On Sept. 6, the FBI’s Cybersecurity and Infrastructure Security Agency warned that “[cyber] attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks.” The alert came amid a rash of attacks — at least seven since Aug. 1 — most notably the ransomware attack on the Los Angeles Unified School District over Labor Day weekend. It was another wake-up call to evaluate your district’s cybersecurity approach.
In the last few years, technology use in our schools has grown much faster than ever before, outpacing the delivery of the necessary training. At Sunflower County Consolidated School District in Indianola, Miss., we had to quickly adopt an online learning management system and other digital learning tools. The sudden necessity of technology for learning meant we often lacked the time to train staff, teachers and students about security risks creating, in part, the “perceived opportunities” referenced in the FBI’s alert.
Addressing these perceived opportunities will not be easy. The private sector has built security training and systems more slowly, as technology use grew over decades. Our schools, on the other hand, must build systems and training quickly with significantly lower budgets and ensure that they’re inclusive for a more diverse set of end users, including families, children and staff.
Training is a common cybersecurity approach employed by districts and is now nearly ubiquitous in schools; indeed, according to a recent Clever survey, more than 90% of administrators planned to provide teachers with training on cybersecurity and data privacy this year. But the reality is that no amount of training will ever guarantee security.
Starting your cybersecurity approach
First, it’s difficult to identify who poses the greatest risk. For instance, that same survey revealed that about 66% of K-12 administrators believe teachers present the greatest risk. Meanwhile, nearly the same percentage of K-12 teachers say students are the most vulnerable. And, as mentioned above, districts serve a wide range of users — a typical district gives access to administrators, teachers, students and families — creating a challenge for IT professionals in school districts given the greater variation in age and digital sophistication of users. School districts also face even more unique conditions: a decentralized district office with distributed authority, further complicating access and permissions.
Second and perhaps more important, training will never remove the risk of human error. After all, to err is human, and the predictability of this fallibility means there are limits to what training alone can accomplish. This is why social engineering attacks are so successful: People are always going to behave like, well, people.
With that in mind, here are three steps in that people tasked with your district’s cybersecurity approach can take to mitigate these risks:
1. Automating security processes is half the battle
It’s a simple philosophy: To secure a system from unwanted incursions, limit human interactions. Automation not only limits the chances for human error but also prevents IT departments from being stretched too thin, particularly given the influx of devices and applications over the past two years. Password control and management, a common point of access for cyberthreats, is an area that can benefit greatly from automation.
Automating identity management, single sign-on and rostering is a good place for districts to start. It ensures access for only those who should have it, keeps passwords managed and up to date, and it prevents potential points of failure in district systems by ensuring that people who should no longer have access to the systems actually don’t have it.
To ensure third-party vendors don’t introduce points of failure, districts can select solutions that automatically safeguard student privacy — such as multifactor identification or built-in controls that limit data access and sharing. Other automated processes can include vulnerability testing from a third party to identify weak spots and using systems that encrypt local or cloud files, which means they can continue operating after a ransomware attack.
2. Small, easy security steps can help in a big way
Some of the most important cybersecurity solutions are the easiest to implement. For example at Sunflower CCSD, it took us 15 minutes to set up automated identity management through our digital partner, Google and Active Directory to ensure that only people who need access to our network have it.
Districts also can reduce the number of passwords end users must remember by, for instance, adopting single sign-on tools across the district. That is an easy but important step in securing log-ins. Districts also can eliminate the reliance on users’ easy-to-guess passwords or could use simple badges and PIN codes to secure logins for students.
Implementing multifactor authentication is another standard cybersecurity approach that can add more layers of protection. Multifactor authentication solutions that have controls to prohibit logins from certain networks or locations, as well as those that support hardware or application-based tokens as factors, can provide smart yet simple account security. In addition, teachers can use the tool discovery processes to choose apps that have been vetted for privacy and security.
Low-tech steps include asking teachers to use sticky notes as a reminder to close their computers when they walk away from their desk.
3. Simplify the path for reporting security issues
Every district’s cybersecurity approach needs a clear, simple path for reporting security issues, such as phishing or password attacks, that every stakeholder can use. Schools can easily dedicate an email address for this purpose, something like email@example.com. Additionally, collecting regular feedback from all groups of users — administrators and teachers, students and parents — about their security concerns can help district leaders design and implement systems that users are more likely to use.
Even delivering relatively light-touch training on security red flags and how to identify and easily report phishing and malware can help staff be prepared for the inevitable cyberattacks. The goal is making each system user feel like they’re part of a larger effort to thwart hackers and making it very easy for them to take the steps necessary to keep the system secure.
A district’s technology is most secure when all users understand the role they play in safeguarding privacy. There’s no such thing as providing employees with too much information.
Dylan Jones is the data and information technology specialist at Sunflower County Consolidated School District in Indianola, Miss.
Mohit Gupta is the group product manager at digital learning company Clever, which conducted a survey on schools and cybersecurity.
Opinions expressed by SmartBrief contributors are their own.