What does “security” mean in the context of a school? Until recently, the first things that came to mind were probably physical security technologies like surveillance cameras, metal detectors, access control stations, and even just good old fashioned locks.
But the recent COVID-19 crisis has changed that: because of the nationwide shift toward remote learning that the pandemic has prompted, schools have been forced to reevaluate their cybersecurity policies and requirements as they work to keep their data safe amid increased reliance on videoconferencing, learning management portals, and other online educational tools.
Distance Learning Tools in the Spotlight
One of the first security concerns to gain public attention was the vulnerability of the web’s most popular videoconferencing tools. Zoom, in particular, gained notoriety for the problem of “Zoom Bombing,” where random individuals would be able to drop into meetings run by others without being invited.
With much of the population working from home and relying on remote web conferencing tools, Zoom saw a massive spike in daily users, 10 million in December 2019 to 200 million in March 2020—a dramatic increase that put the previously small problem of Zoom Bombing into the public eye.
Zoom has, fortunately, implemented additional security controls specifically designed to combat Zoom Bombing, but these controls are optional and must be selected by the user. This underscores the need for effective training.
It isn’t fair to pick on Zoom, of course—in fact, Zoom’s problems highlight one of the biggest struggles facing both schools and businesses specializing in remote learning tools. Such a massive spike in remote users over a short period of time means that IT departments lacked the time to evaluate the security controls for remote learning products, and the makers of those products may not have had time to refine those controls for such heavy use.
Learning management systems (LMS) are a great example of this. Used to store grades and enable students to remotely turn in homework, LMS have long been a convenient tool for schools; however, they have generally had the benefit of operating within the safety of the school’s network. And although a bored student might occasionally attempt to hack their grades, LMS platforms have generally not been in the crosshairs for cyberattackers.
As higher education institutions compete for prospective students and look to improve offerings for those during scouting, registration and on campus, universities are already using innovations such as artificial intelligence-enabled teaching assistant programs and advanced data collection and analysis to gain an edge.
The IT environments on which universities depend are most often hybrid and multi-cloud, and because of all the new technologies should be available 24X7. Think about course registration system that is down exactly as everyone is trying to register.
From a cybersecurity perspective, the university’s security teams must work under the assumption that a successful attack will occur, and ensure the organization’s ability to recover its systems and data in a very short time from such an event;
One pressing area of improvement is assuring the ability to recover your data. One of the most alarming scenarios of a cyberattack is when both the data and its backup are destroyed in a hacking incident, thus leaving the organization with no way to recover.
This could be a result of a ransomware attack where encrypted data has been propagated to the recovery copies or because the attacker stole credentials allowing the deletion of both data and its backup. An attack with such consequences can derail any organization, leading to severe business outcomes.
We see many organizations looking at automating cyber resilience configuration assessments, whose aim is to ensure that recovery and backup copies of data are kept in a secure and isolated manner while meeting cyber-recoverability configuration best practices and compliance with regulations and standards and security baseline requirements.
These objectives are achieved using automatic and continuous processes of knowledge-driven IT configuration analysis to ensure compliance with vendor and industry best practices, and detection and repair of deviations from best practice.
Response from Mihai Corbuleac, senior IT consultant, StratusPointIT
The impact on reputation, operations and financial resources from a successful cyberattack can be wide-ranging and, hence, devastating. From data loss to extensive downtime, your IT staff and senior management team carries the heavy weight of responsibility.
So, if you don’t have sufficient expertise in-house, try to outsource, because the cost to reputation alone, if sensitive data is compromised, will make that investment viable. Check what systems are connected to the internet and if they don’t have to be, disconnect them, in order to reduce your exposure to cyber-attacks.
Make sure you back up your data regularly, and ensure you can restore from backups fast. Once you verify that you can recover from an attack, then start implementing some of the protections that are necessary to keep your data safe. Last but not least, train all your staff, make sure they understand how easy it is to unwillingly upload malware.
Additionally, email service is still the most common delivery method for malware which means that the human component is still the weakest link in the security chain and that’s because they don’t know what to expect, what an attack looks like, etc.
Employees should be educated in regard to cybersecurity, and business executives should begin using training platforms for that. Also, ensure that all employees access their work email from secure devices, preferably not their personal devices, they don’t open unsolicited emails or download suspicious attachments.
Educational institutions are a target for cyber crime, just like any other business or non-profit. Concrete, measurable steps need to be taken to protect assets. Making use of a framework greatly helps this. A framework has specific metrics and criteria included in it. This provides a tangible resource to assess against. Usually, an outside team is brought in to walk through the assessment. Once the assessment is done, a remediation list exists. With a list, priorities are established and budget/human capital are applied.
FERPA is a federal law that addresses privacy of student
records. It is not broad enough for a school to base its entire cyber security
posture on.
Specific steps that all institutions should take include:
MFA — Multi-factor Authentication is a step beyond passwords. Logging in to access a system requires not just a password, but something else. That something else can be a prompt on a phone, a code generated by your phone, a text message, a hardware token that is inserted into a USB port, a finger print … the list goes on and on. The school needs to be aggressive in ensuring there are no gaps in their MFA deployment. If all logins require MFA, but VPN access doesn’t, the crooks will find this quickly and exploit it just as fast.
Policies – While these are seen as the boring part of network security, they are critical. Who is allowed to do what? What is not allowed? What are reasonable expectations? If something happens, what is the response plan? Who is included? Who communicates to whom? Policies run the gamut and should be not only created, but yearly reviewed.
