Educational institutions have become one of the top ten lists of preferred hacking targets, joining the ranks of popular targets like finance (Capital One, Equifax), retail (Target), manufacturing and transportation. As a sector known for tight budgets and limited technical staffs, it was somewhat inevitable cybercriminals would increase targeting of school data, seeing a relatively weaker universe of potential targets. Hackers are demanding ransomware payments, crippling entire school district computer operations and capturing extensive personal data, violating the privacy of students and staff.
Hacking school computers has precedent in a popular 1983 movie, War Games. Certainly, ahead of its time, the movie featured actor Matthew Broderick as a bright high school student who, among other tricks, hacked into the school’s computer system to change his grades and that of a classmate. It was considered science fiction at the time but now hacking is a common occurrence and educators aren’t finding it as much fun as the movie – which was a box office hit.
The issue of education sector cyberattacks moved further up in the national consciousness recently when Louisiana Gov. John Bel Edwards declared a state of emergency in response to three school districts crippled by malware attacks, which shut down phone systems and locked data. The dramatic move enabled the state to access resources from the state’s National Guard, technology office and state police to remediate the intrusions.
The motivation for these attacks range from ransoming the normal workflow of a district to hacking into financial accounts to selling hijacked student identities. Regardless of the motivation, like other public sectors, education is now, more than ever, on cybercriminals’ radar and will continue to be one of the popular targets.
Stepping Up Cyber Attack Defense
Just keeping up with the myriad attack versions and new threats coming every day, burdens schools struggling to keep pace with rapidly changing technology advancements, let alone cybercriminals. In crafting a more effective defense, educational institutions have a dual challenge: executing all the risk mitigation defenses that any organization must-have in today’s cyber environment and then layering the unique aspect of student populations with their own set of user expectations. Here are practices that can help reduce risk yet maintain a productive user experience.
1. Tighten up on Administrative Privileges. Cybercriminals love penetrating networks in which administrator privileges are used everywhere. Effective malware and ransomware defense demand privileges are granted only to staff that truly require them to do their job. A school district, for example, can remove full admin rights and then selectively elevate just the privileges a user needs to do their job. Ideally, a district or institution of higher learning can implement technology that not only centrally manages credentials and grants granular rights, but enables staff to self-serve access as needed, based on their work function.
2. Educate Employees on Constant Vigilance. Costly ransomware attacks are caused by simple acts of opening email or clicking on a website. Cybercriminals are adept at employing marketing and social engineering tools that look non-threatening and encouraging employees to click through links in fraudulent emails. Even sophisticated users can fall prey, and if it’s a busy day, with lots of files open, no one is exempt from too quickly opening a dangerous email.
Basic education will not suffice to fight cybercriminals. IT staff needs to put a continuing education program in place that accomplishes two objectives: keep staff up to date on new cyber attack trends and introduce new employees to the school district’s approach to fighting cyber attacks. In addition to education, all employees can take phishing tests, or drills in which they click on links and receive feedback as to whether they just clicked through to a potential malware occurrence. Continual reinforcement of anti-phishing practices is an essential part of any organization’s cyber defense.
3. Engage Students to become part of the Cyber Defense Team. The current generation of students is the most mobile-device friendly ever. Whether using a phone, iPad or traditional laptop, worrying about school district security is rarely top of mind. Just as IT can help train and encourage employees to be more cyber-diligent, IT can work with teachers and administrators to help students understand school data breaches affect them personally and can cause great harm to their peers and their school. School districts need to make security awareness training a part of a school’s curriculum. Secondly, administrators are already using social media platforms like Facebook and Twitter to regularly communicate about school news and events. Reminders about tactics like pop-ups linking to dangerous websites, or opening texts that are not from recognized senders, can be posted for students and parents. This gives school districts two key communication channels for furthering threat prevention.
4. Stay Current on all Application Updates. Executing critical patches and updates is essential to prevent new attacks. It should be a top priority of IT staff and cover third party applications as well as operating systems. Microsoft regularly publishes patch updates. IT needs to flag the ones of critical nature and ensure they are accomplished.
5. Be Diligent about Third-Party Vendor Risk. If your vendors and sub-contractors have less than optimum security protocols in place, they expose the school and student population to considerable risk. Case in point: A breach in Aimsweb (part of the Pearson Education online learning products) hacked the identities of as many as 13,000 schools and university accounts in upstate New York school districts. According to a Wall Street Journal report, the attack took place last November, but Pearson learned of the attack this March, after notification from the FBI. Third-party risk assessments must be done for suppliers that have access to school and student data to make certain their operations meet the standards of good threat prevention.
6. Consider Specific Cyber Insurance. School systems are increasingly adding cyber-attack coverage to their insurance policies, driven by the trend toward ransomware. The Syracuse school district’s insurance policy covered the cost of the carrier hiring security experts to unlock its computer and email systems. The caveat is the $50,000 policy deductible the district will have to pay. Administrators and finance staff need to examine the costs of this type of coverage, weighing it against the cost of restoring operations from a system lockdown and/or privacy breach, and determine what is the appropriate level. Some regular insurance policies will allow adding cyber insurance but the trend in the insurance sector is a new category of firms specializing in cyber insurance.
Preventing Cyber-Attacks is an All-in Process
Keeping the issue of cyber attacks in front of all parties – admin, IT, teachers, students and parents – is an essential step in helping to prevent costly disruption to school operations. All-in engagement will help the steady workflow of students’ education and strengthen defense against a data privacy breach.
Combining better engagement with improved security practices will help to minimize a school or district’s threat landscape. Being aware of third-party suppliers’ approach to data security is an important part of a complete data protection strategy. Within the school’s infrastructure, consistent, up-to-date patching and tighter access controls are a relatively economical means of adding more layers of data protection, compared to the millions of dollars of potential recovery costs after an attack.
About the Author:
Phil Richards is the Chief Information Security Officer for Ivanti. He has held other senior security positions, including the head of operational security for a medical device manufacturer, Chief Security Officer for a financial services corporation and Business Security Director for an investment company. In his various leadership roles, he has created and implemented Information Security Policies, has led organizations through many local, US Federal and international compliance efforts, has implemented security awareness programs, and established comprehensive compliance security audit frameworks based on industry standards.
