Avoiding a data breach: Cybersecurity at K-12 institutions
Excerpt from "The technology imperative: Staying ahead of the curve in the classroom"
The well-publicized breaches of multinational corporations might lead one to believe that cybersecurity is primarily a headache for large organizations with deep pockets. Nothing could be further from the truth. Cybercrime has touched organizations of every size and in every industry, and school districts are no exception. In fact, information security breaches are on the increase in schools today — from the outside and from within.
Breaches can run the gamut from students hacking into school databases and changing their grades, to instigating a denial-of-service attack to stop electronic testing, to a major infiltration by cybercriminals who steal Personally Identifiable Information (PII) such as Social Security and credit card numbers. Imagine a scenario where a school has to notify parents that their children’s privacy has been compromised. Breaches can also occur inadvertently when a laptop or mobile device with access to highly sensitive information is lost or stolen.
The aftermath of a breach may be severe. An attack on a district’s information technology (IT) system can compromise its ability to teach. If personal information is exposed, districts may be subject to penalties under the Family Educational Rights and Privacy Act (FERPA), including loss of federal funding. Civil lawsuits may ensue. Districts may also find they aren’t covered for damages under their traditional business interruption insurance policies.
Regardless of their severity, one thing is clear: K-12 institutions need to have a strategy for minimizing the likelihood of a breach as well as a plan to deal with the fallout after one takes place.
What makes school districts so vulnerable?
Typically, the greatest security weakness of school districts is a lack of IT resources coupled with the need to provide greater access to the network. With most of their IT dollars focused on meeting their educational mission, many schools look to educational service agencies or state-level education departments to meet their cybersecurity needs. In general, K-12 institutions tend to spend less on sophisticated protections than large corporations, making their IT systems easier to penetrate.
Educational institutions, by the nature of their work, tend to have more porous networks that can be accessed not just by teachers and staff but also by students. Their multiple buildings are at times open to the public, allowing anyone to connect a device to their network, which makes the network incredibly difficult to secure. Many districts have instituted “Bring Your Own Device” (BYOD) policies, introducing additional vulnerabilities. For the determined hacker, particularly the increasingly sophisticated student hacker, K-12 networks can be tempting indeed.
Security awareness training in K-12
- Strong password practices
- Device security
- Accessing school network from unsecured hotspots
- Sharing data with outside parties
- Use of mobile technology
- Use of online portals
- Ethics and consequences of illegal hacking
Facing the challenge: A lesson plan
Data breaches are an unfortunate reality in today’s networked world. It’s virtually impossible to completely batten down the hatches of an organization’s information system, so a comprehensive cybersecurity plan needs to address not only risk minimization but strategies for handling the fallout of a breach once one occurs. And it almost certainly will. Following are some important practices for getting K-12 cybersecurity up to speed.
Teach the security basics
Education is the first line of defense against a cyber attack. School districts need ongoing initiatives targeted at staff, students, and even parents that teach good security practices, from choosing and changing passwords to appropriate use of devices connected to the school’s network. Students, who are responsible for many of the cyber breaches in school districts, are a particularly important audience for educational programs, which need to underscore both ethical issues and the serious consequences of illegal hacking. It’s also important to keep in mind that for K-12 institutions, the student body is constantly changing — meaning education needs to be an ongoing priority.
Classify your data
Not all data has the same level of sensitivity. A course curriculum should be as accessible as possible, while Personally Identifiable Information, such as health information, Social Security numbers, and a student’s academic and disciplinary records, must be protected under FERPA. Determine what data is sensitive and requires particular protection, and then develop an access management plan that answers the following questions:
- Who are you granting access to?
- What level of access are you granting (“need to know,” administrative, etc.)?
- How are you granting and removing access (single sign-on, user ID and password, etc.)?
- How are you monitoring access?
Any data that’s private should be stored and transmitted in encrypted form. Therefore, if there’s PII data on a laptop, the laptop should be encrypted. Any email communications involving PII data should be in encrypted form. Also, access to private data should require a secondary login and authentication. The secondary login should be strictly restricted to faculty, and secondary login credentials should be reverified on an annual basis.
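The access rules in the paragraph above can be checked mechanically during a periodic access review. The following is an added example, not part of the original article; the record fields, role labels, and sample grants are constructed assumptions.

```python
from datetime import date, timedelta

REVERIFY_WINDOW = timedelta(days=365)  # "reverified on an annual basis"

# Constructed sample grants; field names and role labels are hypothetical.
GRANTS = [
    {"user": "t.alvarez", "role": "faculty", "classification": "pii",
     "secondary_login": True, "last_reverified": date(2024, 9, 3)},
    {"user": "j.chen", "role": "faculty", "classification": "pii",
     "secondary_login": True, "last_reverified": date(2023, 11, 15)},
    {"user": "s.patel", "role": "student_aide", "classification": "pii",
     "secondary_login": True, "last_reverified": date(2024, 10, 1)},
    {"user": "m.okafor", "role": "faculty", "classification": "pii",
     "secondary_login": False, "last_reverified": None},
    {"user": "r.diaz", "role": "contractor", "classification": "pii",
     "secondary_login": True, "last_reverified": None},
    {"user": "k.lee", "role": "student", "classification": "public",
     "secondary_login": False, "last_reverified": None},
]


def audit_grants(grants, today):
    """Return (user, finding) pairs for grants that break the PII access rules."""
    findings = []
    for g in grants:
        if g["classification"] != "pii":
            continue  # curriculum and other public data needs no secondary login
        if not g["secondary_login"]:
            findings.append((g["user"], "pii access without secondary login"))
            continue  # no secondary credential exists to check further
        if g["role"] != "faculty":
            findings.append((g["user"], "secondary login held by non-faculty"))
        last = g["last_reverified"]
        if last is None or today - last > REVERIFY_WINDOW:
            findings.append((g["user"], "secondary credential overdue for reverification"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_grants(GRANTS, today=date(2025, 3, 1)):
        print(f"{user}: {finding}")
```

A grant can produce more than one finding, as with a non-faculty account whose credential was also never reverified.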
Obtaining a periodic outside audit can provide an independent assessment of how effectively you’re protecting your most sensitive data and whether you’re in compliance with applicable regulations.
Put third parties to the test
Many K-12 institutions use the resources of school districts at the county or regional level to handle their IT needs. Others may contract with a third-party vendor or use cloud services to store data. To gain sufficient comfort with a third party’s security posture, it’s good practice to conduct due diligence in areas such as:
- Technology and systems architecture
- Internal controls environment, security history, and audit coverage (Service Organization Control Reports)
- Policies versus procedures
- Legal complaints, litigation, or regulatory actions
- Insurance coverage
- Ability to meet disaster recovery and business continuity requirements
- Contract language to ensure that it meets breach notification requirements
Establish strong BYOD security policies
Allowing students and staff to use their own computers and mobile devices to connect with a school’s network has become an increasingly common practice. But embracing a BYOD policy is not without risk because each device, its security setting, and the apps that are loaded onto it can introduce threats if and when they’re connected to the network. Rather than allowing a free-for-all, come up with a list of approved devices and a strategy for securing them. A more limited list of approved devices will simplify processes like securing email as it interfaces with different devices. The IT department will need to vet application security to determine whether it’s sufficient to handle wide-scale access by each approved device.
A BYOD Security Checklist:
- Update your Acceptable Use Policy (AUP) to include BYOD
- Use passwords, not PINs
- Enable auto lock
- Secure email/calendar (including sync)
- Set Bluetooth devices to “non-discoverable”
- Enable remote wipe
- Lock/wipe following failed attempts
- Secure backup data on mobile device
- Keep all system/applications patches up to date
- Keep app versions current
Make sure your technology gets a passing grade
There are a host of basic security practices and applications that need to be in place and kept up to date in order to maintain a secure network, including:
- Perimeter security — firewalls and intrusion detection/prevention systems (IDPS)
- Wireless security — service set identifiers (SSIDs), encryption, and default passwords
- Authentication — user IDs and passwords
- Encryption — connectivity and storage
- Anti-virus software
- Patch management
Hold cyber drills
Each school is familiar with that age-old practice, the fire drill, designed to maintain safe and orderly conduct in the event of a fire. Today schools need to be equally prepared for a digital inferno. IT administrators should be putting networks through their paces on at least an annual basis via internal and external penetration testing. For even more rigorous testing, consider working with an outside party to help identify potential network vulnerabilities. For example, in the state of Michigan, a service called the Michigan Cyber Range, run by the nonprofit Merit Network, helps set up a virtual environment for IT professionals to practice defending their networks against attacks perpetrated by a team of professional hackers.
Establish a response plan
Once a breach occurs, how the organization handles the situation is critical. Unfortunately, many school districts — operating under the “wishful thinking” view that they won’t suffer a breach — have no response plan in place. Then, when the inevitable occurs, they shift into panic mode. Having a response plan is particularly critical for districts because they’re responsible for the PII of minors. Even when a security breach doesn’t expose this information, the school needs to deal with a sometimes prickly constituency — parents who will have immediate questions and concerns to address. A comprehensive response plan should include detailed processes for containing and repairing the breach, a clear delineation of roles and areas of responsibility, a communications checklist, a set of triggers that can help determine when the institution might need to bring in outside help, and guidelines for dealing with internal perpetrators.
As schools increasingly rely on the Internet to deliver educational curricula, communicate with stakeholders, and store sensitive information, good cybersecurity will become an essential component of a healthy infrastructure. While resource constraints may prevent school districts from tapping the deluxe version of every piece of security software, there’s still much they can do to detect and prevent cyber breaches and to contain them when they do occur. From ongoing education to developing sound policies, procedures, and response plans, they can make significant headway in shoring up their networks and minimizing the impact of a cyber attack.