Imagine waking up to find that your school’s entire network has been encrypted and someone is demanding a $200,000 ransom to decrypt it. The FBI encourages you not to pay the ransom in order to avoid incentivizing more attacks, but the other option is starting over at a significant cost that’s well over $100,000, and perhaps even into seven figures.
What’s your next move?
This scenario isn’t outside the realm of possibility. In fact, the Flagstaff Unified School District was forced to close 15 schools serving more than 9,600 students after a ransomware attack occurred and officials refused to pay the ransom.
The good news is that these kinds of cyberattacks are preventable with the right security measures in place and an ongoing cybersecurity plan.
Lockstep Technology Group’s Senior Security Architect, Jonathan Kyle, was recently interviewed on The Closed Beta Project podcast, where he discussed cybersecurity for the K-12 market and actionable steps that schools can take to protect sensitive data from cyber-attacks.
Let’s take a look at some of the key insights that K-12 administrators can take away from the interview.
Schools are vulnerable to cybersecurity attacks, but there are some actionable steps that they can take to reduce risk at low or no cost.
1. Focus on Low-Hanging Fruit
Many cybersecurity risks can be averted with simple changes that are free or very low cost — especially compared to the consequences of a successful attack. These are the areas where schools should focus their early efforts. Three areas to start with include:
Many K-12 schools improperly delegate permissions. For example, they may need someone to do something quick and provide them with administrative privileges to get it done, but then forget to revoke them. They don’t follow the age-old rule of least privilege.
Most ransomware attacks use tools to identify existing public vulnerabilities that haven’t been patched. Since local governments and schools tend to be underfunded and understaffed, they are frequently a target for cyberattacks.
Many K-12 schools have some backups implemented, but they fail to implement the proper security measures. For instance, they may backup data on Microsoft Azure, but everyone might have permissions to access the cloud servers, which means they’re at risk of attack.
Every network can be architected to maximize protection, but don’t let perfect be the enemy of good. Lockstep recommends focusing on the easy and low-cost changes that have the greatest impact, before trying to accomplish complex endpoint protection and other more advanced cybersecurity measures all at the same time.
2. Teach Students About Cybersecurity
Most U.S. students aren’t introduced to the topic of cybersecurity until they choose a specialization in college. Earlier exposure to the industry could convey a range of benefits. Three reasons to teach these concepts earlier include:
- There is a growing demand for cybersecurity professionals throughout the industry. In a recent survey, more than half of IT professionals reported a problematic shortage of cybersecurity skills at their organization. Earlier exposure to cybersecurity could result in greater interest.
- Children who are interested in cybersecurity are often forced to learn on the internet, where it’s easy to fall into the so-called ‘black hat’ culture. Without any other outlet, they may attack real companies or people and land in legal trouble that’s difficult to shake career-wise.
- Children who are exposed to cybersecurity concepts have a greater appreciation of why cyber hygiene (such as using strong passwords) is necessary. Even if they don’t enter the field, they will have good habits that will serve them well across any industry using technology.
These cybersecurity programs may begin by teaching the OSI Model — a standard framework for evaluating cybersecurity risks — before diving into network security, risks and controls, and vulnerabilities and mitigation. Many companies provide assistance by setting up these kinds of programs, while some even offer online courses that can help supply class material.
3. Start with an Assessment
The best starting point is a Foundational Security Assessment, or FSA, which looks at a school’s entire security posture. While vulnerability scans and AD structure analyses are parts of the FSA, the goal is to paint a more holistic picture of the organization’s cybersecurity posture. For example, how mature is the patching process? Are there regular access entitlement reviews?
A Foundational Security Assessment from Lockstep Technology Group is designed to test a full spectrum of IT systems, including:
Local administrator access is analyzed to ensure that there aren’t outdated permissions on individual workstations that could compromise the entire network.
Organizational Units, Domain Trust, and other settings are analyzed to identify any potential vulnerabilities.
Servers are analyzed to ensure that they’re properly patched on a regular basis and protected with the right equipment.
It helps to conduct a Foundational Security Assessment with the assistance of a third-party IT resource or consultant. That way, you can gain insights into the best practices that other organizations have implemented and avoid the tendency to overlook vulnerabilities that are easy to miss without a second set of eyes.
4. Put a Plan in Place
Foundational Security Assessments result in a tremendous amount of data that can be difficult to decipher. For instance, an FSA may find several vulnerabilities that need to be fixed. It’s tempting to start diving in and making the necessary updates without thinking through the potential consequences of the changes — and that kind of approach can result in a broken network.
Lockstep recommends stepping back and coming up with a plan. To address the urgent needs, an outside resource who understands the broader picture can come in to work on-site for one or two days per week, to secure critical items. Then, you should develop a plan to tackle the less critical issues over time in a way that ensures everything goes smoothly.
It’s also a smart idea to hire a Chief Information Security Officer (CISO) to oversee cybersecurity and ensure that everything is secure on an ongoing basis. If that’s not feasible in the budget, Lockstep Technology Group and other contractors may offer a virtual CISO program where someone works on-site for a few days a week to fulfill the same duties.
Cybersecurity is achievable for every K-12 school, but it requires putting in some time and effort to come up with a plan that will resolve any issues. Given the significant cost of a data breach, it’s imperative for schools to be proactive and take steps to stay ahead of threats.