School networks are easy targets for cybercriminals, but it doesn’t have to be that way. With a proactive strategy, schools can shore up defenses by prioritizing the following areas to limit the damage caused by the inevitable cybersecurity event.
Educational institutions, specifically public K-12 schools, provide the soft targets that hackers are seeking. Whether internal or external, threat actors are infringing upon students’ rights—hacks can wreak havoc on the lives of students, staff, faculty, parents, and administrators. Leaders in education should take a proactive approach by prioritizing important changes in how they protect their students’ and staff’s private identifiable information (PII).
At Critical Insight, we are committed to defending critical services with best-in-class cybersecurity solutions, and that includes schools and school districts. While schools may have limited budgets and over-extended IT staff, we have identified the top priorities to help schools shore up their cybersecurity posture. Adopting at least a few of the recommendations is a step in the right direction.
We’re going to go through the top outcomes school districts need to avoid first. If you’re looking to go straight to the top 10 list of priorities, scroll down.
The Outcomes Schools Want to Avoid
Why are schools targeted? Cybercriminals are opportunistic and student data is considered pristine data. Insider threats, including overzealous students, can also wreak havoc on school operations.
Cybersecurity incidents at schools can lead to trouble for students, staff, and schools.
Here are the top outcomes to avoid:
- Unauthorized Disclosure and Theft of Student Records
- Breaches and Hacks Affecting School Operations and Student Data
- Phishing and Credential Misuse
- Corruption of School Technology and Security Systems
- Ransomware for the Purposes of Extortion
The outcomes can lead to stolen identities, fraudulent tax returns filed, payrolls and 3rd party payments redirected to cybercriminals, altered or destroyed school records, defaced or hijacked websites and social media accounts, and schools shutting down.
Top 10 Cybersecurity Priorities for Schools
To avoid those bad outcomes, there are a variety of actions schools can take to improve their cybersecurity posture. Some are affordable, some are easy, and some require budget allocation with trained experts involved.
Here are the ten priorities schools can tackle to reduce their cybersecurity risks.
- Network and Data Monitoring
Network and data monitoring can identify malicious activity if properly managed; typically, this priority is covered by a combination of technology and IT administrators, or managed by an outsourced cybersecurity service, such as Critical Insight. Schools across the U.S. have experienced incidents of crypto-mining, which can be identified if the network is properly monitored for unusual activity. Proper monitoring can help prevent security breaches by identifying affected assets that require quarantine. Trained IT staff are the key to monitoring the network and reviewing alerts issued by manufacturers of on-campus technologies.
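As an added example (not code from the Critical Insight post), the heuristic below flags hosts whose outbound connections resemble crypto-mining: connections to ports commonly used by Stratum mining pools, destination names containing mining keywords, and repeated flows to the same destination. The log format, port list, keyword list and all addresses and domains are constructed for this example and would need tuning for a real school network.

```python
import re
from collections import defaultdict

# Ports commonly used by Stratum mining pools (assumption; tune per site).
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}
# Destination names with mining-related keywords (constructed list, not real IoCs).
POOL_NAME_PATTERN = re.compile(r"(pool|xmr|monero|stratum)", re.IGNORECASE)
# Distinct flows to one destination before we call the activity "sustained".
MIN_REPEATS = 3

# Constructed firewall-style log format: ts src dst dport proto [sni]
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+)(?: sni=(?P<sni>\S+))?$"
)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None

def detect_mining(lines):
    """Return {src_ip: [reasons]} for hosts matching the mining heuristics."""
    counts = defaultdict(int)
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as benign
        dport = int(rec["dport"])
        counts[(rec["src"], rec["dst"], dport)] += 1
        if dport in STRATUM_PORTS:
            findings[rec["src"]].add(f"stratum port {dport} to {rec['dst']}")
        name = rec.get("sni") or rec["dst"]
        if POOL_NAME_PATTERN.search(name):
            findings[rec["src"]].add(f"mining-pool name {name}")
    # Repeated flows only corroborate a host that already tripped a heuristic.
    for (src, dst, dport), n in counts.items():
        if n >= MIN_REPEATS and src in findings:
            findings[src].add(f"{n} repeated flows to {dst}:{dport}")
    return {src: sorted(r) for src, r in findings.items()}

SAMPLE_LOGS = [  # constructed sample traffic, not real data
    "2019-05-01T08:00:01 src=10.20.5.17 dst=203.0.113.9 dport=3333 proto=tcp",
    "2019-05-01T08:00:31 src=10.20.5.17 dst=203.0.113.9 dport=3333 proto=tcp",
    "2019-05-01T08:01:02 src=10.20.5.17 dst=203.0.113.9 dport=3333 proto=tcp",
    "2019-05-01T08:01:10 src=10.20.5.22 dst=198.51.100.4 dport=443 proto=tcp sni=xmr-pool.example",
    "2019-05-01T08:01:15 src=10.20.5.40 dst=198.51.100.77 dport=443 proto=tcp sni=lms.example",
]

if __name__ == "__main__":
    for host, reasons in detect_mining(SAMPLE_LOGS).items():
        print(host, "->", "; ".join(reasons))
```

Hosts it flags are candidates for the quarantine step the paragraph describes; the lab device on 10.20.5.40 talking to an ordinary web service is left alone.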
- Incident Detection and Response
The Pennsylvania Department of Education Teacher Information Management System holds the personal information of 330,000 professional school staff across the state. Due to human error in the governor’s Office of Administration, the site was potentially compromised for 30 minutes on February 22, 2018. Rapid response included shutting down the site, offering affected users free credit monitoring for a year, and developing a plan to correct this error and to prevent similar incidents in the future. While it’s unclear how the incident was detected (likely reported by a user of TIMS), detection and response played a pivotal role for the PA Department of Education in this incident. Time is of the essence for rapid detection and response, and preparation for incident response is the linchpin to reduce the impacts of foreseeable events.
- Vulnerability Scanning and Patch Management
Regular vulnerability scanning can help prevent exploits on documented vulnerabilities. Vulnerability scanning technology is only as useful as the organization’s follow-through—if technology is out of date, schools may hold off on patching well-known vulnerabilities. If legacy systems can’t be upgraded due to lack of funding, additional cybersecurity procedures, network segmentation, and stop-gap technologies should be implemented to secure those systems. Patching security holes is a real problem for schools. A recent report found a handful of school districts around the country have not yet patched for WannaCry/EternalBlue a full two years after Microsoft issued emergency patches to address the vulnerability. That was the vulnerability in the headlines after the cyberattack on the City of Baltimore.
- Protective Controls
Schools should leverage a common framework, such as the NIST-CSF, as a standard to identify and implement appropriate levels of protective controls. Standard controls include an intrusion prevention system, application firewall, URL filtering, email security, vulnerability management, anti-virus software, employee training, and data loss prevention.
Protective controls also include physical access to on-campus technology. A University of Iowa student used a physical keylogger to steal credentials and gain access to the school’s network to change grades for himself and five other students. While anti-virus software can identify software-based keyloggers as malware, the risk of physical keyloggers can be mitigated by implementing keystroke encryption software, virtual keyboards for password logins, and behavioral analysis software adept at identifying keylogger behavior. Physical security of on-campus computers can be improved with simple steps such as monitoring access to computer rooms and using privacy filters on computer monitors.
- Network Segmentation
Many compromises are caused by a school’s own students hacking the network. Proper network segmentation can stop threat actors (including students) from escalating privileges through lateral movement in the network. When designing a network at a school or district, IT professionals should designate systems for private and regulated data. Lower priority activities can be assigned to a designated area in the network to support student and staff personal devices and guest usage.
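As an added example (not code from the Critical Insight post), the script below models the segmentation the paragraph describes as zones and first-match firewall rules, then checks the design against invariants such as "guest and student devices never reach regulated data". The zone address ranges, rules, port numbers and sample addresses are all constructed assumptions for illustration.

```python
import ipaddress

# Constructed zones: regulated data is isolated from lower-trust networks.
ZONES = {
    "regulated": ipaddress.ip_network("10.10.0.0/24"),   # SIS, HR, payroll
    "staff":     ipaddress.ip_network("10.20.0.0/24"),
    "student":   ipaddress.ip_network("10.30.0.0/23"),   # student-owned devices
    "guest":     ipaddress.ip_network("10.40.0.0/22"),
}

# First-match rules: (src_zone, dst_zone, dport or None for any port, action).
RULES = [
    ("staff", "regulated", 443, "allow"),   # staff reach the SIS web front end only
    ("student", "regulated", None, "deny"),
    ("guest", "regulated", None, "deny"),
    ("guest", "staff", None, "deny"),
    ("guest", "student", None, "deny"),
    ("student", "staff", None, "deny"),
    ("any", "any", None, "deny"),           # default deny between zones
]

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "unknown")

def decide(src_ip, dst_ip, dport):
    """Apply the first matching rule; traffic inside one zone is not filtered here."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"
    for rule_src, rule_dst, rule_port, action in RULES:
        if rule_src in (src, "any") and rule_dst in (dst, "any") and rule_port in (dport, None):
            return action
    return "deny"  # nothing matched: fail closed

# Segmentation invariants the design must satisfy (constructed sample checks).
INVARIANTS = [
    ("10.40.1.9", "10.10.0.5", 445, "deny"),    # guest -> file server SMB
    ("10.30.0.50", "10.10.0.5", 1433, "deny"),  # student device -> database
    ("10.20.0.8", "10.10.0.5", 443, "allow"),   # staff -> SIS web front end
    ("10.20.0.8", "10.10.0.5", 3389, "deny"),   # staff -> RDP is not needed
]

def check_invariants():
    """Return the (src, dst, port) tuples the rule set gets wrong; empty means the design holds."""
    return [(s, d, p) for s, d, p, want in INVARIANTS if decide(s, d, p) != want]

if __name__ == "__main__":
    print("violations:", check_invariants())
```

Re-running check_invariants after every rule change is a cheap way to catch a segmentation regression before it reaches the production firewall.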
- Security Awareness Training and User Education
Unsuspecting school employees may be easy to phish. Case in point: in early 2018, an employee with the Rockdale Independent School District’s finance department received a “sophisticated” phishing email in which the sender pretended to be the school superintendent. The staff member complied with the threat actor’s request for the W-2 tax forms of 300+ district employees. This ultimately resulted in widespread school employee identity theft and tax fraud. Security awareness training programs can yield, on average, a 20% reduction in clicks on malicious emails, links, and attachments.
45% of the education incidents in 2018 were carried out or caused by members of the affected school community, including both unintentional and intentional acts by staff and students. That means that all users, from students to staff to faculty and administrators, could benefit from digital security training on cybersecurity best practices.
- User Access Control
Schools and districts should implement and enforce the principle of least privilege. This policy can help thwart privilege escalation, a common tactic used by hackers to move throughout the network and cause damage.
- Password Management Policies
Policies that govern passwords are often non-existent or unenforced in schools. Savvy student hackers looking to change grades or simply gain access are eager to take advantage of staff members. In one case, a faculty member shared an administrative login with a student who then used privilege escalation tactics to discover IT staff was using default passwords to push updates across the entire district. A policy with standards for passwords, including multi-factor authentication, and enforcement mechanisms can ensure students and bad actors alike do not get unauthorized access to private data or critical service operations. Urban school administrators indicate that this priority has moved up on their list of cybersecurity projects, while rural schools are lagging behind in implementing such policies.
- 3rd Party Vendor Management
Vendors may not take cybersecurity and data privacy as seriously as you do. Consider asking these questions before hiring a 3rd party to manage your data, network, and connected services. One general rule of thumb is to carefully vet free services, because the old adage still applies: “If you are not paying for it, you're not the customer; you're the product being sold.” And if you are in charge of a school network, a free product with vague terms and conditions could increase your risk of a CIPA, COPPA, or FERPA violation.
- IT Security Governance
In 2019, 35% of reported breaches in education were due to “miscellaneous errors” caused by humans. To remedy this, educational institutions and districts should “clean up human error to the best extent possible – then establish a baseline level of security around internet-facing assets like web servers.” Two-factor authentication on web servers is a baseline security control. With IT security governance, leaders, department heads, and IT pros can align and enforce the top security priorities to significantly reduce incidents caused by human error.
Going Beyond Protective Controls in Schools
Technology has proliferated in schools and districts over the last decade, and it’s clear that cybersecurity matters. In 2018, an educational institution reported a confirmed cybersecurity incident every 3 days in the U.S.—and that’s not counting the cybersecurity incidents that were never publicly reported. While hackers are lurking in networks for an average of 197 days before detection, schools can experience outcomes that will be long-lasting for everyone involved.
With Critical Insight's Managed Detection and Response (MDR) solution, security analysts are monitoring the network 24×7×365 to catch intrusions in 2 hours or less. With that level of support, schools can limit the potential of negative outcomes caused by extensive dwell time. If a threat is detected, Critical Insight Success Engineers provide clients with a customized plan for rapid incident response.
Expert consultants can do a lot to advance the entire cybersecurity program. Consultant-led initiatives can lay the foundation to prevent incidents and reduce overall risk with security awareness and training programs, incident response, password policies, network security, cloud security, disaster recovery, and more. Critical Insight's consultants offer these services in addition to providing security control readiness for FERPA, CIPA, and COPPA.