Cyber Security

Schools Must Call for Resiliency in the Face of Increasing Cyber Threats

• By Christy Wyatt
• 12/02/19

The impact of a data breach can shake any organization, and when it comes to the education sector, schools are being forced to close their doors and wait for the crisis to pass. Although schools remain the second highest targets of ransomware attacks, little has been done to alleviate these issues.

In July and August 2019, the number of publicly-disclosed security incidents in K-12 schools reached 160 — exceeding the total of all incidents experienced in 2018 by 30 percent. Breaches of all kinds are impacting schools in extreme ways — by causing panic among faculty, families and children and disrupting students’ education. Hefty ransomware demands are paralyzing districts and urging immediate solutions to be found.

The Education Sector Is Facing a Crisis

It’s one thing for impassable roads to hit pause on a school schedule. It’s an entirely different and unacceptable scenario when cyber extortion not only gets in the way of educating our youth but puts data pertaining to their health, academics and social development at risk of exposure and compromise — not to mention the public funds that are flushed away to ransom payments and cleanup efforts. Yet here we are, co-existing with cybercrime as the new normal and witnessing escalating ransomware attacks turn schools into the second-largest victims of all industries.

The pace of growth of the “digital school district” continues to climb given the many benefits technology brings to students and educators. Funding for educational technology has increased by 62 percent in the last three years and the new U.S. Digital Equity Act proposes to commit federal dollars to bring even more tech to the classroom. And while the many benefits of the digital classroom are clear, this rapid growth, combined with complexity and the continued restricted budgets for management, make our schools and our students increasingly vulnerable.

When Complexity and Risk Plague Today’s Digital Classroom, Resilience Matters

Technology is no doubt an asset, though we need to acknowledge not just the risks to student safety and privacy it poses, but also the complexity that IT folks have to wrangle. Education IT leaders once responsible for a few hundred devices, a few dozen apps, and a single network have now found themselves managing tens of thousands of devices (as 82 percent of schools now provide students with them), hundreds of apps, and a distributed set of users accessing unknown networks — all with limited resources and budget in most cases. Meanwhile, by clicking on one bad link on a school-issued device, a student can become a conduit for a ransomware attack.

As endpoint and environmental complexities increase, and risk alongside them, it’s no surprise that 68 percent of education IT leaders in the U.S. list cybersecurity as their top priority. In tandem, several state governments, including Louisiana, Texas and North Dakota, have stepped up their efforts to safeguard schools against cyberattacks with various measures such as cyber policy mandates, cyber commission formation, and state IT department oversight for schools.

For policymakers, educational institutions and their IT leaders, and even concerned parents, collaborative cybersecurity efforts should rally around the concept of resilience, or the ability to bounce back. Here are three steps to get on the path to cyber resiliency:

1. Battle the false sense of security. Millions of dollars of public funds are invested in applying security controls in schools — giving parents and educators a false sense of security. Many of these controls are fragile or by-passable — meaning that without consistent monitoring, you may be more exposed than you think. Make the most of the tools you already have and spend your budget on more impactful projects. Ask the question, “Are the controls we already have in place functioning at all times?” Security controls cannot protect you when they are taken offline by wily students, or bypassed. Foundational device controls include, at a minimum, anti-malware, encryption, authorized VPN, patch/client management, and web-filtering/firewalling on the client — and all need to be based on a platform that enable visibility and resilience for IT.
2. Strengthen your immune system. In the complex world of endpoint security, increased security spending does not equate to increased safety any more than taking more vitamins guarantees you will never get the flu. In fact, every additional security tool, while adding protection, also increases the complexity on the endpoint and therefore the probability of failure as agents. A recent Absolute study reveals schools that have encryption in place experience agent failures on an average of nine devices per day — almost half of which never recover, leaving students and staff at risk of potential data breaches. In order to protect your students, your data, and your investment, ensure you have fundamental controls activated to gain a persistent connection to each device — on or off the school network. It’s only then that you can repair or replace critical apps that have been disabled or removed.
3. Make cybersecurity the air students breathe. Creating a culture of online security and open communication about online threats is not just good practice, it’s an ethical responsibility. Turn it into a game; teach students what attackers do, test them on practical examples, and give each of them a sense of achievement when they win. Yammering on about ransomware crippling the school or how awful an attack would be for their district is unlikely to stop an 11-year-old trying to circumvent security policies. Let them know what villains may try to do, and challenge them to step up and help stop them. Provide a means for them to report suspicious online behavior without fear of punishment. Make them the hero of the cyber resilience story.

Heeding these steps will ultimately prepare schools to successfully overcome a ransomware attack by ensuring it’s business as usual no matter the extent of the breach. While we must understand the importance of a thriving digital classroom, the education sector must also recognize the threats that come along with these advancements.