Enhancing Cybersecurity in Education

Recent ransomware attacks on a local school districts highlight why cybersecurity is a critical issue for educational institutions to address. These events provide an impetus for our community to discuss best practices to better protect our schools. Though no organization is immune to cyber threats, schools tend to be prime targets yet often lack resources dedicated to security. We’ll explore the unique challenges schools face in defending their sensitive data, assets, and populations. By raising awareness and sharing actionable guidance, we aim to help education leaders strengthen their security postures now and into the future. The stakes are high, as breaches put students’ wellbeing and futures at risk. Through thoughtful preparation, we can develop resilient systems and cultures capable of weathering inevitable storms.

Why Schools Are Targets

Schools face unique cybersecurity challenges that make them attractive targets for threat actors. Two key factors contribute to the vulnerable security posture in many school districts:

  1. Sensitive student data stored: Schools maintain detailed records on students, including health information, disabilities, social security numbers, and more. Protecting the privacy of minors is extremely important. However, this sensitive data is often stored digitally with inadequate security controls.
  2. Lack of cybersecurity funding/resources: Most schools struggle to allocate enough budget and staff towards cybersecurity. With limited resources, it becomes difficult to implement modern security tools and practices. Many districts are years behind in their security maturity compared to other industries. As a result, school networks tend to lack strong protections and have vulnerabilities that can be exploited.

The combination of sensitive student data and deficient cybersecurity puts many school districts at high risk of security incidents like ransomware attacks. Without proper funding and resources dedicated to security, schools will continue to be attractive targets for cyber criminals seeking valuable data.

Assessing Current Security Posture

Conducting a thorough cybersecurity assessment is one of the most critical first steps educational institutions should take to understand their current security posture. Audits and assessments provide visibility into the existing policies, controls, and tools in place, and more importantly, where the gaps or vulnerabilities may exist. For schools and districts just getting started with improving cybersecurity, an assessment can highlight major risk areas that need priority attention. 

Assessment

Some key reasons assessments are so valuable:

  • They provide a clear baseline to measure security improvements against over time. Without understanding the starting point, it’s impossible to accurately track progress.
  • Assessments expose unknown weaknesses or misconfigurations that could lead to breaches. Many schools don’t realize how exposed certain systems or data stores are until an audit is conducted.
  • They allow benchmarking against industry standards and frameworks like NIST to identify major gaps. If core controls around access management, encryption, or backups are missing, assessments make that clear.
  • Audits validate that existing security controls are implemented and functioning as intended. Controls on paper don’t necessarily equate to real-world protections.
  • Objective third-party assessments carry more weight and credibility than internal reviews for securing budgets and resources.

Schools have a few options for conducting cybersecurity assessments. They can use free online tools and resources to self-assess, leverage auditing capabilities from existing vendors and solutions, bring in third-party consultants to audit, or work with managed service providers who conduct ongoing reviews. The right approach depends on budget, in-house expertise, and how comprehensive an assessment is needed. Regardless of method, educational institutions need to make cybersecurity assessments a regular practice, not just a one-time activity. They are indispensable for revealing vulnerabilities and keeping security programs on track.

Developing a Cybersecurity Plan

Once a security assessment is complete, the findings should be used to develop a customized cybersecurity plan. Many schools make the mistake of implementing complex and expensive security controls before getting the basics right. The most impactful security improvements come from focusing on essential protections first.

Cybersecurity practices

Some basic steps schools should take to develop a cybersecurity plan include:

  1. Set password policies requiring long, complex passwords that expire at least annually. This prevents password reuse and ensures credentials are updated.
  2. Implement multi-factor authentication (MFA), starting with privileged accounts and student/staff data access. MFA prevents compromise of a single factor like a password.
  3. Segment internal networks to limit student access to sensitive systems. Keep student and staff networks separate.
  4. Use endpoint protection like antivirus, endpoint detection and response (EDR), and disk encryption to secure devices.
  5. Enable system logging and log monitoring to detect attacks and compromise.
  6. Develop an incident response plan detailing how to handle a cyberattack. Include communication workflows and escalation procedures.
  7. Provide cybersecurity training to all staff, with practical exercises like simulated phishing campaigns. Training is key for good security culture.
  8. Work on obtaining cyber insurance, which requires many security best practices be met. The application process itself can be an assessment.

Focusing first on fundamental security controls does not need to be overly complex or costly. Schools can make huge strides in protecting against modern cyberthreats by taking a “crawl, walk, run” approach to developing a cybersecurity program.

Implementing Key Security Controls

Strong authentication, network segmentation, and access controls are essential security foundations in the education sector. Though budget constraints often discourage robust implementations, starting with even basic versions of these controls can significantly improve security posture.  

  • Multi-factor authentication (MFA) should be required for all staff and administrator accounts that access sensitive data or core systems. Though pushback is common, MFA dramatically reduces the risk of compromised credentials. Smartcards, biometrics, or security keys can help ease friction from mobile-based MFA. Staggering rolling annual password resets also promotes better credential hygiene.
  • Network segmentation is critical to restrict student access to staff and administrative systems. Separate VLANs with firewall rules should split student devices from internal networks. Segmenting traffic between elementary, middle school, and high school may also be prudent. Some schools unfortunately have student laptops on the same network segment as financial systems and medical records.
Security
  • Access management solutions can grant administrative rights on-demand while logging activity. This reduces the risks of widespread administrative access and shared credentials. Though more costly than organizational policy, privileged access management systems greatly improve access governance. Basic improvements like removing shared administrator accounts already mitigate common attack vectors.

Overcoming Implementation Challenges

Implementing new security controls and policies in schools often faces pushback from staff who are unfamiliar or uncomfortable with change. Common challenges include:

  • Friction from new security controls – Teachers may resist new requirements like multi-factor authentication or frequent password changes if they create extra steps in their workflows. Focus on choosing intuitive, low-impact options and phasing changes in gradually. For example, only require password resets during summer breaks when class is not in session.  
  • Staffing limitations – Small IT teams may be overwhelmed trying to manage every security task alone. Consider bringing in third-party security consultants periodically to audit systems, make recommendations, and supplement in-house staff. This provides expertise without overburdening or requiring expansion of internal teams.
  • Getting buy-in – Without adequate budget and stakeholder support, security initiatives stall. Get leadership and staff invested by starting with a risk assessment to demonstrate needs and align to institutional goals. Frame security as an enabler, not a hinderance. Empower IT teams to make recommendations and collaborate on solutions.

Leveraging Available Resources 

Schools don’t have to go it alone when it comes to improving their cybersecurity. There are numerous resources available to provide guidance, assistance, and support:

Government Assistance Programs

Many state governments have developed cybersecurity assistance programs specifically for their local school districts. These can include funding for security assessments, tools, and resources to improve defenses against threats like ransomware. Schools should research what options may be available through their state government.

Security Frameworks 

There are a number of cybersecurity frameworks schools can leverage to assess their current posture and develop a comprehensive security program. The NIST Cybersecurity Framework is a common starting point that identifies key activities across Identify, Protect, Detect, Respond, and Recover functions. Other options like the CIS Controls and COBIT framework can provide more detailed guidance tailored to the education sector.

Outside Consultants

With limited internal resources, schools can bring in outside consultants to assist with activities like assessments, developing security roadmaps, implementing controls, and providing training. Experienced consultants like managed service providers (MSPs) can offer cost-effective expertise and bandwidth to accelerate schools’ security programs.

Managed Service provider

Leveraging available resources like government assistance, frameworks, and consultants can help schools overcome common challenges like limited budgets and staffing. By tapping into outside help, schools can create more effective security programs.

Planning for Future Requirements

While education institutions currently do not face cybersecurity regulations like other industries, this may change in the future. As threats continue to increase, government oversight and mandatory frameworks could be introduced. Preparing for potential regulations now by voluntarily adopting cybersecurity best practices puts schools in a proactive position.  

Cyber insurance is another area to evaluate. Having adequate cyber insurance coverage provides critical financial protection in the event of a breach or ransomware attack. When applying for cyber insurance, insurers will assess the school’s security posture and require fundamentals like multifactor authentication and network segmentation be in place. Following cybersecurity frameworks helps schools qualify for better insurance rates.

Continuity planning is essential to recover from disruptive incidents like ransomware. Documented incident response plans, disaster recovery plans, and business continuity plans let schools swiftly detect threats, contain damage, and restore critical services. Regular incident response training and testing also helps school staff know how to react. Proactive continuity planning limits educational disruption for students.

While potential regulations, insurance changes, and business impacts are uncertain, schools can take steps now to improve security, comply with future requirements, control costs, and focus on educational continuity. Being proactive positions schools to securely embrace emerging technologies and changing risk landscapes.

Focusing on Security Culture  

A strong security culture is critical for education organizations to protect against cyber risks. This starts with comprehensive cybersecurity training for all staff and students on the real dangers that exist. Training should cover identifying phishing emails, using strong passwords, reporting suspicious activity, and other best practices tailored for an education environment. 

It’s also key to empower IT teams and provide support for their security initiatives. Often IT staff see the risks firsthand but struggle to get buy-in for improvements. School leadership should have open communication with IT, understand their challenges, and give them authority to evaluate the current security posture and make recommendations. With proper funding and support, IT teams can assess potential vulnerabilities, identify critical gaps, and implement security controls that reduce risk across the organization.

An engaged, security-focused culture where everyone understands their role is one of the most effective ways for schools to improve cyber defenses. Technical controls are only as strong as the people behind them.

Closing Thoughts

To recap, we discussed why schools are prime targets for cyber attacks, with valuable data and often less mature security controls than other industries. A key first step is conducting a thorough assessment to understand where your security currently stands, then developing a plan to implement priority controls like multi-factor authentication and network segmentation. 

Overcoming friction from teachers and limited budgets remains an ongoing challenge. However, free resources like the CISA self-assessment and frameworks like NIST CSF provide a solid foundation to build your cybersecurity program. While no regulations currently exist, future requirements are likely coming. By starting your cybersecurity journey today with basic steps aligned to industry best practices, you’ll be well positioned for the future.

The goal is continuous improvement as no organization can ever be 100% secure – but with the right plan and culture, you can drastically reduce risk. Education organizations have a duty to safeguard student data and shape secure practices from an early age.

Elevate your security strategy

Safeguard your educational institution with our downloadable cybersecurity checklist.


Leave a Reply

Your email address will not be published. Required fields are marked *

Making technology work for business since 1992

CIT is designated autism-friendly by autism speaks

Resources

Get in contact: email us at info@cit-net.com or call 651.255.5780

Copyright: © 2024. All Rights Reserved.