The team from thinkCSC recently attended the Ohio Educational Technology Conference (OETC), the premier P-20 state educational technology conference. One thing that became very clear to us after being at this conference was that educators are excited about edtech. They love the way technology can empower them, make them more efficient, and better engage their students in learning.
Edtech is the future of education, but for district administrators, it’s a difficult balancing act to incorporate the right technology while still managing regulatory compliance, protecting student data, and minimizing downtime. That’s where thinkCSC comes in. Our team has more than two decades of experience working with schools to ensure they have the infrastructure they need, to extend the reach of their internal IT teams, and to provide expert guidance as they plan for each upcoming school year.
Schools Are a Target for Cybercrime
Each year, we learn of yet another school that has been targeted by hackers with sophisticated phishing schemes. According to Security Boulevard, schools are only second behind local governments in being the most targeted organizations for cybercrime. One hundred and sixty security problems were reported in July and August of 2019 – more than the total incidents reported for the whole of 2018. All it takes is one click of a link or one download of a file to compromise your entire network and leave your school vulnerable to the demands of hackers. Ransom demands have escalated in recent years, with public entities, such as schools and municipalities, being forced to pay exorbitant ransoms in order to regain access to their data.
Part of the problem from our point of view is that data governance for schools is largely focused on student data protection (and rightly so) through FERPA (Family Educational Rights and Privacy Act) and CIPA (Children’s Internet Protection Act), but there are no specific cybersecurity compliance requirements for schools to observe – which means there are no fully outlined best practices that school administrators can rely on for planning. Considering the amount of data that schools collect on students, from identifying data, such as social security numbers and home addresses, to biometric data, such as health records, a breach represents an unimaginable risk for schools.
Healthcare, retail, and banking industries are all heavily regulated, and organizations in those verticals undergo intense and regular audits – not so in education. Yet the stakes are just as high. Student records can include social security numbers, medical information, familial information, and address information. Hackers could potentially open lines of credit using student data.
IT Security for Schools: What Can Schools Do to Be More Cybersecure?
According to the Consortium for School Networking, “cybersecurity is the number one priority for school system technology administrators, and the top challenges facing IT leaders are lack of budget resources, the need for more professional development and removing department silos within their districts.” Better cybersecurity management is critical for today’s schools, both to meet compliance requirements and to manage risk more effectively. We recommend the following measures:
Establish Least-Privilege Protocols
When it comes to IT security for schools, treat data with a need-t0-know mentality. If they don’t need to know, they don’t need access. Least privilege means people should only be given access to what they need to do to perform their jobs. One of the most important ways you can limit risk in your school is to limit who has access to your data. From fully vetting edtech vendors to requiring the use of SSO (single sign-on) solution, you can eliminate some risk. Establish policies that prevent individual teachers from “going rogue” and introducing their own edtech; require students to participate in cybersecurity training and agree to abide by established security policies. Some actions to consider:
- Create security groups based on department or segment (for example, students don’t need the same access that teachers do and teachers don’t need full access to health records, etc.)
- Disable inactive admin accounts immediately
- Limit access to need
- Prohibit student access to admin accounts
Avoid Postponing Patches
One of the biggest risk mitigation tools available to improve IT security for schools is timely patching. School IT departments are spread thin and juggle many responsibilities. What often happens as a result is that patching gets put on the back burner or doesn’t happen at all. This allows an outsider to send a phishing email with a malware file attachment that, once opened, can take advantage of unpatched software. From there, the malware can install a backdoor and continue to exploit your network through data exfiltration, destruction, or encryption.
Balance Connectivity with Security
Right now, virtually everything connects to the internet – printers, TVs, and cameras included. Just because something can connect to the internet, however, doesn’t mean that it should. Schools should inventory their internet-capable hardware, establish policies about internet usage and connectivity, and lock down the school network so that outside or disapproved hardware simply cannot connect. This includes printers, cameras, TVs, IoT devices, and even student mobile devices. To protect your network,
- Develop and disseminate MDM and BYOD policies
- Restrict new devices by default
- Restrict access to any device that is not necessary for educational or school administrative purposes
- Restrict access to devices that are connected
Never Overlook the Human Element
No matter how many times employees are trained and reminded, we find that they often click on links in emails and open files almost without thinking. They also write down passwords and leave them in conspicuous places, use and reuse passwords that have been assigned to various other logins, and leave their computers logged in when they are away from their desks. Security training should be mandatory, not just for new hires but on a regular basis for every employee.
IT Security for Schools: Don’t Pay – Plan
Paying ransoms simply encourages criminals to attack more schools and public entities. We’ve seen it happen: one school or municipality is coerced into paying a ransom to unlock their files, and almost immediately, another school or municipality is targeted. No school can prevent every ransomware attack – the risk of human error is too high. But you can have a plan to limit your risk and to prepare your school for alternate ways to handle any crisis that does come up.
Your Cybersecurity Plan Should Include:
- NIST-based Cybersecurity Assessment
- Vulnerability Assessment
- Security Awareness Training
- Incident Response Plan
This means establishing not only onsite network backups but also offsite, secure backups. It means having a plan for what your school would do during the process of recovery (which takes time) so that you could continue to function during the recovery period, because even if you do pay the ransom and are given a way to decrypt your files, it can still take an enormous amount of time to get back up and running. Instead of paying, plan:
- Prepare for the worst
- Identify the threat
- Contain the threat
- Investigate the cause
- Eradicate the malware
- Recover your data and network
- Adjust to prevent future occurrences
Create an EdTech Policy Manual
To ensure that everyone in your district is playing by the same rules and understands the crucial nature of data security, you should have an edtech policy manual. This cannot simply be a 25-pound dust-covered binder sitting in an IT administrator’s office, but rather a functioning and adaptable, up-to-date document that is accessible by every employee. And every employee should be required to acknowledge that they’ve read and understood the rules and be held accountable for any breach. Your manual should identify how edtech is approved and who the people involved in the approval process are, the requirements edtech vendors must commit to in order to be considered, and the security and privacy requirements every edtech solution and vendor must meet. But more than just writing it down and disseminating it, you must actually use the manual as a guide to help prevent unnecessary edtech from being introduced to your school network.
Schools must take cybersecurity seriously. It requires a combination of tactics that include layers of security, controlling access to the network, training employees, and detecting threats as early as possible.
thinkCSC works closely with many Ohio School Districts to help keep their data safe and available. We deploy innovative, affordable technology to help your schools maximize network efficiencies and minimize external threats. With a specific focus on the needs of educational institutions of every size, we offer unique solutions, dedicated technical support and expertise, and state-of-the-art security solutions specifically designed to meet the unique demands that apply in an educational setting. Contact us to learn more.