Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

6/25/2021
11:30 AM
Drew Daniels
Drew Daniels
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

School's Out for Summer, but Don't Close the Book on Cybersecurity Training

Strengthening their security posture should be at the top of school IT departments' summer to-do list.

As the school year wound down and summer vacations began, educational institutions said goodbye to one of the most challenging years in recent memory. COVID-19 meant shutting down classrooms and shifting to online learning. But the transition wasn't all smooth sailing, and it came with a new set of unique challenges.

Related Content:

5 Key Steps Schools Can Take to Defend Against Cyber Threats

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Is an Attacker Living Off Your Land?

As students and teachers swapped their pens and paper for virtual blackboards and Zoom calls, laptops flocked off the shelves and became a scarce commodity. Underfunded school districts were further challenged with delayed COVID relief funds to purchase laptops for students and faculty, causing many to rely on their own personal devices at home.

Yet personal computers do not have the same protection as IT-managed devices to keep information safe, making them inherently vulnerable to cyber threats. On top of this, IT departments faced limited resources, time, and budget to invest in cybersecurity measures. Schools lacked the ability to identify malicious behavior, all contributing to an unprecedented surge of cybercrime in the sector.

The New Age of Ransomware
As the headlines showed, ransomware plagued the education sector this year as schools grappled with the disruption of COVID-19. According to the FBI, schools became one of the more prominent targets, with 57% of all reported ransomware attacks in August and September 2020 targeting K–12 institutions.

Ransomware attacks on the Clark County School District and other school systems made it clear that hackers weren't afraid to up the ante; releasing social security numbers, student grades, and other sensitive information when the ransom wasn't paid. Schools such as the Gadsden Independent School District were even targeted with the same strain of ransomware twice within the year, causing a shutdown of 24 school sites.

As long as educational institutions continue operating digitally, we can expect hackers to be at their heels. We also know that online learning is not going away anytime soon, with some school districts like the New York City public school system announcing that instead of snow days this coming winter, students and teachers will conduct classes virtually. Hybrid learning will also be a likely option next year until students of all ages are able to get vaccinated.

With the average total cost of recovery from a ransomware attack having doubled in a year to $1.85 million and the alarming trend of releasing data when ransoms aren't paid, strengthening a school's security posture should be at the top of their to-do list.

Cybersecurity Training: Your First Line of Defense
Cybersecurity awareness is an integral component to combating ransomware, and it doesn't need to break the bank. As 98% of cyberattacks rely on social engineering, investments in training and reinforcements are critical to minimizing attack surfaces.

Below are six steps for schools looking to increase cybersecurity awareness come back-to-school season:

  • Make it a summer requirement: Don't wait to assign training until school reopens. Just as students have summer reading assignments, require entry-level training courses to be completed before school starts. Come the first week of school, everyone will feel more prepared.

  • Make it a team effort: Cybersecurity training should be geared toward the school environment and involve everyone, from the superintendent to students and parents. However, training can't be a "check-the-box" activity. Understand that everyone learns differently, so the more learning styles one can accommodate, the better.

  • Create a cybersecurity checklist: Having a checklist of things to be on the lookout for, along with some examples of how to spot malicious activity, is a great way to start boosting cybersecurity awareness. Post the checklist on the school's online learning management platform such as Blackboard or Google Classroom so that it's visible to everyone.

  • Practice makes perfect: While some may disagree, testing faculty, students, and parents with simulated attacks can help them be on the lookout for risks. This will give schools a better picture of who needs more cybersecurity training, and it will be valuable for those who need more tangible examples to learn. But simulation alone won't work. Recognize participants when they report the phish, even when it is your own test. This will encourage continued reporting.

  • Invest in your people: Practice won't make perfect unless a sustainable reporting and training system is put into place. And this can't happen without some people investments. Identify an individual from the IT team to be responsible for creating and managing this program; that way there will be a designated person in charge of organizing and administering practice tests and responding to reports in a timely manner.

  • Stay informed: A monthly cybersecurity newsletter is a great way to keep the school community engaged. Outline the latest threats and best practices on how to stay cyber resilient, and to encourage participation, post a quiz link with a small prize.

Ransomware is a persistent and critical threat that will remain a problem for years or decades to come. While no system is perfect, school districts need to start preparing now for when, not if, they experience an attack. While there isn't one foolproof solution to this troubling problem, cybersecurity education is a good starting point to building a more resilient organization. The more time invested preventatively, the better the ability to combat threats and lessen the extent or impact of an attack.

Drew brings a passion for helping companies scale global operations, implementing robust security protocols, and more than 20 years of experience. At Druva, Drew focuses his time on efficient operations processes, identifying security risks, and leading the technical ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-36260
PUBLISHED: 2021-09-22
A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.
CVE-2021-39404
PUBLISHED: 2021-09-22
MaianAffiliate v1.0 allows an authenticated administrative user to save an XSS to the database.
CVE-2021-3583
PUBLISHED: 2021-09-22
A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This...
CVE-2021-39339
PUBLISHED: 2021-09-22
The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. This affects versions up to, and including, 1.8.0.
CVE-2021-38153
PUBLISHED: 2021-09-22
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixe...