Educational institutions, particularly public schools, provide hackers with soft targets. Threat actors, whether internal or external, are violating students’ rights—hacks have the potential to wreak havoc on the lives of students, staff, faculty, parents, and administrators. Education leaders should take a proactive stance by prioritizing significant changes to their policies for protecting their students’ and staff’s personally identifiable information (PII).
Critical Insight is dedicated to defending essential services with best-in-class cybersecurity solutions, including schools and school districts. While schools may have tight funds and overworked IT staff, we have identified the top priorities for strengthening schools’ cybersecurity postures. Adopting a few of the recommendations is a start.
Educational institutions manage massive amounts of data and access both students’ and staff’s personal, institutional, and healthcare information. This, however, exposes them to cybersecurity threats. In 2019, the United States was hit by multiple ransomware attacks, affecting 89 universities, colleges, and school districts — potentially up to 1,233 institutions.
Although US federal laws impose stringent cybersecurity requirements, the sheer volume of these regulations (and their constant updating) makes it difficult for educational institutions to comply with all of them. This article emphasizes the critical nature of protecting student data, outlines the major cybersecurity standards, laws, and regulations that apply to educational institutions, and offers seven best practices for developing a robust cybersecurity strategy.
Results That Schools Should Avoid
Why are schools singled out? Cybercriminals are opportunistic, and student data is deemed impure. Internal threats, such as overzealous students, can also disrupt school operations.
Security breaches can cause havoc for students, faculty, and administration.
The following are the most serious consequences to avoid:
- Student Records Unauthorized Disclosure and Theft
- Breach and Hacking of Educational Institutions and Student Data
- Phishing and Misuse of Credentials
- Corrupting the Technology and Security Systems in Schools
- Extortion Ransomware
As a result, stolen identities, fraudulent tax returns, payroll and third-party payments redirected to cybercriminals, altered or destroyed school records, defaced or hijacked websites and social media, and schools closing are all possible outcomes.
The most unpleasant consequence of an attack on an educational institution is financial loss, including fines for failing to comply with cybersecurity requirements and costs associated with recovery. For instance, the Rockville Centre education department in Nassau County, New York, paid nearly $100,000 to restore its communications systems and data following a July 2019 Ryuk ransomware attack.
Securing students’ personal information is critical to avoid both financial loss and reputational damage. Negative publicity can deter prospective students and discourage government agencies and businesses from collaborating on research projects.
The following are ten priorities schools must address to mitigate their cybersecurity risks.
Monitoring of Networks and Data
If managed properly, network and data monitoring can detect malicious activity; typically, this responsibility is shared between upcoming technology trends and information technology administrators or outsourced to a cybersecurity service such as Critical Insight. Schools throughout the United States have reported incidents of crypto-mining, which can be identified if the network is properly monitored against a baseline of normal activity. By identifying affected assets that require quarantine, proper monitoring can help prevent security breaches. Trained IT staff are critical for network monitoring and for analysis of alerts issued by manufacturers of on-campus technologies.
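The baseline comparison described above can be sketched as follows. This is an added example, not code from the original article or from Critical Insight; the flow-record fields, the baseline port set, and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Outbound ports considered normal for this (hypothetical) district network.
BASELINE_PORTS = {53, 80, 123, 443}
# JSON-RPC method names used by the Stratum mining protocol.
STRATUM_METHODS = ("mining.subscribe", "mining.authorize", "mining.submit")

# Constructed flow records; field names are assumptions, not a product schema.
SAMPLE_FLOWS = [
    {"src": "10.20.4.17", "dst": "203.0.113.50", "dport": 3333, "duration_s": 14400,
     "bytes_out": 91000, "payload_head": '{"id":1,"method":"mining.subscribe","params":[]}'},
    {"src": "10.20.4.17", "dst": "203.0.113.50", "dport": 3333, "duration_s": 10800,
     "bytes_out": 70000, "payload_head": ""},
    {"src": "10.20.7.80", "dst": "198.51.100.9", "dport": 443, "duration_s": 35,
     "bytes_out": 5200, "payload_head": ""},
    {"src": "10.20.9.3", "dst": "198.51.100.77", "dport": 8443, "duration_s": 20,
     "bytes_out": 900, "payload_head": ""},
    {"src": "10.20.5.61", "dst": "192.0.2.14", "dport": 14444, "duration_s": 28800,
     "bytes_out": 150000, "payload_head": ""},
]

def mining_suspects(flows, baseline_ports=BASELINE_PORTS, min_duration_s=3600):
    """Return {host: sorted reasons} for hosts whose traffic deviates from the baseline."""
    reasons = defaultdict(set)
    for f in flows:
        # Signal 1: a Stratum method name in the first client payload bytes.
        if any(m in f["payload_head"] for m in STRATUM_METHODS):
            reasons[f["src"]].add("stratum-handshake")
        # Signal 2: a long-lived session to a port outside the baseline. Miners
        # keep one pool connection open for hours, unlike short web requests.
        if f["dport"] not in baseline_ports and f["duration_s"] >= min_duration_s:
            reasons[f["src"]].add("long-lived-offbaseline:%d" % f["dport"])
    return {host: sorted(r) for host, r in reasons.items()}

if __name__ == "__main__":
    for host, why in sorted(mining_suspects(SAMPLE_FLOWS).items()):
        print("quarantine candidate", host, why)
```

The short session to port 8443 is not flagged: an off-baseline port alone is not treated as evidence, which keeps the alert volume manageable for a small IT staff.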
Detection and Response to Incidents
Information on about 330,000 professional school staff in Pennsylvania is stored in the Pennsylvania Department of Education’s Teacher Information Management System (TIMS). On February 22, 2018, the site was potentially compromised for 30 minutes due to human error in the governor’s Office of Administration. Rapid response measures included:
- Shutting down the website.
- Offering affected users one year of free credit monitoring.
- Developing a plan to rectify the error and prevent future incidents.
While it is unknown how the incident was discovered (a TIMS user most likely reported it), detection and response were critical in this incident for the Pennsylvania Department of Education. Rapid detection and response matter, and incident response preparation is essential for mitigating the impact of foreseeable events.
Vulnerability Scanning and Patch Management
Regular vulnerability scanning can help prevent exploits of known vulnerabilities. Vulnerability scanning technology is only as effective as the organization’s implementation: if the technology is out of date, schools may delay patching well-known vulnerabilities. If funding constraints prevent upgrading legacy systems, additional cybersecurity procedures, regulation of cognitive processes, and stop-gap technologies must be put in place to secure those systems. Patching security flaws is a significant issue for schools. According to a recent report, many school districts across the country have yet to patch for WannaCry/EternalBlue, despite Microsoft issuing emergency patches to address the vulnerability two years ago. That was the headline-grabbing vulnerability following the cyberattack on the City of Baltimore.
Protective Measures
Schools should use a standardized framework, such as the NIST-CSF, to determine and implement the appropriate level of protective controls. Intrusion prevention systems, application firewalls, URL filtering, email security, vulnerability management, anti-virus software, staff training, and data loss prevention are all considered standard controls.
Physical access to technology is also included in protective controls. A University of Iowa student stole credentials and gained access to the school’s network to change his and five other students’ grades. While anti-virus software can detect software-based keyloggers as malware, the risk of physical keyloggers can be mitigated by utilizing keystroke encryption software, virtual keyboards for password logins, and behavioural analysis software capable of detecting keylogger behaviour. Physical access control for campus computers can be strengthened through simple measures such as monitoring computer room access and utilizing privacy filters on computer monitors.
Segmentation of Networks
Numerous compromises are caused by students hacking the school’s network. A properly segmented network can prevent threat actors from escalating privilege access via lateral and horizontal network movement. When a school or district’s network is designed, IT professionals should set aside systems for private and regulated data. Lower priority activities can be delegated to a dedicated network area to accommodate student and staff personal devices and guest usage.
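One way to check that a rule set actually enforces this separation is shown below. It is an added example, not part of the original article; the zone names, address ranges, and the first-match ACL format are assumptions constructed for illustration.

```python
import ipaddress

# Hypothetical zones for a district network (addresses are constructed).
ZONES = {
    "guest_byod": ipaddress.ip_network("10.50.0.0/16"),
    "student_lab": ipaddress.ip_network("10.20.0.0/16"),
    "staff": ipaddress.ip_network("10.30.0.0/16"),
    "regulated": ipaddress.ip_network("10.10.0.0/24"),  # private and regulated data
}
# Policy assumption: only these source zones may reach the regulated zone.
ALLOWED_TO_REGULATED = {"staff"}

# Constructed first-match ACL: (action, source CIDR, destination CIDR).
ACL = [
    ("deny", "10.50.0.0/16", "10.10.0.0/24"),
    ("permit", "10.30.0.0/16", "10.10.0.0/24"),
    ("permit", "10.20.0.0/16", "10.0.0.0/8"),  # too broad: also covers regulated
    ("deny", "0.0.0.0/0", "0.0.0.0/0"),
]

def first_permit(acl, src_zone, dst_zone):
    """Index of the first rule letting some src_zone traffic into dst_zone, else None."""
    for i, (action, src, dst) in enumerate(acl):
        rs, rd = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if not (rs.overlaps(src_zone) and rd.overlaps(dst_zone)):
            continue
        if action == "permit":
            return i  # conservative: any overlapping permit counts as a leak
        if src_zone.subnet_of(rs) and dst_zone.subnet_of(rd):
            return None  # deny covers the whole pair; later rules never match
        # A partial deny leaves some traffic to fall through, so keep scanning.
    return None  # nothing matched: implicit deny

def segmentation_violations(acl, zones=ZONES, allowed=ALLOWED_TO_REGULATED):
    """Map each disallowed source zone to the rule index that exposes regulated data."""
    found = {}
    for name, net in zones.items():
        if name == "regulated" or name in allowed:
            continue
        hit = first_permit(acl, net, zones["regulated"])
        if hit is not None:
            found[name] = hit
    return found

if __name__ == "__main__":
    for zone, rule in segmentation_violations(ACL).items():
        print("zone %s reaches regulated data via rule %d: %s" % (zone, rule, ACL[rule]))
```

Here the student lab reaches the regulated segment through the broad rule at index 2; placing an explicit deny for that pair ahead of it clears the finding.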
User Education and Security Awareness Training
Unsuspecting school employees may be easy to phish. As an example, in early 2018, an employee of the Rockdale Independent School District’s finance department received a “sophisticated” phishing email purporting to be from the district’s superintendent. The staff member complied with the threat actor’s request for 300+ district employees’ W-2 tax forms. This ultimately resulted in widespread identity theft and tax fraud among school employees. Information security awareness courses can reduce malicious email, link, and attachment clicks by an average of 20%.
In 2018, 45% of educational incidents were committed or caused by the affected school community members. This means that all users could benefit from cybersecurity training, from students to employees to faculty and managers.
Control of User Access
Schools and districts should adhere to and enforce the principle of least privilege. This policy can assist in thwarting privilege escalation, a technique hackers frequently use to move around the network and cause damage.
Password Management Policies
Password policies are frequently absent or unenforced in schools. Student hackers eager to manipulate grades or simply gain access exploit staff members. In one instance, a faculty member shared an administrative login with a student, who then used privilege escalation techniques to discover that IT staff was using default passwords to push updates throughout the district. A policy that includes password standards, multi-factor authentication, and enforcement mechanisms can help ensure that neither students nor bad actors gain unauthorized access to private information or critical service operations. While urban school administrators suggest that this priority has been elevated on their list of cybersecurity projects, rural schools have lagged in implementing such policies.
Management of Third-Party Vendors
Vendors may not be as concerned with cybersecurity and data privacy as you are. Consider the following before contracting with a third party to manage your data, network, and associated services. One general rule is to thoroughly vet free services—because the adage still holds: “If you’re not paying for it, you’re the product being sold.” Additionally, if you are responsible for a school network, a free product with ambiguous terms and conditions may increase your risk of violating CIPA, COPPA, or FERPA.
Information Technology Security Management
In 2019, 35% of reported education breaches resulted from “miscellaneous errors” caused by humans. To address this, educational institutions and districts should “clean up human error as much as possible – then establish a baseline level of security all over internet-facing assets such as web servers.” Two-factor authentication is a recommended security measure for web servers. Leaders, department heads, and IT professionals can use IT security governance to align and enforce the highest security priorities, significantly reducing incidents caused by human error.
Before we discuss cyber security techniques for ensuring comprehensive data protection, let’s review educational institutions’ most critical compliance requirements.
Conclusion
Complying with all applicable regulations and ensuring data security in higher education institutions is a difficult and ongoing process. Educational institution standards are constantly updated, and hackers and malicious insiders may devise new ways to compromise and steal your sensitive data.
We hope the practices outlined above will assist you in developing a strong cybersecurity strategy and adhering to industry standards. With Ekran System, you can significantly strengthen your insider threat defences, protect students’ data, and move closer to full compliance.