just like any other business or non-profit. Concrete, measurable steps need to be taken to protect assets. Making use of a framework greatly helps this. A framework has specific metrics and criteria included in it. This provides a tangible resource to assess against. Usually, an outside team is brought in to walk through the assessment. Once the assessment is done, a remediation list exists. With a list, priorities are established and budget/human capital are applied.
FERPA is a federal law that addresses privacy of student
records. It is not broad enough for a school to base its entire cyber security
Specific steps that all institutions should take include:
- MFA — Multi-factor Authentication is a step beyond passwords. Logging in to access a system requires not just a password, but something else. That something else can be a prompt on a phone, a code generated by your phone, a text message, a hardware token that is inserted into a USB port, a finger print … the list goes on and on. The school needs to be aggressive in ensuring there are no gaps in their MFA deployment. If all logins require MFA, but VPN access doesn’t, the crooks will find this quickly and exploit it just as fast.
- Policies – While these are seen as the boring part of network security, they are critical. Who is allowed to do what? What is not allowed? What are reasonable expectations? If something happens, what is the response plan? Who is included? Who communicates to whom? Policies run the gamut and should be not only created, but yearly reviewed.
- Separation of duties — Smaller schools in particular will tend to have one or two key IT staff. These staff are responsible for deployment of new technologies, while managing existing equipment. Picture this, staff is assigned to deploy a new wireless system. As they learn the components, software is installed/configured, firewall rules updated – they are do everything they can to make it work. In the end, it does. But, is the config optimal? Is it secure? Were the firewall updates done in a judicious and cautious manner? Having additional eyes on a project, particularly those that are subject matter experts, is not only helpful but critical.
- Executive support — No cybersecurity progress is made without senior administrative, chancellor, and/or principle support. It’s pointless yelling into the wind for staff to try to move something forward without senior buy-in. With management support, funds and personnel follow. Educational facilities never have an abundance of either. But, management’s support allows what meager resources there are to be appropriately channeled.
What should education’s IT leaders be most aware about the current treat landscape?
The old saying, “When everything is important, nothing is important” comes to mind. There are always external threats. They will never go away. But, learning institutions are in a unique spot when it comes to insider threats. Insider threats, in a traditional business, are where staff are working as, or being used by, criminals. Schools are unique targets for insider threats.
They exist to encourage learning, challenging ideas, trying new things, even pushing boundaries. Labs need to be setup for students to learn and try things. The same systems students use for learning, academia uses for grading, class management, and transcript creation. Students are brought very close to critical systems. Insider threats are very real threat to educational institutions.
By Dror Liwer, co-founder and CISO of Coronet.
At a time when schools systems are collecting more data than ever and implementing new technology to improve their classrooms, education leaders must act to better secure the personal information of their students, staff and stakeholders. Unfortunately, instead of bolstering security, reports are showing that the education industry ranks dead last in cyber security, pointing to low awareness, limited budgets and a lack of expertise, making many schools easy targets for cyber criminals.
growing threat against schools
Educational data is a valuable black-market commodity because student records often contain information such as birth dates, addresses, Social Security numbers and, in some cases, financial records. In fact, since 2016, K-12 institutions have been hit with more than 400 cyber security incidents, and in 2018 alone, there were 122 publicly-disclosed cyber security incidents impacting schools in 38 states, according to the K-12 Cybersecurity 2018 Year in Review report.
Additionally, in December 2018, a hacker stole the personal details for more than 500,000 staff and students from the San Diego Unified School District. And just a few weeks ago, Louisiana Governor John Bel Edwards issued a statewide emergency declaration in response to a cybersecurity incident that affected several school districts. That same month, Watertown city school district in New York was hit with a severe attack that prevented employees from logging into accounts or accessing files. The bottom line is, based on the treasure-trove of data educational organizations have access to, coupled with a lack of budget, awareness and protocol, schools are vulnerable to advanced cyber attacks, and criminals know it.
brings new risk
Fortunately, awareness is spreading. Technology chiefs indicated in the CoSN IT Leadership survey that cyber security is now one of their top priorities. Education leaders are also recognizing that these attacks not only have the potential to cause financial loss for schools, donors, students, and staff, but they can also erode trust in the educational institution itself. For students, it’s not just about their privacy and preventing identity theft, but also about their future academic and workplace careers.
Ultimately the problem for school systems rests in constrained budgets, inadequate cyber security staffing, and in some cases, senior leaders who may not truly understand the threats they are facing. Out of 17 industries analyzed, education ranked last in cyber security, according to the 2018 Education Cybersecurity Report.
Most schools are accustomed to putting student education at the forefront, and while they may also devote energy and resources to physical security, it can be easy to overlook the modern threats lurking in connected systems. Behind the promise and excitement of smart boards, smart TVs, laptops, tablets, and IoT devices, criminals are waiting to exploit vulnerabilities.
One major issue is the large number of staff and administrative users with personal and school devices that expands the attack surface. Many schools now have students utilizing their own laptops during school hours, bringing more points of vulnerability into the school. For example, students or faculty could be working remotely on an unsecured Wi-Fi network, opening the possibility of an attacker gaining access to a school’s system. Many also use apps such as Office 365, Dropbox, GSuite and Slack to communicate and collaborate on projects. While these apps do offer some security, they are often no match for the advanced cyber threats that are changing daily. If a student were to unknowingly share a document infested with malware to Dropbox, it could compromise the entire system.
several actions that educators should take to mitigate cyber risks. One place
to start is with a simple risk assessment to identify vulnerabilities. This
could include an inventory of all devices and connections in the system,
including BYODs, along with apps and software. During this assessment,
questions should be asked such as “How is the technology being used?” and “What
processes and protocols are in place?” Comprehensive risk assessments can often
reveal several simple ways a school can improve its security.
Other cost-effective steps that leaders should take include:
a cybersecurity plan that covers the management of networks, maintenance of
equipment, establishment of policies and how human practices and solutions will
protect the data.
endpoint security, application security and processes for ensuring patches and
strong password and protection on all devices.
visitors from using the WiFi.
Additionally, schools, much like enterprises, should have a system to backup data and a plan for recovery should an attack occur. For it is slowness or lack of preparedness that often leads to the most serious disruption.
Education leaders can find several resources to assist with planning, including those at the Readiness and Emergency Management for Schools Technical Assistance Center and The National Initiative for Cybersecurity Education (NICE).
Finally, as human awareness is a critical component of cyber security, students, faculty and staff should be educated on cyber security issues, how to reduce the risks and what procedures to follow in the event of a breach. For all employees, such training should occur before every school year and for students, computer security literacy should begin as early as the third grade. While cyber security risks will always be a reality in today’s digitally-connected environment, school-wide awareness, planning, and education can reduce many of your vulnerabilities lowering their risk and better protecting the sensitive data of their students and faculty.