When it comes to security, schools have unique challenges. It’s difficult to think of another type of organization that combines the functions of education, healthcare, finance, retail, and research, among the other usual administrative departments like human resources and accounting.
When you couple this breadth of service with an alphabet soup of security compliance regulations, the expectation of an openness of information within and without the organization, and potentially a very limited budget, security becomes orders of magnitude more challenging than usual.
Cybercriminals are seizing this opportunity with increasing force, and schools are feeling the squeeze. In Educause’s 2015 poll, security issues occupied the bottom slots of the top ten areas of concern for CIOs and IT leaders in education. In 2016 and 2017, Information Security was considered the number one IT issue.
For better or worse, the retail and healthcare industries have had their day in the spotlight because of the sheer enormity of the losses from a few of the more notable breach victims. This has forced both industries to address their shortcomings in a very public way, due to governmental and customer pressure. The lack of mega breaches contributing massive numbers of lost records may give some educational institutions a false sense of the size of the problem.
According to the Privacy Rights Clearinghouse, there were only 19 breaches in the education sector in 2016, comprising fewer than 65,000 records. But of these 19 breaches, 11 report an unknown number of records accessed, so their totals were not included.
Five other breaches comprising as many as 613,000 more records were not counted, as the total number of records was not verified. Because the dataset is so incomplete, the true scope of the problem is not clear.
Children are targeted for identity theft at a much higher rate than adults, though this too is an underreported occurrence. And the consequences of a school’s security lapse could follow them for a lifetime.
How do you address a threat you can’t measure?
One of the first steps that security experts recommend is a thorough and ongoing risk assessment. A big part of the point of this process is to get visibility into your environment. This is particularly challenging in school networks as they have a more itinerant population than most other types of organizations, but this simply underlines the importance of making this a regular task rather than a yearly chore.
With that increased visibility, you get a number of additional benefits. Not only does it improve reporting and tracking of security incidents; it helps highlight anomalous events. In an industry where budget cuts seem to be a regular occurrence, it can help justify the necessity of budget items, and help assure more appropriate levels of coverage with whatever money is allotted. And, with better monitoring of assets come faster responses to security events.
What to do with that information?
Now that you’re aware of your assets and their risks, the next step is to mitigate that risk. This may seem overwhelming as the number of threats discovered every day grows by leaps and bounds. Rather than focus on individual threats, it can be helpful to focus instead on how those threats might get into your environment.
Many threats spread stealthily, using automated methods to exploit system and network vulnerabilities. Other threats rely on social engineering tactics to lure victims via the web or email. This points to two separate problems: one that is technological, and one that is entirely human.
Methods for improving technology
The simplest software applications contain millions of lines of code. If even a tiny fraction of a percent of those lines contain errors, this means there is a significant number of potential errors in every program or device.
While some of those mistakes will lead to simple crashes, some of them will be more serious and could allow someone to steal data or run malicious code. Some of those flaws could remain unpublished for years, and might be used quietly for misdeeds for quite some time.
Every device and application has the potential to be a point of weakness in your network, but some items carry more risk than others. There are some devices that will necessarily be wholly under your control, and some that will be mostly outside your sphere of influence. But even the risk of relatively uncontrolled devices can be decreased:
Update early and often
Most of us are aware of the necessity of regular software updates at this point. But it’s not just your desktop, laptop and mobile devices that need to be checked, and not all devices prompt you when new updates are available. Routers also need to be updated, though you will likely need to check manually for when an update is available.
Keep uncontrolled devices, such as mobile devices or laptops brought by staff or students and internet-connected “Smart” devices, in areas of your network that are unconnected to areas where sensitive data resides, e.g. payroll information, healthcare records, and research data. Keep the sensitive areas of the network separate from each other, so that an attacker cannot use a less-secured device in your environment to get to a more valuable area.
Principle of least privilege
Don’t give any individual, system or part of your network any more access than is absolutely necessary to perform approved job functions. For example, you should carefully consider whether employees must have administrator-level access to their machines, or access to areas of the network outside their own departments.
Authentication and authorization
Use more than simple usernames and passwords to verify your users’ identities, especially on machines with valuable or sensitive information. Two-factor authentication is now available on most online services, and can be easily added to your own login processes. Don’t stop with merely verifying a user’s identity; couple this with the Principle of Least Privilege to assign what each user is authorized to access.
Filtering network traffic
Use web and email filters that check for spam and phishing and that block popular file types used by malware authors, as this can help decrease the risk of malware reaching your users.
Anti-malware software used on the gateway, network and endpoint can help identify and prevent malware from entering your network, or decrease damage done if it should succeed in getting past initial defenses. Firewalls and intrusion prevention software can help identify unknown or unwanted network traffic.
Sensitive data should be encrypted when it’s stored on computers and mobile devices, and when it’s sent across the network such as via email, web or instant messaging applications. This way, even if cybercriminals infiltrate your network, they may not be able to make off with your data.
Prepare for emergencies
Backups that are performed and tested regularly are a very effective way to mitigate damage caused by ransomware and other malware as well as a variety of other types of technological or natural disasters.
Methods for improving human factors
Technological solutions can help mitigate some risks, but if you’re not addressing the people using your network, your hard work may all be for naught.
If security methods cause too much hassle, or if your users don’t understand what constitutes safe computing behavior or why it’s essential, they may thwart technological protections.
Train early and often
You wouldn’t explain the whole of geometry to a student once and then leave it at that. Likewise, it’s important to give security lessons to your users in digestible chunks and then build on important concepts over time.
With research showing that 52% of data breaches are a result of user error, it is important to make it mandatory for employees to take part in some sort of cyber education. If your IT budget is strapped, you can start with a free resource like ESET’s Cybersecurity Awareness Training that recently launched; it is completely free, and can easily be given to both staff and students.
Regular testing can also be a great way to check the effectiveness of your training, to see which areas need to be revisited. Have an Acceptable Use Policy and make sure it’s posted in places where users will see it often.
See how users do their work
Security has gotten a bad reputation for being all about introducing impossible hurdles and constantly looking over people’s shoulders. By working with your users to see how they go about their daily tasks, you can tailor security measures to their needs so that those measures enable users to safely do what they need to do. If done properly, it can even help users strengthen their privacy.
Reward safer behavior
Users are the eyes and ears of your network. By enlisting their help to determine what is normal or anomalous behavior, and rewarding safer behavior, you can offer users more incentive to help improve your organization’s security.
Forbes recently published an article called Why Cybersecurity Should Be a No. 1 Business Priority For 2017. I believe this is especially true for educational institutions. Schools are being hit with a wide variety of attacks; the dearth of data suggests that the effects of this are probably more severe and widespread than any of us realize. Now is the time to evaluate your security strategy and train employees, to protect our students and staff.