This has been a year like no other for school districts. And that's putting it mildly. Sudden COVID-19 directives in March forced IT departments to find ways for all students to learn remotely for what turned out to be the remainder of the school year. The need stressed systems that were simply unprepared – and demanded IT forge very new, unplanned territory. Security? Those who could consider it considered themselves fortunate.
"School districts have to work with lean IT staffs, which can make it difficult to meet the growing demands of security for K-12 school districts, many of which do not have a dedicated cybersecurity employee," says Renee Tarun, deputy CISO at Fortinet, which works with K-12 districts on both physical and cybersecurity.
This month, as students in most parts of the country head back to school, many districts are offering up a blend of in-person and remote learning. Some are still exclusively remote. While summer offered needed respite, many of the issues that plagued districts before the break are remain as unresolved as they were when they began in the spring.
"Schools have IT infrastructure and networks that rival the size of many corporations yet only a fraction of the resources and personnel to maintain and secure them," says Joshua Motta, CEO of Coalition, a cyber-risk management firm that works with school districts. "The IT environments and networks of many schools often feature legacy and out-of-date software, with unpatched vulnerabilities. School networks are designed to be open and accessible to foster learning, but these same attributes are what also make them more susceptible to compromise."
As Motta notes, the very nature of remote learning turns up the heat on these understaffed, underfunded districts. The need to open school networks to students and teachers means they are also equally accessible to criminal hackers. More specifically, K-12 schools could face the same kinds of threats that corporations worry about each year, including data breaches, ransomware, and social engineering fraud. If a plan for security isn't in place yet, now is the time for districts to start making one.
"The shift to remote learning this past spring was sudden and unprecedented," says Douglas Levin, president of consultancy EdTech Strategies. "As the new school year starts, it is important for K-12 IT teams to revisit implementation decisions made for expediency's sake and begin to tighten access controls to essential applications and services."
In fact, cyberattacks were a burgeoning problem in education even before COVID-19 remote arrangements were mandated. According to data from the K–12 Cybersecurity Resource Center, 992 "cyber incidents" have impacted K-12 schools since 2016. There were 348 in 2019 alone, which is nearly three times the number seen in 2018. Microsoft Security Intelligence finds that malware encounters are now impacting the education sector more than any other industry, as opportunist cybercriminals find ways to exploit an overwhelmed system.
Since there are no perfect solutions to the security challenges in schools districts, especially with budgets tight and resources slim, Motta says IT departments need to have certain best practices in mind and work with what they have now.
"The most effective protective measures are generally inexpensive to implement: Take the time to test your backup and restore processes, and make sure that a set of backups are stored in an 'offsite' location," he says. "Off-site doesn't have to mean physically off-site, but in a location or network segment that is not accessible through the public network or Internet."
Coalition also suggests ensuring use of VPNs, multifactor authentication, and email security measures, including SPF and DKIM records, DMARC, and an anti-phishing solution, Motta adds. While it sounds like security 101, in many districts these kinds of protocols are not in place and haven't even been considered because security has been an afterthought for many years.
"Strong cybersecurity is as much about organizational culture as it is about technical solutions," EdTech Strategies' Levin says. "It is important for school district leaders to start the journey to better cybersecurity practices how they can and with the tools at their disposal. More resources are definitely needed, but many important steps can be taken that are low- or no-cost."
Awareness is another key component that districts may overlook, Fortinet's Tarun stresses.
"We need to ensure that faculty, students, and staff understand the cybersecurity basics to ensure they remain safe. No online course is complete without having some form of cybersecurity education on the syllabus."
At a minimum, Tarun says, districts should be evangelizing about password protection, social engineering and phishing techniques, and the important of keeping devices up-to-date.
While it is not feasible to expect schools to radically transform their IT infrastructure in the middle of a global pandemic, Mott says any kind of preparation is an ounce of prevention worthy of investment.
"Schools need to be realistic and acknowledge that the rapid changes they are making will most likely increase their risk exposure," he says. "Accepting this new reality can help a school focus on those actions that do the most to mitigate risk and help them to prepare for a worst case scenario."