Educational institutions have an urgent reason to put data security and backup at the top of their agenda: the rising threat of ransomware. Security firm BlackFog reports that the education sector is now the top target for ransomware attacks, surpassing government and healthcare.
In one recent case, the Los Angeles Unified School District, which has more than 540,000 students and 70,000 employees, suffered a ransomware attack that blocked email, computer systems, and applications. Following the attack, Vice Society, a Russian-speaking group that claimed responsibility for the breach, released a 500GB cache of data that appeared to contain personal information, including passport details, Social Security numbers, and tax forms, according to reports.
A successful cyberattack on a school can have far-reaching and devastating consequences. Not only does it come with a high financial cost, but it also disrupts the core function of education by making resources inaccessible, potentially leading to a loss of sensitive information such as HR and MIS data. Furthermore, it diverts valuable time and resources away from the primary goal of educating students.
As bad as the threat is, it could get worse—the increase in remote learning after the pandemic has expanded the attack surface. Before the pandemic, e-learning was not so widespread. However, with many more people now accessing educational networks from remote locations, cybercriminals can exploit many more entry points, putting added pressure on schools. With the rise of hybrid education models, in which students attend in-person and online classes, the risk of cyberattacks increases, highlighting the need for comprehensive security measures to safeguard educational institutions and their students.
Schools face competing obligations. They have a responsibility to comply with legal regulations that protect student privacy—and at the same time, they must be transparent. For example, public schools must comply with the Family Educational Rights and Privacy Act (FERPA) and respond to Freedom of Information Act (FOIA) requests within a specified timeframe or risk facing noncompliance penalties. To meet these competing obligations, educational institutions must have access to reliable data backup solutions that secure their information and provide quick and easy access to the requested data.
A lot of schools don’t. They address security by hoping an attack won’t happen to them. It is understandable—many organizations engage in the same sort of wishful thinking—but it’s also dangerous. Because for most educational institutions, it’s not a question of whether a data-loss incident will occur but when. And when it does, the impact of the incident will likely be profound.
Compounding the situation, many schools have limited resources to invest in data security, which makes them more vulnerable to cyberattacks. Many can’t afford to hire top-flight technical experts to manage and secure their data or buy the latest security tools. Schools must embrace new strategies to protect themselves, their students, and their data. Here are four ways that every school can build a robust, cost-effective data security strategy.
1. Build a culture of security awareness
Educating staff and students on the best data security practices, and how to identify and respond to potential threats, is critical to promote a culture of security awareness and protect sensitive data. Schools can conduct regular training sessions and reminders, discussing past security incidents and improving best practices to prevent future incidents. Schools should also offer training on identifying phishing emails, choosing strong passwords, and taking other basic security steps.
Schools should work with internal and external security experts to ensure that their processes are updated. They should conduct regular risk assessments to identify vulnerabilities and take measures to fix them. Schools can build a strong security culture through processes, policies, standards, and technology tools that enforce those standards.
2. Embrace zero trust
Zero trust is a security concept that assumes all users, devices, and networks are untrusted until proven otherwise. It dictates a “just enough privilege, just in time” approach to protect systems. So in a school context, students logging into a system are only granted access to the specific resources they need to complete their task and no more.
For example, students may need to access their grades and class schedule. The zero-trust model would only grant the student access to that specific information, not other sensitive information such as other students’ grades or school financial information. Once the student has completed viewing their grades and schedule, their access is immediately revoked.
This approach to security limits the attack surface and potential entry points for malicious actors. By granting the minimum necessary permissions, the school can ensure that sensitive information remains secure and that students can only access the information they need to complete their tasks.
3. Maximize savings with data tiering
Data tiering involves storing data based on its importance and usage frequency. Schools on a tight budget can save money by using data tiering to move their less-critical and less-frequently-used data to lower-cost storage options.
By managing their data this way, schools can reduce the storage they need to purchase and maintain and minimize the computing power required to store and access their data. In addition, by following good data hygiene practices, schools can keep their data organized and ensure that they’re not storing unnecessary or duplicate data, a common practice that takes up valuable storage space and consumes resources.
4. Conduct regular risk assessments
Like all organizations, schools are constantly dealing with new and complex threats. But schools, with their busy agendas and limited resources, often have no idea about the ability of their existing security measures to combat those threats. Regular risk assessments will help them pinpoint potential security threats—and determine their level of preparedness to defend against them.
By conducting these assessments, schools can keep up with the latest threats and take the necessary steps to mitigate them. The law requires many schools to conduct regular risk assessments to ensure compliance with current regulations. These assessments are vital because they help protect valuable data assets and ensure the safety of their students, staff, and facilities.
Final thoughts
As schools embrace more and more technology in their day-to-day operations, it is essential that they also prioritize data protection and educate students and staff on the importance of security. By taking proactive measures to defend sensitive information, schools ensure mandatory compliance with current laws and create a safer and more secure learning environment.
Related:
Could nearly half of cybersecurity leaders leave their roles by 2025?
What school leaders need to know about organized cybercrime
- High school students say AI will change the workforce - April 18, 2024
- Motivating students using the Self-Determination Theory - April 17, 2024
- Michigan Virtual’s statewide workgroup releasing AI guidance for K-12 educators - April 17, 2024
