When the pandemic pushed work into homes, the educational sector was no different: schools worldwide pivoted to virtual learning. This sudden shift, made without a proper cybersecurity foundation, exposed educational institutions to serious cyber threats.
In response to the continuous drumbeat of cyber intrusions, many countries began drafting cybersecurity guidelines specifically tailored to help educational institutions confront these risks. For instance, the United States enacted the K–12 Cybersecurity Act of 2021, which emphasizes preventive and mitigation techniques to address cybersecurity risks in elementary and secondary schools. In fact, North Dakota’s Governor, Doug Burgum, made history in March 2023 by signing the bill making cybersecurity a mandatory course for K-12 students.
However, even with these efforts, it's still important for each educational institution to ask itself: Are we truly prepared to face a cybersecurity crisis?
The Anatomy of an Attack Surface
A leading provider of student-tracking software, Illuminate Education, fell victim to a breach last year, leaking the personal information of about 820,000 current and former students. Disturbingly, the compromised data included more sensitive details such as student tardiness rates, migrant status, behavioural incidents, and descriptions of disabilities. The consequences of such breaches are not only financially burdensome for schools but also emotionally draining for the victims. It is a risk the K-12 sector simply cannot afford to take!
So, where did we lose our footing? The answer lies in the rapid transition to digital learning. Cyberattacks existed before, but the fact that schools couldn’t deploy the right security infrastructure alongside remote work made the education sector an easy target.
The use of devices on unprotected networks turns out to be a common practice. Not only are the devices and networks vulnerable, but users also start installing free applications without proper vetting, making them vulnerable to cyberattacks.
Another critical factor we must acknowledge is the insufficient IT resources and cybersecurity capacity within educational institutions. Overwhelmed IT departments are always left grappling with the challenges of troubleshooting devices remotely, forcing them to deploy quick fixes without proper security protocols. This desperate move only further compromises the defences, leaving universities exposed to cyber threats.
To tackle these attacks head-on, universities need to understand the anatomy of their attack surface, take proactive measures, and fortify their defences accordingly. It is crucial for every K–12 organization to establish a written Incident Response Plan (IRP) and regularly exercise it. The plan should define what an organization needs to do before, during, and after an actual or prospective security incident.
Building towards a Mature Cybersecurity Plan
Many educational institutions fail to implement basic security measures such as multi-factor authentication (MFA) or encryption, as was noticed in the case of Chegg, an education technology company. The company was sued by the U.S. Federal Trade Commission (FTC) for exposing sensitive information in four separate breaches since 2017. It was noted that the company deployed outdated and inadequate encryption techniques while storing users' personal information in plain text on its cloud storage databases.
Institutions often face the common challenge of encountering malicious websites or installing potentially dangerous applications. In September 2022, a staff member of the South Redford School District clicked on a malicious link, forcing the institute to postpone classes for multiple days. Even though South Redford's attack was ultimately caused by a malicious link, going forward, anything like a compromised identity, website, or endpoint might become a window for an attack.
To prevent such incidents, it is crucial for businesses to invest in comprehensive solutions that can prevent attacks on multiple fronts. For instance, having a unified endpoint management (UEM) strategy could offer admins complete visibility over logged-in users, their endpoints, and the applications they use. This understanding will help IT admins effectively filter, block and control suspicious activities. In addition, administrators can lock devices down to specific applications, maximizing student productivity. For an industry that hasn’t picked up on investing in IT security, securing the endpoints is the first step. The edtech sector still lags in terms of IT infrastructure, and with non-existent IT teams it becomes even more crucial to understand the scope of an attack and how to react to it.
From a privacy standpoint, the adoption of an identity and access management (IAM) framework would ensure that the right users have appropriate access to necessary resources. Considering that the personal data of children has been more sought after on the black market than that of adults, it is necessary that IT admins remain alert to unwarranted data or admin access. Furthermore, deploying a data loss prevention (DLP) program will help network administrators monitor and manage the transmission of data, thereby preventing employees from transferring confidential information beyond the perimeters of a business.
Thinking outside the Perimeter
Perimeter-based legacy solutions like Virtual Private Networks (VPNs) and firewalls have proven to be effective in protecting school networks. However, when students began switching to their home Wi-Fi, it presented new challenges. Firewalls tend to trust every device and user logged into the school network, and when it comes to virtual learning, this model seems flawed. Moreover, every other legacy solution built on the castle-and-moat approach tends to classify anything that extends past the educational boundary as hostile, which occasionally causes performance bottlenecks.
In response to this current hiccup, the US government has mandated the implementation of a zero-trust architecture. Unlike VPNs that instantly trust endpoints within predefined perimeters, Zero Trust Network Access (ZTNA) performs regular authentication and authorization checks to prevent users from gaining unrestricted access to an organization's systems. Essentially, the core principle is that users should not have free rein to navigate within an organization's systems solely based on their password. There ought to be additional verification methods that can verify that users are who they claim to be.
Ultimately, while mobile technologies and collaboration suites improve student performance and network security, K-12 institutions should avoid excessive investment in a single solution and instead develop a cybersecurity framework tailored to their specific needs.
About the Author: Apu Pavithran
Apu Pavithran is the founder and CEO of Hexnode, the award-winning Unified Endpoint Management (UEM) platform. Hexnode helps businesses manage mobile, desktop and workplace IoT devices from a single place. Recognized in the IT management community as a consultant, speaker and thought leader, Apu has been a strong advocate for IT governance and Information security management. He is passionate about entrepreneurship and devotes a substantial amount of time to working with startups and encouraging aspiring entrepreneurs. He also finds time from his busy schedule to contribute articles and insights on topics he strongly feels about.