With the school year firmly underway, it is a good time for MSPs with clients in the education sector to encourage those customers to improve their cybersecurity marks.
As in other markets, the shift to the shift between in-person, remote learning, and hybrid learning that schools experienced in the last few years has highlighted several cybersecurity issues that educational institutions (including primary schools and colleges/universities) faced. Those range from improperly secured online meeting sessions where interlopers would sometimes disturbingly crash meetings to crippling ransomware attacks.
This is a growing problem. According to an article in Education Week: “Ransomware attacks increased from 50 in 2020 to 62 in 2021, while the number of cyberattacks in general on schools declined for the first time in three years, from 408 in 2020 to 166 in 2021, according to the report from the K12 Security Information Exchange or K12 Six.”
The FBI and Cybersecurity and Infrastructure Security Agency (CISA) warned in early September that these attacks would likely increase. One group, the Vice Society, seems to be behind many incidents. According to multiple reports, schools are increasingly a top target and are among the most likely to pay out on ransomware demands. Unfortunately, recovery takes longer, on average, for schools and colleges. Additionally, funding challenges in many districts make them ill-equipped to implement proper security, employee training and other safeguards.
“School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting typically seen with cybercriminals can still put school districts with robust cybersecurity programs at risk. K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers,” the CISA bulletin said.
One of the most significant recent attacks was against the L.A. Unified School District in California, the second-largest in the U.S. The attack occurred over Labor Day weekend, disrupting operations, and requiring a system-wide password update for students and employees. The South Redford District in Michigan canceled classes several days after a similar attack. Sierra College in California was attacked just before the start of classes, which limited access to technology and data resources, according to the college. A ransomware attack against the Mansfield district in Texas affected access to the district website, email and phone services.
There have even been instances where students launched a cyber-attack to delay or cancel school, in the same way students of a previous generation may have pulled a fire alarm in the middle of an exam.
Several U.S. Senators have called the Department of Education and Department of Homeland Security to strengthen protections at K-12 schools. In addition, the Government Accountability Office (GAO) released a report late last year indicating that existing guidance from 2010 is in dire need of an update.
Beyond government action, though, MSPs can help their education clients find ways to address these growing threats. Here are a few best practices to follow:
Help schools provide cybersecurity awareness training. Schools have a double challenge in that both staff and students may be victims of phishing or other attacks, and in the case of primary schools, the students are given technology access at a fairly young age. MSPs can help these organizations provide awareness training, set up phishing simulations, and prepare a curriculum to help improve student cybersecurity awareness. Schools could also be encouraged to have regular cyber-attack drills; in the same way they have periodic tornado or fire drills
Identify vulnerable applications and attack vectors. MSPs can help schools conduct a security audit to ensure they have the right tools to protect their systems. In addition, schools should come up with an approved application list that they can enforce.
Follow password and access best practices. Education clients should be encouraged to follow the National Institute of Standards digital identity guidelines to use strong passwords and multi-factor authentication. This is particularly important as students and staff may access systems through district-owned computers and personal devices. Sensitive data should also be encrypted both in transit and at rest.
Leverage remote monitoring to protect cloud-based assets. Many districts have shifted to cloud-based software solutions without updating their security solutions or protocols. MSPs can leverage remote monitoring and management tools to help improve visibility into these solutions and potentially malicious traffic.
Keep devices up to date with automation. Security patching is a necessary layer of security within every organization and it’s especially important for education clients due to gaps in cybersecurity awareness experienced by students, faculty, and staff. When security updates are automated, this can help prevent cyberattacks from succeeding.
The cybersecurity challenge for schools is even more complex than for many businesses. They house a wide variety of sensitive data (medical records, Social Security Numbers, personal information on thousands of minors, etc.), and their systems are accessed by adults and young children on various devices. MSPs can help these organizations improve their cybersecurity posture by providing services and solutions that help them protect their systems while dealing with budget and staffing concerns. By following those best practices, districts can improve their security scores while expelling (pardon the pun) as many attacks as possible.