By Bob Turner, CISO for education, Fortinet.
As if the education system hasn’t already dealt with enough difficult change in the past two years as a result of COVID-19, the shift to remote/hybrid school also laid bare the cybersecurity gaps faced by many districts. Bad actors took advantage of already vulnerable systems and struck hard.
Ransomware attacks have been relentless. There were a record-setting 408 publicly disclosed cybersecurity incidents in 2020 in the K-12 sector, across 40 states, according to the State of K-12 Cybersecurity: 2020 Year in Review. Numbers for 2021 are still being finalized, but given what we’ve seen in terms of ransomware and cyber incidents overall, we expect them to be even higher.
Steps are being taken at the federal level; Joe Biden signed the K-12 Cybersecurity Act into law late last year to provide schools with more resources. But as we move further into 2022, ransomware attacks are still being perpetrated against schools even as districts try to bolster defenses. It can be hard to know where to focus first, so let’s examine some of the key things IT security teams should consider this year.
Uncertainty creates opportunities for bad actors
This year will see the same heightened cybersecurity threat level as the last two. The year is still young, but we’ve seen schools across the country revert to virtual learning as a result of the Omicron variant. Those types of shifts can too often open up opportunities for bad actors to strike, as cybercriminals operate on a “kick ’em while they’re down” mindset. And we’ll continue to see malicious actors evolve their methods as needed to bypass or fool current cybersecurity efforts and continue their successful attack campaigns.
Circumstances make it clear that the focus for districts and schools must now be on transitioning the short-term actions they initially took – both to facilitate virtual learning and combat cyber risk – into longer-term and more strategic cybersecurity approaches.
The increased need for zero trust
More and more organizations across sectors are turning toward zero trust – and for good reason. The concept of zero trust is simple: No one inside or outside the network should be trusted without thoroughly verifying their identity. Zero trust operates on the assumption that threats both outside and inside the network are an omnipresent factor. Zero trust also assumes that every attempt to access the network or an application is a threat. These assumptions inform the thinking of network administrators, compelling them to design stringent, trustless security measures.
The federal government recently instructed government agencies to adopt zero trust as part of ongoing cybersecurity efforts – and it’s not hard to imagine this directive will eventually spread to other areas, like schools. Looking at how to best implement a zero-trust strategy should be a key part of cybersecurity initiatives for schools this year.
Disparate tools and products are creating gaps
A trend in cybersecurity overall – and one that education IT leaders should look to – is the adoption of integrated platforms. There are two reasons why “point” solutions or “best of breed” products aren’t sufficient anymore. The first is that no product is “best” for very long. If something is good, everyone in the industry has some version of it. The other, even more important reason is that a variety of different security and networking devices is complicated to manage and control.
And because you’re not able to track multiple vendors’ devices in a single place, it’s less secure. You’re actually leaving a lot of gaps in between the devices. And attackers know that; they’re going to try to slip through those cracks. Point products that are specific to a narrow niche aren’t sufficient, particularly if you can use a broader product that covers the same area as several point products.
The education sector needs a better system than what’s come before – a system that makes deploying new technologies and services secure and straightforward. This requires more than workarounds connecting disparate security technologies. Schools and their networks need a broad, integrated and automated cybersecurity mesh platform that provides centralized management and visibility, supports and interoperates across a vast ecosystem of solutions, and automatically adapts to dynamic changes in the network. Gartner calls this idea a “Cybersecurity Mesh Architecture.”
A new model for a more secure 2022
The education sector is vital to society; it’s the critical infrastructure of a nation’s intellectual future. But that doesn’t seem to matter to cybercriminals, who will indiscriminately exploit any security gap they can find. In fact, many are targeting schools specifically because they suspect there are multiple unsecured entry points into these networks. With new federal funds available and two years of pandemic experience under their belts, education leaders now have the opportunity to solidify and strengthen the measures they took to enable remote learning.
These opportunities include adopting a zero-trust security model that assumes malicious intent and framing security within an integrated platform. Adding automation to such a platform would increase efficiency and enable greater visibility. Use the information above to prioritize your security budget for all that awaits in 2022.