Criminal cyber groups have made it abundantly clear that there is no type of organization they will not target: the more vulnerable an organization is, the easier it is to victimize. Unfortunately for us, the organizations most at risk are often public institutions. A combination of lack of resources and dependence on legacy networks creates the perfect storm for exploitation. Of all public organizations, education has the most significant difficulties to overcome.
In 2021, ransomware attacks cost US schools over $3 billion in damages and had an incalculable impact on teachers’ and children’s lives. City officials and state lawmakers must ask themselves: What can I do to protect my constituents? As a former CIO for the state of Arizona, I have pondered the same questions and understand how stressful the responsibility can be.
Since then, I have helped hundreds of private companies and government departments fortify their security postures in an increasingly hostile security environment. In this article, I would like to share the five most valuable practices cybersecurity personnel can implement within their school district’s or university’s security planning.
Patch vulnerabilities sooner rather than later
A common mistake IT administrators make is failing to patch vulnerabilities within their network assets. Security incidents often occur because a known bug within a popular service has not been remedied despite a patch being publicly available for months or years. This poses a particular threat as hackers have refined their attack methodologies to exploit these vulnerabilities more efficiently. My recommendation: focus on vulnerabilities that pose significant threats (there are too many in the wild to count) and prioritize those associated with network incidents and those with the potential to cause damage.
An understated risk that has grown in recent years is vulnerabilities found within third-party software or applications. As school districts migrate many of their administrative tools onto cloud-based services, many districts can find themselves under attack without noticing it. A large-scale breach reminds us to check who we’re getting into business with and how they have managed previous incidents, if any.
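As an added illustration (not part of the original article), one way to make the patching recommendation above repeatable: this script ranks scanner findings by whether they are tied to real-world exploitation, by their damage potential, and by how long a fix has been available. The field names, tier thresholds, remediation windows and sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Assumed remediation windows in days; set these to match district policy.
SLA_DAYS = {"urgent": 7, "high": 30, "routine": 90}

@dataclass
class Finding:
    asset: str
    vuln_id: str            # placeholder identifiers, not real advisories
    severity: float         # scanner score on a 0-10 scale
    known_exploited: bool   # associated with real-world incidents
    internet_facing: bool
    patch_released: date    # when the vendor fix became available

def tier(f: Finding) -> str:
    """Bucket a finding by incident association and damage potential."""
    if f.known_exploited and (f.internet_facing or f.severity >= 7.0):
        return "urgent"
    if f.known_exploited or f.severity >= 9.0:
        return "high"
    return "routine"

def triage(findings, today):
    """Return (finding, tier, days_overdue) rows, most pressing first."""
    order = {"urgent": 0, "high": 1, "routine": 2}
    rows = []
    for f in findings:
        t = tier(f)
        age = (today - f.patch_released).days   # days the fix has been available
        rows.append((f, t, max(0, age - SLA_DAYS[t])))
    # Sort by tier, then most overdue, then highest severity.
    rows.sort(key=lambda r: (order[r[1]], -r[2], -r[0].severity))
    return rows

# Constructed sample inventory for illustration.
SAMPLE = [
    Finding("sis-web-01", "VULN-PLACEHOLDER-A", 9.8, True, True, date(2023, 1, 10)),
    Finding("lab-pc-114", "VULN-PLACEHOLDER-B", 5.3, False, False, date(2023, 9, 1)),
    Finding("lms-db-02", "VULN-PLACEHOLDER-C", 9.1, False, False, date(2023, 10, 20)),
    Finding("print-srv-03", "VULN-PLACEHOLDER-D", 6.5, True, False, date(2022, 6, 15)),
]

if __name__ == "__main__":
    for f, t, overdue in triage(SAMPLE, date(2023, 12, 1)):
        print(f"{t:8} {f.asset:14} {f.vuln_id:20} overdue by {overdue} days")
```

Feeding it an export from the district's own scanner replaces the sample inventory; findings that are both exploited and long overdue surface at the top of each tier.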
Deploy adequate resources for timely and regular monitoring of the security situation of schools
Enabling early warning detection tools offers school administrators assurance and control over their system’s defenses. Monitoring the perimeter of your network means scanning for zero-day vulnerabilities that might not have been identified by numbering authorities or government agencies. Although these are difficult to detect independently, it’s essential to keep tabs on your solution providers’ communications channels in case any advisories are released.
Zero-day vulnerabilities are particularly dangerous because no security patches are available for them, which gives attackers an open window to cause serious damage. Vulnerabilities were found within Apache Log4j, a popular logging library for Java, which allowed attackers to gain access to VMware Horizon servers. Many private and public organizations rely on VMware’s services, and three weeks passed before a patch could be developed.
Perform routine checks and apply remediation measures immediately
Performing routine checks can help school administrators understand which areas of their organization are most vulnerable. Running simulated penetration tests of your network, where you intentionally try to break into your system using proven hacker methods, can bring to light hidden entry points that criminals would otherwise use. It’s helpful to continuously view your organization from a hacker’s perspective as it forces you to consider all possibilities during normal operations and when configuring assets or network-related parameters.
Automate this process and schedule routine pen-tests to ensure new vulnerabilities are found before they are exploited. It is difficult to argue against the benefits of pen-testing when universities discover data breaches during scheduled tests.
Have a contingency plan for when your systems are under attack
A school district or university administrator never wants to find their organization the victim of a data breach or ransomware attack, but it is becoming a likely scenario for which everyone has to plan. Cyber incidents cause severe financial, reputational, and data security damage, but that damage can be reduced by preparing for the worst.
A comprehensive contingency plan helps staff prepare for a scenario when critical services are disrupted and outlines procedures to help bring them back online as soon as possible. It’s also important to consider how online learning has multiplied the IT platforms necessary to deliver these remote services. Teachers and students need access to learning material from multiple devices, IT administrators need a framework to deploy software/applications, etc.
A contingency plan should consider the following:
- Identify and prioritize critical IT infrastructure to maintain minimum service delivery or prevent a total shutdown
- Design recovery methods to restore offline systems like system back-ups or alternative hosting sites
- Training and exercise opportunities for employees to prepare for network attacks
- Plan management to ensure it is up to date with the latest changes
Keep up to date with government advisories
The K-12 Cybersecurity Act tasked the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to research the effects of cyberattacks on K-12 schools. The act is not designed to enforce compliance with cybersecurity mandates but rather to look deeper into the security flaws in the US public education system and provide recommendations for future guidelines. Following the research, CISA has published multiple reports on K-12 School Security.