Prioritizing Cybersecurity

Industry veterans share practical thinking for catching up to the increasing incidence of attacks on public school districts

Cybersecurity remains an ever-present worry for K-12 schools and districts.

Recently, we helped a large school district in the Southeast improve its cybersecurity infrastructure to better protect and serve its students. Like many districts, this district expressed general concerns about cybersecurity. They weren’t sure about the best place to start but recognized the need to reduce risk.

Before the district could move forward, the staff first needed to understand the most critical vulnerabilities and what actions they already had taken.

System access is one of the first places school districts need to look when assessing their risks and needs. The district we worked with had multi­factor authentication, or MFA, available through its software solution and simply needed to implement this function. MFA ensured that nobody with access to the systems was sharing passwords and prevented the leaking of passwords. This is the base-level support any school district should have and where this large district laid the foundation for a solid overall security strategy.

Many school districts make the mistake of limiting important security features such as MFA to only certain staff, such as IT or chief-level officers. The truth is that anyone in a district with access to applications and systems — educators, staff, directors and others — should be required to use MFA and other security features. This is especially true for payroll and purchasing staff, who have access to significant data and administrative controls and can be primary targets for potential attacks.

From there, the district moved to role-specific authorization, which allowed it to set specific permissions to users to better protect certain data. Finally, the district established a directory access protocol to make access more convenient and secure for all users.

Initial Steps

For most districts, three vital features can improve security:

Multifactor authentication: The foundation for a solid cybersecurity strategy, MFA enhances cybersecurity by authenticating users via an authenticator app or email.

Role-specific authorization: Configurable user profiles within a software system can confine sensitive data access only to those who need it.

Lightweight directory access protocol: LDAP enables organizations to securely store and manage information and authenticate users against a centralized directory for access to third-party software solutions.

Schools and districts face historically high numbers of cyberattacks, ranging from malware attacks to data breaches and ransomware. Taking these first steps now is critical to ensuring operational stability and privacy for students, staff and families.

Districtwide Threats

Researchers estimate that ransomware attacks cost education institutions more than $53 billion in downtime and compromised more than 6.7 million personal records between 2018 and 2023, according to Comparitech, a cybersecurity product review website. U.S. schools alone lost an estimated $35.1 billion. Cybersecurity firm Sophos reported a 56 percent year-over-year increase in K-12 ransomware attacks in 2023.

School systems hold valuable troves of data within their systems, and hackers target them because they’re traditionally less defended than data systems in finance, health care and other industries. K-12 districts generally are late adopters of technology, and some districts still have not moved to storing information on cloud-based systems. This shift from on-site servers that could be shut off from the internet to web-based servers is significant and opens districts to new levels of risk that they previously did not have to prepare for.

Consider if you had your passwords written in a notebook that only you had access to and kept hidden in a drawer. Now, think about transitioning those passwords to the notes app on a cellphone. The passwords on the phone are now much easier to steal than the notebook because they are being stored on a web-based server.

What’s more, cyber attackers can net large sums through ransomware as education systems can’t afford downtime and are easily tempted to pay a ransom.

When we first met with the Southeast district, they were not taking the basic cybersecurity measures, exposing themselves to greater risk for attacks. They also lacked training across the board on how to prepare for and reduce the risk of cybersecurity attacks, which meant educators, staff and families weren’t informed on how to keep data safe.

K-12 district technology teams typically are small, and funding doesn’t always match rising risk. A spring 2023 Whiteboard Advisors poll of K-12 tech professionals revealed that 42 percent say their state allocates a “small amount” or “very little” funding to address cybersecurity needs. Many districts across the U.S. have just five or fewer total informational technology employees serving thousands of staff, vendors, students and families, with no one specifically dedicated to cybersecurity.

For a smaller district with only one or two technology staff, outsourcing cybersecurity protocols such as training, monitoring and testing for phishing attack recognition can be helpful. This builds greater awareness among all those IT staff serve so that districts can be better protected.

Advancing Cybersecurity

Regardless of size, school districts can enhance their cybersecurity strategy using four strategies.

Strong IT leadership and personnel. An experienced technology leader can weigh in on best practices, considerations for new technology procurement or usage and pressing needs within the context of changing threats.

Of course, a strong IT leader needs a team. An agile IT team, provided with up-to-date professional learning opportunities, can actively ensure protocol adherence, provide critical training and support, and identify and isolate threats when they arise. A single person can’t do it all. Consider an IT leader’s requests for additional staff seriously in any K-12 budget discussions.

Cybersecurity best practices and standards. No matter where a district is today, it’s never too late to implement best practices and standards. The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency, or CISA, offers guidance in its 2023 publication, “Protecting Our Future: Partnering to Safeguard K-12 Organizations.” It provides actionable tips for any educational institution to create a solid data security foundation.

CISA recommendations include implementing MFA; prioritizing patch management; performing and testing backups; and creating a training and awareness campaign.

Training and awareness can make or break any cybersecurity initiative. While it can be challenging and time-consuming for IT teams in public schools, resources must be spent on ongoing cybersecurity training and check-ins with students, families and staff. This is especially true as threats continuously evolve.

Secure, integrated technology. People make up the heart and soul of any cybersecurity initiative, but technology is the backbone — the frame on which everyone’s best efforts stand against threats or fall. Hackers know how to exploit weaknesses, so reputable technology providers must constantly update their software with security features like MFA and website encryption. Additionally, cloud-based systems can offer reliable system maintenance and redundancy without taxing district staff.

Integrated software systems also help reduce risk. When data move within a single system, the data are not exposed via third-party app connections or e-mailed spreadsheets. Simplifying tech stacks can exponentially improve a district’s cybersecurity.

Avoid sending and storing sensitive information via e-mail. Use a web-based e-mail encryption solution, which enables secure sending and receiving of sensitive data and information. The recipient receives a link to view the message and attachments. They follow this link, log in and then safely view the details without a hacker’s prying eyes catching a glimpse.

Careful response planning. Planning for an attack or incident is a realistic part of any cybersecurity initiative. Even with the best defenses in place, a careless link click can spell disaster. The first step in such an event is not to panic.

Districts should have a business continuity plan, or BCP, ready to put in place. The Southeast district developed a BCP that will maintain smooth operations, minimize impact on student learning and ease families’ expectations should an attack occur on their district. The continuity protocol included a timetable for an incident investigation, how long the BCP should be used in various scenarios and clear communication measures throughout the process. The district implemented a strong cybersecurity program that resulted in greater awareness of security protocols and has so far reduced risk for the large district.

An Ongoing Partnership

Together, software providers and K-12 professionals can solidify a cybersecurity strategy that’s up to date, resilient and practical to implement and maintain. The Southeast district that implemented multifactor authentication is on track to exponentially improve its overall cybersecurity strategy.

No school or district needs to go it alone. Partnering with software vendors and security experts can help mitigates the risk and instill confidence going forward. n

Tim Chadwick is chief information security officer at LINQ in Wilmington, N.C. E-mail: tchadwick@linq.com. Morrad Battah is a solutions consultant at LINQ in Wilmington, N.C.