Schools Are a Cybersecurity Nightmare. What Can We Do About It?
COMMENTARY | Educational institutions are alarmingly vulnerable to cyberattack. With schools across the country moving to more distance learning, it's time to change that.
Schools and universities in all 50 states, along with U.S. territories, have closed to prevent further spread of the novel coronavirus, resulting in a mass migration to online learning. As classes move online, so does more of our students' information and records.
The move to online instruction means that an increasing number of students also will be doing schoolwork from potentially unsecure networks like their home WiFi.
With faculty and administrators scrambling to make decisions to ensure minimal disruption to classroom instruction, this hasty decision making will result in a rush to install new software and applications as quickly as possible—without considering the cybersecurity of these systems.
This is an ideal scenario for cyberattacks.
Hackers know that in all the rush, many schools may adopt applications and software with vulnerabilities. While schools are being forced to implement changes quickly, cybersecurity must still be taken seriously and made a priority to keep students safe.
Schools in the United States were already very far behind in cybersecurity. Falling short of acceptable standards in risk management, compliance, threat awareness and general security hygiene, education was ranked last for cybersecurity prevention measures out of 17 industries in a 2018 report.
“The lack of resources and attention to cybersecurity in schools and universities should be a cause for serious concern among students, parents, school boards, and the education industry as a whole,” said SecurityScorecard COO and co-founder Sam Kassoumeh. “Schools collect an incredible and vastly increasing amount of personal data about students. At the same time research universities house valuable IP. Securing these networks and protecting this information is essential to protect the future of innovation and privacy.”
Malicious actors are very aware of the poor security practices of educational institutions and the troves of sensitive data they collect. It’s probably why cyberattacks on educational institutions are on the rise. In 2019, there were 301 reported attacks against schools, more than double the amount during the previous year. And those are just the ones we're aware of.
Despite that, educational institutions still take an abysmally lax approach to securing the sensitive data they collect. It’s time to change that.
The problem is that most schools, like many other sectors, simply do not have the necessary resources for a well-trained, fully-staffed IT department. As infrastructure grows more complex and cyberattacks become more sophisticated, IT departments struggle to keep up.
While schools could use an increase in the IT budget and hire more cybersecurity professionals, in most cases, that’s not realistic. In the absence of increased funding, how can schools improve cybersecurity with existing resources?
1. Keep software up to date
The vast majority of successful cyberattacks are unsophisticated breaches that prey on human ignorance, target existing software vulnerabilities or both. Unpatched vulnerabilities are easily exploited, and are the direct cause of at least a third of all cyberattacks.
By ensuring your operating system and software are up to date, you can help mitigate the threat. School IT departments should configure the operating system of all computers within the institution to automatically update when a new security patch is available. Schools can work with virtual patching companies to automate software updates. Additionally, the IT department should schedule regular reminders for students and staff on how to keep their software up to date.
2. Consider investing in automation
Seventy-three percent of security teams are understaffed. To address that, IT departments are increasingly turning to artificial intelligence and machine learning for automated network monitoring, threat detection, and attack mitigation solutions. This can take a lot of pressure off an IT staff, leaving them free to focus their efforts elsewhere.
While this requires some upfront costs, it will lead to cost savings and less risk over the long term, as schools streamline the IT architecture, quickly pinpoint when to eliminate old systems and use fewer man-hours to secure IT systems.
3. Promote awareness
The greatest cybersecurity threat in a school is its people. This is especially true given that more schools than ever are now handing out devices to students and teachers. While this enables more effective learning, the sheer number of potentially unmanaged devices connected to your network represents a significant risk.
You need to establish this risk and educate both students and faculty. Perhaps the most important takeaway is to teach students, faculty and parents the importance of cybersecurity and educate them on how to properly navigate online learning, take precautions and keep themselves from becoming victims of cyberattacks.
Devise and distribute a comprehensive set of security guidelines which include acceptable use for mobile devices along with password and email policies. Additionally, take the time to coach everyone on how to recognize and avoid common attack methods such as phishing emails.
4. Maintain backups
It's safe to assume that most schools would be caught off-guard if they are attacked by ransomware. They will be forced to either pay the ransom or risk significant loss of data and systems.
Data is a critical asset and schools should have at least two systems to back it up that are isolated from the core network. These backups should additionally be secured in the same way as your systems, with strict access controls, secure firewalls and anti-malware tools.
While these are basic steps, they will go a long way in improving cybersecurity in schools and reducing the overall risk of public sector breaches.
Max Emelianov started HostForWeb in 2001. In his role as HostForWeb’s CEO, he focuses on teamwork and providing the best support for his customers while delivering cutting-edge web hosting services.