Separation of duties — Smaller schools in particular will tend to have one or two key IT staff. These staff are responsible for deployment of new technologies, while managing existing equipment. Picture this, staff is assigned to deploy a new wireless system. As they learn the components, software is installed/configured, firewall rules updated – they are do everything they can to make it work. In the end, it does. But, is the config optimal? Is it secure? Were the firewall updates done in a judicious and cautious manner? Having additional eyes on a project, particularly those that are subject matter experts, is not only helpful but critical.
Executive support — No cybersecurity progress is made without senior administrative, chancellor, and/or principle support. It’s pointless yelling into the wind for staff to try to move something forward without senior buy-in. With management support, funds and personnel follow. Educational facilities never have an abundance of either. But, management’s support allows what meager resources there are to be appropriately channeled.
What should education’s IT leaders be most aware about the current treat landscape?
The old saying, “When everything is important, nothing is important” comes to mind. There are always external threats. They will never go away. But, learning institutions are in a unique spot when it comes to insider threats. Insider threats, in a traditional business, are where staff are working as, or being used by, criminals. Schools are unique targets for insider threats.
They exist to encourage learning, challenging ideas, trying new things, even pushing boundaries. Labs need to be setup for students to learn and try things. The same systems students use for learning, academia uses for grading, class management, and transcript creation. Students are brought very close to critical systems. Insider threats are very real threat to educational institutions.
At a time when schools systems are collecting more data than ever and implementing new technology to improve their classrooms, education leaders must act to better secure the personal information of their students, staff and stakeholders. Unfortunately, instead of bolstering security, reports are showing that the education industry ranks dead last in cyber security, pointing to low awareness, limited budgets and a lack of expertise, making many schools easy targets for cyber criminals.
The
growing threat against schools
Educational data is a valuable black-market commodity because student records often contain information such as birth dates, addresses, Social Security numbers and, in some cases, financial records. In fact, since 2016, K-12 institutions have been hit with more than 400 cyber security incidents, and in 2018 alone, there were 122 publicly-disclosed cyber security incidents impacting schools in 38 states, according to the K-12 Cybersecurity 2018 Year in Review report.
Additionally, in December 2018, a hacker stole the personal details for more than 500,000 staff and students from the San Diego Unified School District. And just a few weeks ago, Louisiana Governor John Bel Edwards issued a statewide emergency declaration in response to a cybersecurity incident that affected several school districts. That same month, Watertown city school district in New York was hit with a severe attack that prevented employees from logging into accounts or accessing files. The bottom line is, based on the treasure-trove of data educational organizations have access to, coupled with a lack of budget, awareness and protocol, schools are vulnerable to advanced cyber attacks, and criminals know it.
New technology
brings new risk
Fortunately, awareness is spreading. Technology chiefs indicated in the CoSN IT Leadership survey that cyber security is now one of their top priorities. Education leaders are also recognizing that these attacks not only have the potential to cause financial loss for schools, donors, students, and staff, but they can also erode trust in the educational institution itself. For students, it’s not just about their privacy and preventing identity theft, but also about their future academic and workplace careers. Ultimately the problem for school systems rests in constrained budgets, inadequate cyber security staffing, and in some cases, senior leaders who may not truly understand the threats they are facing. Out of 17 industries analyzed, education ranked last in cyber security, according to the 2018 Education Cybersecurity Report.
Most schools are accustomed to putting student education at the forefront, and while they may also devote energy and resources to physical security, it can be easy to overlook the modern threats lurking in connected systems. Behind the promise and excitement of smart boards, smart TVs, laptops, tablets, and IoT devices, criminals are waiting to exploit vulnerabilities.
One major issue is the large number of staff and administrative users with personal and school devices that expands the attack surface. Many schools now have students utilizing their own laptops during school hours, bringing more points of vulnerability into the school. For example, students or faculty could be working remotely on an unsecured Wi-Fi network, opening the possibility of an attacker gaining access to a school’s system. Many also use apps such as Office 365, Dropbox, GSuite and Slack to communicate and collaborate on projects. While these apps do offer some security, they are often no match for the advanced cyber threats that are changing daily. If a student were to unknowingly share a document infested with malware to Dropbox, it could compromise the entire system.
Taking action
There are
several actions that educators should take to mitigate cyber risks. One place
to start is with a simple risk assessment to identify vulnerabilities. This
could include an inventory of all devices and connections in the system,
including BYODs, along with apps and software. During this assessment,
questions should be asked such as “How is the technology being used?” and “What
processes and protocols are in place?” Comprehensive risk assessments can often
reveal several simple ways a school can improve its security.
Other cost-effective steps that leaders should take include:
Establishing
a cybersecurity plan that covers the management of networks, maintenance of
equipment, establishment of policies and how human practices and solutions will
protect the data.
Identifying
endpoint security, application security and processes for ensuring patches and
updates.
Requiring
strong password and protection on all devices.
Prohibiting
visitors from using the WiFi.
Additionally, schools, much like enterprises, should have a system to backup data and a plan for recovery should an attack occur. For it is slowness or lack of preparedness that often leads to the most serious disruption.
Finally, as human awareness is a critical component of cyber security, students, faculty and staff should be educated on cyber security issues, how to reduce the risks and what procedures to follow in the event of a breach. For all employees, such training should occur before every school year and for students, computer security literacy should begin as early as the third grade. While cyber security risks will always be a reality in today’s digitally-connected environment, school-wide awareness, planning, and education can reduce many of your vulnerabilities lowering their risk and better protecting the sensitive data of their students and faculty.
