This can be a highly lucrative attack method; according to a recent report by the K12 Security Information Exchange and the K-12 Cybersecurity Resource Center, $9.8 million was stolen from a single school district via a phishing attack last year.
Schools need a layered cybersecurity approach to combat the phishing threat but, at a minimum, it’s important to ensure that firewalls are enabled, that anti-virus and anti-malware software is installed, and that all patches are up to date. Another best practice is turning on the multifactor authentication features available in select browsers to further protect against attacks.
New Vulnerabilities Introduced by Third Parties
As schools grow increasingly digital, they are interacting with a wider array of external partners, suppliers, and software providers. This, in turn, opens them up to new threats as bad actors target these companies with the ultimate goal of breaching a school or district’s system. The K-12 Cybersecurity report found that at least 75 percent of the data breaches affecting K-12 districts in 2020 stemmed from incidents involving vendors and other partners.
Schools should ensure they have an updated list of approved apps and software and allow only those apps to connect to user accounts in order to get ahead of these threats. In addition, they must implement a robust process for evaluating any new technology against key security criteria prior to authorizing access to students, teachers, or staff. Depending on the size of the school or district, another consideration is investing in automated tools to audit and sanction third-party apps, as this can alleviate the burden on stretched IT departments.
The Human Element
Another prime security challenge comes from the threats unintentionally introduced by students, staff, vendors, and partners. For example, it’s a relatively common practice for people to employ the same password across multiple online accounts. If just one of these accounts was breached in a prior attack, there’s a good chance the associated password is known to hackers. The legacy enterprise approach to credential security was to enforce complex passwords, including numbers and special characters, but the National Institute of Standards and Technology, or NIST, has outlined numerous reasons why this practice actually results in weaker passwords. It’s also highly unrealistic to expect an elementary student to remember a long, complex password.
A better approach is to invest in credential screening solutions that check for compromise when passwords are being created and continually thereafter with intelligence from the latest data breaches. This allows K-12 schools to ensure that no exposed credentials are in use without imposing complexity requirements. In addition, because this screening can be entirely automated, there is no additional work required on behalf of the IT team.
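The sketch below is an added example, not code from the article or from any screening product, showing the two checkpoints described above: a check when a password is created and a re-check at login after the breach feed is updated. The hashed-prefix lookup, the function names, the eight-character length floor, and the sample feed are all assumptions made for illustration.

```python
import hashlib

# Constructed stand-in for a breach-intelligence feed (not real breach data).
BREACH_FEED = ["password", "123456", "qwerty", "P@ssw0rd1"]

def sha1_hex(password):
    # SHA-1 is used only as a lookup key for the breach corpus, never for storage.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_index(passwords):
    """Bucket breached-password hashes by their first 5 hex characters."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index

def is_compromised(password, index):
    """Range lookup: only the 5-character prefix selects the bucket, so a
    remote screening service would never see the full hash or the password."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())

def screen_new_password(password, index, min_length=8):
    """Creation-time policy: length floor plus breach check, no composition rules."""
    if len(password) < min_length:
        return (False, "too short")
    if is_compromised(password, index):
        return (False, "found in breach data")
    return (True, "ok")

def rescreen_at_login(password, index):
    """Ongoing screening: re-check the submitted password against the latest feed."""
    return "force_reset" if is_compromised(password, index) else "allow"

if __name__ == "__main__":
    index = build_index(BREACH_FEED)
    for candidate in ["P@ssw0rd1", "purple wagon sings"]:
        print(candidate, screen_new_password(candidate, index))
```

Note that "P@ssw0rd1" would satisfy a typical complexity rule yet is rejected, while a simple phrase that is absent from the feed is accepted.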
Recent technological innovations hold great potential for the K-12 sector. However, in their rush to explore these opportunities, it’s critical that districts and schools also ensure that basic security considerations are addressed. Otherwise, it’s akin to rolling out the welcome mat for hackers—and this welcome mat will only grow larger as new technologies are introduced.