As a school administrator in charge of technology, the topic of cybersecurity oscillates from front of mind to back of mind on a daily basis. In light of recent events (like the LAUSD ransomware attack), it’s important not only to be aware of the latest trends but also to create some best practices for your institution.
I recently hosted a 3-part series on cybersecurity in schools. My guests included a former FBI agent, an industry expert, and a recently retired CTO of a school district. Drawing on their unique backgrounds and perspectives, I formulated the following summary of their advice and strategies to generate a list of best practices around cybersecurity in K12. (Check the bottom of the article to view the full recording of each interview.)
Cybersecurity costs money
Whether it be cyber insurance, paying off ransomware, or just money lost in attacks, cybersecurity costs money. In 2015, nearly $4 trillion was spent globally to prevent cyber attacks. By the end of 2021, that number had reached $6 trillion. By 2025, it’s predicted that cybersecurity expenses could hit $10 trillion. This problem is not going away, and spending more money to stay ahead of cyber attacks isn’t necessarily a sustainable long-term solution.
Prevention strategies are most effective.
Scott Augenbaum is a retired FBI agent who was a member of the nation’s Cyber Squad. He currently spends his time helping organizations (both commercial and educational) prevent cyber attacks from happening. During our interview he told me that of the more than 1,000 victims of a cyber attack, only a handful ever got their money/information back successfully.
It’s for these reasons that he spends a large amount of his time on prevention. During his talk he mentioned what he calls the “four truths” about cyber security.
Before we get into these “truths”, you need to have what Scott calls a “cyber secure mindset.” Technology changes at a rapid pace. We will never truly be able to outspend or keep up with the cyber criminals. However, if we have the right mindset around cybersecurity, we can prevent nearly 90% of all cyber attacks. This doesn’t mean we shouldn’t spend on the right cybersecurity tools (firewalls, filters, IP monitoring, etc), but we should also be aware of the main threats that are out there and how to avoid them.
The four truths about cyber security
1. Social engineering is the main form of attack. Social engineering happens all the time. When your kid wants something or your dog is barking to get your attention, they are acting out to get a desired behavior. In the context of IT and cybersecurity, social engineering happens when cyber criminals use deception via various mediums (email, text, phone calls, etc.) to manipulate the end user into divulging confidential information like account log-ins or sensitive data.
Social engineering gets around systems. You can have the most robust IT infrastructure in the world, but if someone social engineers their way into an administrator account with super user rights, that entire structure is for naught.
2. Identify your mission-critical accounts. These are the accounts that contain the most sensitive information. In schools we generally think first of our Student Information Systems (SIS) and our financial software. In addition to these, our email accounts provide access to many systems via third-party authentication. If you use your email to log into other systems and that email is compromised, you just compromised everything the email has access to.
3. Don’t use the same username and passwords. There are over 8 billion usernames and passwords available on the dark web. When people click on a suspicious link and use their log-in credentials, they are freely giving this information away. Former school CIO Eileen Belastock mentions that you should use different usernames and passwords between each critical system. It’s imperative to not use duplicate account log-in information to log into your SIS, email, and financial data. And whatever you do, make sure your staff isn’t posting account information in a visible area (like a sticky note on their monitor).
4. Set up strong passwords. Forcing regular password changes in your organization doesn’t guarantee any extra level of safety. In fact, many times, staff just append a different number to their passwords rather than make a wholesale password change. Using the suggested strong passwords offered by many browsers and platforms is a start. Encouraging staff to use “pass phrases” rather than just the same word with the year number can help add complexity and make it harder for hackers to guess.
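The two points in item 4, as an added example (not code from the interviews or from any vendor tool): a check that flags a "new" password that only swaps the trailing number, and a rough guess-space comparison between a word-plus-year password and a randomly generated passphrase. The word list, the dictionary and list sizes, and all function names are assumptions made for illustration.

```python
import math
import secrets

# Constructed sample list for illustration only; a real generator should draw
# from a list of thousands of words so each word adds more guessing work.
SAMPLE_WORDS = ["maple", "orbit", "candle", "river", "tundra", "pixel",
                "harbor", "velvet", "cactus", "lantern", "quartz", "meadow",
                "falcon", "ginger", "anchor", "willow"]

def split_trailing_digits(password):
    """Split 'Tigers2022' into ('Tigers', '2022')."""
    stem = password.rstrip("0123456789")
    return stem, password[len(stem):]

def is_trivial_rotation(old, new):
    """True when the 'new' password keeps the old stem and only swaps the number."""
    old_stem, _ = split_trailing_digits(old)
    new_stem, _ = split_trailing_digits(new)
    return bool(old_stem) and old_stem.lower() == new_stem.lower()

def word_plus_number_bits(dictionary_size, number_choices):
    """Guess space (in bits) for one dictionary word followed by a number."""
    return math.log2(dictionary_size * number_choices)

def passphrase_bits(word_count, list_size):
    """Guess space (in bits) for words picked independently at random."""
    return word_count * math.log2(list_size)

def generate_passphrase(word_count=4, words=SAMPLE_WORDS):
    """Pick words with the OS cryptographic random source (secrets module)."""
    return "-".join(secrets.choice(words) for _ in range(word_count))

if __name__ == "__main__":
    # Constructed passwords: a forced change that only bumps the year.
    print(is_trivial_rotation("Tigers2022", "Tigers2023"))
    # Assumed sizes: 20,000 common words x 100 plausible years,
    # versus 4 random words from a 7,776-word diceware-style list.
    print(round(word_plus_number_bits(20000, 100), 1))
    print(round(passphrase_bits(4, 7776), 1))
    print(generate_passphrase())
```

With the assumed sizes, the word-plus-year password is worth about 21 bits of guessing work, while a four-word passphrase from a 7,776-word list is worth about 52 bits.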
Some things to consider as a technology leader when it comes to cybersecurity
You can’t protect things that you can’t see. Corey Lee is a Zero Trust Architect from Microsoft. During his interview, he mentioned that oftentimes, cyber criminals will leave “breadcrumbs” scattered throughout your network over time before they commit an attack. Knowing your internet-facing assets is a great way to start increasing visibility and protecting more of the digital landscape within an environment. This becomes more imperative when schools have BYOD (Bring Your Own Device) and Cloud programs in place, which increase the number of entry points into a district’s enterprise.
With many points of exposure, districts need a modern way to monitor what is accessing their network, systems, and most importantly sensitive accounts and data. Using a tool like Microsoft Sentinel gives you a bird’s-eye view of what is accessing and interacting with your enterprise. Additional tools like XDR (Extended Detection and Response) help by automating threat detection in your system. Automating threat detection and response lets people tackle the more challenging issues and do more with less as we continue to face cyber talent shortages and resource issues in education.
Check your third-party data agreements. You could have the safest internal environment, but what happens if a company you are working with gets hacked? School districts interact with dozens of platforms and systems. These applications often integrate with existing in-house systems and often house some level of student data on their platform. Systems like Microsoft’s Defender Vulnerability Management help identify and prioritize third-party software risk by providing application risk scores and monitoring apps for suspicious behavior.
Data breaches at these companies, like this one from Illuminate just a few months ago, put all the student and district data at risk. As a school or district technology leader, you should have a data privacy agreement in place before you share sensitive data. Groups like the Student Data Privacy Consortium have a wealth of resources for districts interested in updating their data privacy practices. In addition to these resources, most states have crafted a state-wide DPA that schools can use as a framework to get started, or schools can utilize a privacy management tool.
The importance of training and on-boarding staff. Whenever a district or technology department hires new employees, they are immediately granted access to certain systems depending on their level of clearance. Staff that have access to superuser or “god level” rights to your enterprise need to have some level of cybersecurity training before they are given the keys to the cyber castle.
In addition, regularly reviewing who has access to what system should be a part of a district’s data governance. Roles can be created and adjusted for various end-users based on what access they need to systems and when they might need access to those systems. It doesn’t matter if it’s on-prem or in the cloud: the more points of superuser access schools have to their enterprise, the more points of risk they introduce.
Part of training should also be a crisis response plan should an attack happen. Identify who needs to be called and how you respond to an attack when it happens. Create a team that goes through the different scenarios of a cyber attack, and don’t forget the cost of manpower that might be necessary to bring systems back online.
Multi Factor Authentication (MFA) should be the norm. One common thread from each of the interviews was our experts’ belief in the importance of multi factor authentication. Having some level of authenticating a log-in via a text message or alternate approval makes it incredibly difficult for hackers to gain access to your enterprise. These can often
Culture and trust are key for staff and student buy-in. Eileen stressed in her interview the role communication plays in building trust within your organization. Informing staff of the “how” and “why” you put various systems in place creates a heightened level of awareness and understanding. Staff and students taking ownership of the cybersecurity conversation and embracing a “cyber secure mindset” is an important step in the journey towards being cybersecure. Adding tools and free resources to this mindset creates a system that may finally give districts a chance against the cyber criminals.
Cybersecure Mindset (2 free chapters)
Have I Been Pwned? (checking for email compromise)
Editor’s Note: This article is with paid support from Microsoft